Reverse NDR attacks


This rule is left disabled by default because you must first completely populate the Approved local addresses list with your users' email addresses.

Enabling this rule while that list is empty will cause Praetor to quarantine (or, if you have changed the rule's action, reject) every inbound message it processes, because no recipient can ever match an empty list.

In spite of your efforts to block direct mail relaying, spammers continue to find ways around those defenses.  They take advantage of the fact that most mail systems, when a message cannot be delivered as addressed, send a non-delivery report (NDR) back to the message's sender address, and that this report normally returns the original message contents.

Specifically, the attack works as follows:

  1. A spam message is created with ...

    1. the intended spam victim's address placed in the sender field (the envelope return path, which is where bounces are sent), and

    2. a random, nonexistent recipient at your domain.

  2. Thousands of such messages are sent to your mail server.

  3. Your mail server accepts each message, determines that it cannot be delivered, and sends an NDR back to what appears to be the sender of the original message, i.e. the spam victim.

Although this is an indirect method, since the first part of the message is a non-delivery report, the spam contents are carried intact to the spam victim.  Even worse, the victim is more likely to read the message, believing it to be a non-delivery report for email he or she actually sent.

The end result is that the spammer has attained a new form of mail relaying.  As with direct relaying, it is not the spammer's own mail server that delivers the junk email, but yours.  Once again, your server's resources are being stolen to deliver spam.

CMS calls this a "Reverse NDR" attack.  Many of our larger customers have experienced it, some so badly that 33% or more of their inbound Internet messages were attributable to this attack.  In one extreme case, more than 99% of the 100+ million messages received per day were from this attack.

Symptoms that you are under a Reverse NDR attack include:

  1. Your mail server repeatedly appears on one or more DNS blocklists (DNSBLs), since it is the server actually delivering the spam

  2. Sluggish email delivery

  3. Outbound queues full of non-delivery notices

  4. As soon as the outbound queue is cleared, more entries appear when the view is refreshed

  5. Excessive administrator time (hours) spent clearing outbound queues
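The symptoms above can be measured rather than eyeballed.  The following is an added example, not code from Praetor or CMS: it reads an outbound queue listing, identifies NDRs by their null envelope sender, and reports the share of the queue that is bounces, how many distinct outside addresses they are going to, and whether they all return the same original message.  The line layout (queue id, envelope sender, envelope recipient, subject), the domain names and the sample queue entries are all constructed for the example.

```python
"""Detect a Reverse NDR attack from an outbound queue listing.

Added example, not code from Praetor or CMS.  It assumes a queue listing in
which each line is
    <queue-id> <envelope-sender> <envelope-recipient> <subject>
and that bounces carry the null envelope sender, shown as "<>".  That layout
and the sample lines below are constructed for the example.
"""
from collections import Counter

# Constructed sample queue listing (not real data).  Six of the eight entries
# are NDRs addressed to distinct outside parties, each bouncing the same spam.
SAMPLE_QUEUE = """\
Q0001 <> victim1@example.net Undeliverable: Cheap meds
Q0002 <> victim2@example.org Undeliverable: Cheap meds
Q0003 alice@yourdomain.example partner@example.org Q3 contract
Q0004 <> victim3@example.net Undeliverable: Cheap meds
Q0005 <> victim4@example.com Undeliverable: Cheap meds
Q0006 bob@yourdomain.example vendor@example.com Invoice 1187
Q0007 <> victim5@example.net Undeliverable: Cheap meds
Q0008 <> victim6@example.org Undeliverable: Cheap meds
"""


def parse_queue(listing):
    """Turn the listing into dicts; malformed lines are skipped, not guessed at."""
    entries = []
    for line in listing.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        qid, sender, rcpt = parts[:3]
        subject = parts[3] if len(parts) == 4 else ""
        entries.append({"id": qid, "sender": sender, "rcpt": rcpt, "subject": subject})
    return entries


def is_ndr(entry):
    """Bounces are sent with the null reverse path so they cannot themselves
    bounce (RFC 5321, section 4.5.5); that is the reliable marker, not the subject."""
    return entry["sender"] == "<>"


def assess(entries, share_threshold=0.5, min_ndrs=5):
    """Return queue metrics and a verdict.

    A healthy queue holds a few bounces, mostly to your own users.  A Reverse
    NDR attack shows as a large share of bounces, going to many distinct
    outside addresses, all returning the same original message.
    """
    ndrs = [e for e in entries if is_ndr(e)]
    total = len(entries)
    share = len(ndrs) / total if total else 0.0
    victims = {e["rcpt"].lower() for e in ndrs}
    subjects = Counter(e["subject"] for e in ndrs)
    top_subject, top_count = subjects.most_common(1)[0] if subjects else ("", 0)
    return {
        "total": total,
        "ndr_count": len(ndrs),
        "ndr_share": share,
        "distinct_victims": len(victims),
        "top_subject": top_subject,
        "top_subject_count": top_count,
        "under_attack": len(ndrs) >= min_ndrs and share >= share_threshold,
    }


if __name__ == "__main__":
    report = assess(parse_queue(SAMPLE_QUEUE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The thresholds are starting points: on a real queue, set `min_ndrs` from what a normal day looks like on your server, and treat a high `distinct_victims` count with one dominant `top_subject` as the strongest signal, since genuine bounces rarely share a subject.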


Defeating the Reverse NDR attack

Praetor can be used to defeat this indirect relay attack.  The countermeasure used by this rule is to validate every recipient of each inbound message against the entries in Praetor's Approved local addresses list.  If any recipient address is not found in this list, the message is automatically quarantined by Praetor instead of being passed on, so no non-delivery report is ever generated for the forged sender.  Once you are confident the list is complete, you may want to edit the action and change it from quarantine to reject.


While this rule is very effective, there is a possible complication.  Because the rule acts on any message with a recipient that does not exist in the Approved local addresses list, it also affects messages that a legitimate sender has mis-addressed.  You will need to decide whether your company is willing to hold up such messages.  Depending on whether your site is under a Reverse NDR attack, and how severe it is, you may or may not want to activate this rule.

Mitigating this complication is the fact that people who already do business with your company typically reply to previously received messages from your employees, or already have their correspondent in the address book.  Thus the real risk of missing valid messages with this rule in place is from new, legitimate senders with whom your company has never exchanged mail before.  Even then, they are very likely to be clicking a mail link on your web page rather than typing the address by hand.

As a suggestion, you may want to include in the list the addresses that can be anticipated as common typing mistakes for your public addresses, with one or more characters omitted or added.  One such example would be the singular 'sale' instead of the plural 'sales'.  (Each such variant must also be deliverable on your mail server, for instance as an alias of the real address; otherwise the server will simply bounce it itself.)
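To make the rule's behaviour concrete, here is an added example that is not Praetor's own code.  It implements the recipient check described above (every recipient must appear in the Approved local addresses list, otherwise the whole message is quarantined or rejected), together with the typo-variant suggestion, generalized to every single-character omission of a role address, and the guard against enabling the rule with an empty list.  The domain yourdomain.example, the list contents, the role names and the test recipients are all constructed for the example; the list format (one address per line, `#` comments) is an assumption, not Praetor's file format.

```python
"""Validate inbound recipients against an Approved local addresses list.

Added example, not Praetor's own code.  It assumes the approved list is plain
text with one address per line, that a message is represented by its envelope
recipients, and that the rule's action is either "quarantine" or "reject".
The domain yourdomain.example, the addresses in APPROVED_LIST_TEXT and the
role-address names are constructed for the example.
"""

LOCAL_DOMAIN = "yourdomain.example"  # assumption: the domain this rule protects

# Constructed contents of the Approved local addresses list.
APPROVED_LIST_TEXT = """
# one address per line; case does not matter
alice@yourdomain.example
bob@yourdomain.example
Sales@YourDomain.example
support@yourdomain.example
"""


def normalize(addr):
    """Canonical form for comparison: drop angle brackets and whitespace and
    lower-case the whole address.  RFC 5321 leaves local-part case to the
    receiving system; practically every mail system ignores it, so we do too."""
    return addr.strip().strip("<>").strip().lower()


def deletion_variants(local_part):
    """Every single-character omission of a local part, e.g. 'sales' gives
    'sale', 'sals', 'saes', 'sles', 'ales'.  Generalizes the page's
    'sale' for 'sales' suggestion to all one-character omissions."""
    if len(local_part) < 2:
        return set()
    return {local_part[:i] + local_part[i + 1:] for i in range(len(local_part))}


def load_approved(text, typo_roles=("sales", "support")):
    """Read the list and add anticipated misspellings of public role addresses.
    (The variants must also be deliverable on the mail server, e.g. as aliases,
    or the server will bounce them itself.)"""
    approved = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            approved.add(normalize(line))
    for role in typo_roles:
        for variant in deletion_variants(role):
            approved.add(f"{variant}@{LOCAL_DOMAIN}")
    return approved


def rule_can_be_enabled(approved):
    """Guard for the page's warning: with an empty list every message fails."""
    return len(approved) > 0


def invalid_recipients(rcpts, approved):
    """Recipients absent from the list, in the order received."""
    return [r for r in rcpts if normalize(r) not in approved]


def apply_rule(rcpts, approved, action="quarantine"):
    """Return (verdict, offending recipients).

    'deliver' only when every recipient is approved; otherwise the configured
    action.  In both non-delivery cases the message is stopped at the filter,
    so no non-delivery report is generated for the forged sender.
    """
    if not rule_can_be_enabled(approved):
        raise ValueError("Approved local addresses list is empty; "
                         "enabling the rule would block every inbound message")
    if action not in ("quarantine", "reject"):
        raise ValueError(f"unknown action {action!r}")
    bad = invalid_recipients(rcpts, approved)
    return ("deliver", []) if not bad else (action, bad)


if __name__ == "__main__":
    approved = load_approved(APPROVED_LIST_TEXT)
    print(apply_rule(["<Alice@yourdomain.example>"], approved))
    print(apply_rule(["sale@yourdomain.example"], approved))
    print(apply_rule(["alice@yourdomain.example", "xk7q9@yourdomain.example"], approved))
```

Note that the whole message is held when any one recipient fails, exactly as the rule describes; a spammer who pairs one real user with a fictitious one still gets no NDR for the fictitious address.  Keep the generated typo variants to a handful of public role addresses, since each one you accept must be a real alias on the server.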


Populating the Approved Local Address list

A command-line console application called MODLIST has been developed so that you can easily import and populate any Praetor list, including this one.  Because it is command driven, you can also automate this process.  How to export your local user email addresses and use this tool is described in a separate topic.

