Brian Cryer's Web Resources

Reverse NDR
A technique by which spammers use email non-delivery reports (NDRs) to deliver spam. Reverse NDR is sometimes abbreviated to simply RNDR.

Email servers are often configured to deliver a non-delivery report (NDR) when an email cannot be delivered. This is useful to the sender of an email because it lets them know that their email could not be delivered - typically because the email address was wrong. Some spammers use this behaviour of sending NDRs as a means of using an email server to send out spam. The advantage to the spammer is that they can use this technique to target a server which is not listed on a DNS Block List (see DNSBL) and so circumvent one common way of blocking spam.

A Reverse NDR attack works like this:

  1. The spammer creates an email, setting the to-address to a random fictitious email address for a known email domain (say, your email domain!). This email will therefore bounce and be returned with an NDR. The crafty bit is that the From-address is set to the email address of the intended target.
  2. The email server (say your email server!) cannot deliver the email because it is addressed to an unknown user. It therefore generates a non-delivery notification, sending it back to the "sender". But the spammer has lied about the sender, supplying instead someone else's email address. The non-delivery notification is therefore sent to the email address of an innocent victim.
  3. Since non-delivery notifications often include the contents of the original email, the server (your server) has now relayed spam on behalf of a spammer to an innocent victim. If the recipient opens the NDR and looks at the email then the delivery of spam is complete and the spammer has successfully spammed another victim.

This technique turns an email server into a form of open relay, and for this reason many DNSBL providers now list servers that send NDRs.

That's how a Reverse-NDR spam attack works, but if you are responsible for administering an email server then how can you determine whether your server is being used for an RNDR attack? The symptoms are typically:

  • Outbound email delivery queues are full of non-delivery notices.
  • Outbound email is slow to be delivered (because of the NDRs).
  • Slow internet connection - because of the NDR traffic.

So, if you are an email system administrator, are there any steps you can take to prevent your server being used for RNDR attacks?

The solution to the problem is to configure the email server to issue an SMTP reject rather than an NDR to the sender. With an SMTP reject, when a remote client or server connects to the email server and names a recipient address that is not recognised, the server refuses that recipient during the SMTP session instead of accepting the message and bouncing it afterwards. The responsibility for issuing an NDR then shifts to the sending server, which knows who its real sender is.
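As an added example (not code from this page), a small Python model of the two policies just described: accept-and-bounce versus reject at RCPT TO. It is not a real SMTP server; the domain, mailboxes and addresses are constructed, and it only shows which envelope sender would receive an NDR under each policy.

```python
# Model of an email server's RCPT TO decision (constructed example, not a
# real SMTP implementation). Shows why accepting unknown recipients and
# bouncing later hands the spammer an NDR aimed at the forged sender.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL_DOMAIN = "example.com"          # constructed sample domain
LOCAL_MAILBOXES = {"alice", "bob"}    # constructed sample mailboxes


def rcpt_response(rcpt: str, reject_unknown: bool) -> str:
    """Server reply to RCPT TO:<rcpt>.

    reject_unknown=False: accept anything for our domain, discover the bad
    mailbox later and bounce. reject_unknown=True: refuse unknown local
    users inside the SMTP session, so no NDR is ever generated here.
    """
    local, _, domain = rcpt.partition("@")
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Relaying denied"
    if reject_unknown and local not in LOCAL_MAILBOXES:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"


@dataclass
class Outcome:
    transcript: List[Tuple[str, str]] = field(default_factory=list)
    ndr_to: Optional[str] = None      # envelope address that gets a bounce


def transaction(mail_from: str, rcpt: str, reject_unknown: bool) -> Outcome:
    """Simulate one SMTP transaction and record who (if anyone) is bounced."""
    out = Outcome()
    out.transcript.append((f"MAIL FROM:<{mail_from}>", "250 2.1.0 OK"))
    reply = rcpt_response(rcpt, reject_unknown)
    out.transcript.append((f"RCPT TO:<{rcpt}>", reply))
    if not reply.startswith("250"):
        # Rejected in-session: the sending server must inform its own
        # user. Nothing leaves this host.
        return out
    out.transcript.append(("DATA ... <message body> .", "250 2.0.0 Queued"))
    local = rcpt.partition("@")[0]
    # Accepted, then found undeliverable: the bounce goes to the envelope
    # sender, which the spammer forged to point at the victim. A null
    # sender (<>) never receives a bounce, so mail_from must be non-empty.
    if local not in LOCAL_MAILBOXES and mail_from:
        out.ndr_to = mail_from
    return out
```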
