It will seem counterintuitive, but in a “Reverse NDR Attack,” the intended target’s e-mail is used as the sender, rather than the recipient. The recipient is a fictitious e-mail address that uses the domain name for the target’s company (call it “bigfirm.com”), such as strawman@bigfirm.com. BigFirm’s mail server cannot deliver the message and sends an NDR e-mail back to the apparent sender of the original message, i.e, the spam target. The return e-mail carries the NDR and probably the original spam message. The target, thinking they may have sent the e-mail, reads both the NDR and the included spam.

Using legitimate e-mail features and processes, spammers are able to “fool” the e-mail system and bypass spam filters. This is not unique to any particular e-mail server. While common, this type of e-mail spamming usually does not disturb the regular processing of e-mail. An attack, however, can flood the inbound mail queue with spam, and cause the e-mail server to fail. Receiving hundreds of thousands of e-mail messages, the system overloads and shuts down.

Like authors of software viruses, spammers are always looking for loopholes. Another form of a NDR attack called “Name Harvesting” tests a myriad of common name combinations against a firm’s domain name (jsmith@bigfirm.com, rsmith@bigfirm.com, tsmith@bigfirm.com, etc.) to find real e-mail addresses to add to their spam directory. Spammers bombard an organization with spam and determine which addresses are valid very quickly. Microsoft moved to close this loophole in January 2005 by releasing a patch called “NDR Tar Pitting” that puts a configurable delay on NDR responses. In addition, Microsoft added the ability to filter recipients and limit e-mail to valid addressees only in Exchange 2003 Service Pack 1.

There are effective tools to combat these attacks such as an Internet firewall. Protection  may start as simply as a few configuration changes to your email, diligence in keeping up with security patches, and proper network maintenance procedures that limit exposure to intrusions.  In some cases you may choose to install additional SMTP Gateway filtering software or an SMTP proxy device to further defend your email system. However, a large scale attack will overwhelm any or all tools in place to prevent it.

There are two ways to curtail NDR attacks:

1) enable “recipient filtering,” setting an Exchange server to not accept e-mail for anything other than a valid address; or

2) invest in a proxy server that is placed between your network and your internet connection.

There are pros and cons to both. Enabling recipient filtering removes the NDR responses and is quick and inexpensive. For now, at least, it will immediately stop these attacks. The down side is that people sending you e-mail will not receive notification if there is a problem with delivering it. Installing a proxy server, on the other hand, will provide more thorough filtering and will keep NDR notification (although it will block some e-mails without NDR notification), but it is expensive, difficult to manage, and not foolproof. T hese devices, however do have other intelligence, such as recognizing a single sender with too many messages, but that will vary by model and manufacturer.