How to block NDR spam




Spam generates an enormous amount of traffic that is both time-consuming to handle and resource-intensive. Beyond that, many organizations have been victims of NDR spam, which has an effect on the email system similar to a distributed denial of service. This paper gives a technical explanation of NDR spam and recommends measures that prevent or limit exposure to this kind of unsolicited email.

What is a Non-Delivery Report?

Email systems support a service called Delivery Status Notification, or DSN for short [1]. It allows end users to be notified of the successful or failed delivery of an email message, for example by a report that delivery has been delayed or that the message has been delivered successfully. A non-delivery report (NDR) is a DSN sent by an email server (a mail transfer agent, or MTA) to inform the sender that delivery of the message failed. Various events can trigger an NDR; the most common are that the recipient does not exist or that the destination mailbox is full.

A simple email message is made up of a set of headers and at least one body, as shown in figure 1. In this example the email is sent from user1@domain1.com to user2@domain2.com. If the domain name domain2.com does not exist or has no email server, the MTA at domain1.com sends an NDR to user1@domain1.com [2]. When the domain exists and the MTA at domain2.com accepts email, the behaviour is different: the domain2.com server should check whether the destination mailbox exists and is accepting mail and, if not, reject the message during the SMTP session. Many mail servers, however, accept any message and bounce it later if the destination address turns out not to exist.

From: <user1@domain1.com>
To: <user2@domain2.com>
Subject: Example Email

Body

Figure 1: a simple email message, headers followed by a body

Figure 2 describes a scenario where user2@domain2.com does not exist but the mail server at domain2.com still accepts the email because it does not know which mailboxes exist (typical of a gateway or relay that holds no list of valid recipients). The server then sends an NDR to user1@domain1.com with the original message attached.

[1] The technical details of DSN are in RFC 1891 (since superseded by RFC 3461; the format of the DSN message itself is defined in RFC 3464).
[2] As per RFC 2821, the address the NDR is sent to is the one given in the SMTP MAIL FROM command (the envelope sender, or reverse-path), not the From: header of the message.

Figure 2: Steps 1 to 4 of the scenario (diagram not reproduced): the message is accepted by domain2.com for a nonexistent user and an NDR is sent back to user1@domain1.com

How does NDR spam work?

SMTP itself does not authenticate the sender address, so an email message can claim to come from any valid address. Spammers have long known this and use forged addresses when sending their bulk mail. Because successful spam relies on reaching as many recipients as possible, spammers work from large address lists, and some of the addresses on those lists no longer exist or have been disabled. In many of these cases the mail server handling the nonexistent address sends an NDR to the forged sender address in the original email. If that address belongs to a real user, this user receives the non-delivery reports; and since a spam run is large, thousands of NDRs can end up in the victim's mailbox. The resulting email is known as NDR spam or backscatter; an example is illustrated in figure 3.
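The accept-then-bounce behaviour described above, next to the reject-at-RCPT behaviour the paper recommends later, as an added Python example; this is not code from the paper or from GFI. The domains, mailboxes, spam message and reporting MTA name are constructed, and the NDR is built in the multipart/report format of RFC 3464 with Python's standard email package.

```python
"""Added example, not taken from the GFI paper: a toy receiving MTA that
shows why accept-then-bounce creates backscatter while rejecting at RCPT TO
does not.  Domains, mailboxes and the message below are constructed."""
from email import message_from_string
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional, Tuple

REPORTING_MTA = "mx.domain2.com"                            # constructed
VALID_MAILBOXES = {"alice@domain2.com", "bob@domain2.com"}  # constructed

# Constructed spam: the envelope sender is forged as a real address at domain1.com.
SPAM_MAIL_FROM = "user1@domain1.com"
SPAM_RCPT_TO = "nobody@domain2.com"
SPAM_RAW = (
    "From: <user1@domain1.com>\r\n"
    "To: <nobody@domain2.com>\r\n"
    "Subject: Cheap pills\r\n"
    "Message-ID: <spam-0001@bot.example>\r\n"
    "\r\n"
    "Buy now.\r\n"
)


def rcpt_to_reply(rcpt: str, accept_all: bool) -> str:
    """Reply the receiving MTA gives to RCPT TO:<rcpt>.

    accept_all=False is the behaviour the paper recommends: an unknown mailbox
    is refused inside the SMTP session, the sending MTA owns the failure and
    nothing new is generated.  accept_all=True is a catch-all /
    accept-then-bounce server that must manufacture an NDR afterwards.
    """
    if accept_all or rcpt.lower() in VALID_MAILBOXES:
        return "250 2.1.5 Recipient OK"
    return "550 5.1.1 User unknown"


def build_ndr(mail_from: str, failed_rcpt: str, original_raw: str) -> Message:
    """RFC 3464-style NDR: multipart/report with a human-readable part, a
    message/delivery-status part and the original message.  Like a real MTA
    it is addressed to the envelope sender (MAIL FROM), which is exactly why
    a forged sender receives the backscatter."""
    ndr = MIMEMultipart("report", report_type="delivery-status")
    ndr["From"] = f"Mail Delivery System <MAILER-DAEMON@{REPORTING_MTA}>"
    ndr["To"] = mail_from
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.attach(MIMEText(f"The address {failed_rcpt} does not exist.\n"))

    per_message = Message()                      # per-message DSN fields
    per_message["Reporting-MTA"] = f"dns; {REPORTING_MTA}"
    per_recipient = Message()                    # per-recipient DSN fields
    per_recipient["Final-Recipient"] = f"rfc822; {failed_rcpt}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    status = MIMEBase("message", "delivery-status")
    status.set_payload([per_message, per_recipient])
    ndr.attach(status)

    ndr.attach(MIMEMessage(message_from_string(original_raw)))  # returned original
    return ndr


def receive(mail_from: str, rcpt_to: str, raw: str,
            accept_all: bool) -> Tuple[str, Optional[Message]]:
    """One inbound delivery attempt: the RCPT TO reply and, if the server
    accepted a message it cannot deliver, the NDR it sends back."""
    reply = rcpt_to_reply(rcpt_to, accept_all)
    if reply.startswith("550"):
        return reply, None                               # refused, no NDR
    if rcpt_to.lower() not in VALID_MAILBOXES:
        return reply, build_ndr(mail_from, rcpt_to, raw)  # backscatter
    return reply, None                                   # real mailbox, delivered


def ndr_victim(ndr: Message) -> str:
    """Who ends up with the bounce: the (possibly forged) envelope sender."""
    return ndr["To"]


def round_trip_part_types(ndr: Message) -> List[str]:
    """Serialise the NDR and parse it back: the three part types a filter on
    the victim's side would see on the wire."""
    parsed = message_from_string(ndr.as_string())
    return [part.get_content_type() for part in parsed.get_payload()]
```

Note the asymmetry: when the server answers 550 at RCPT TO, the failure stays with the sending MTA (a spam bot simply drops it), whereas the accept-all path manufactures a brand-new message addressed to whoever was named in MAIL FROM.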

Figure 3: backscatter, NDRs from many mail servers arriving at the mailbox whose address the spammer forged (diagram not reproduced)

Why does NDR spam work?

Many mail servers block email whose sender domain does not exist, so spammers spoof addresses at valid, working domains to get past this simple check. The result is that the MTA responsible for the forged address receives a large number of NDR messages. These are difficult to block because a legitimate NDR and one triggered by spam look alike: both are genuine DSNs from real mail servers, and the only difference is whether the returned original was actually sent by the victim.

It is unlikely that spammers use this method deliberately to get their message delivered. An address that is receiving hundreds of NDRs in a short time is not one whose owner reads them, and the spam itself is presented poorly, truncated or buried in an attachment, so it is even less likely to be read. An example of an NDR spam message can be seen in figure 4.
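Two checks a victim domain can use to tell a legitimate NDR from backscatter, as an added Python example that is not from the paper or from GFI. The first is a simplified BATV-style tagged return path (not the exact format of the BATV Internet-Draft): outgoing MAIL FROM is rewritten to carry an expiring HMAC tag, and an inbound bounce (null MAIL FROM) to an address without a valid tag is refused during the SMTP session because we never sent the original. The second, for untagged mail that was accepted anyway, parses the DSN and compares the Message-ID of the returned original against a log of messages actually sent. The key, domain, addresses, sent log and sample bounce are all constructed.

```python
"""Added example, not from the GFI paper or from GFI: two victim-side checks
that separate a legitimate NDR from backscatter.  The key, domain, addresses,
sent-mail log and the sample bounce below are all constructed."""
import hashlib
import hmac
import re
from email import message_from_string

OUR_DOMAIN = "domain1.com"                           # constructed
SECRET_KEY = b"constructed-example-key"              # constructed; use a random per-site secret
DAYS_VALID = 7                                       # bounces accepted this long after sending
SENT_MESSAGE_IDS = {"<20080101.1234@domain1.com>"}   # constructed outbound log
TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=([^@=]+)@(.+)$")


def _mac(expiry: int, address: str) -> str:
    """Six hex chars of HMAC-SHA256 over the expiry day and the bare address."""
    data = f"{expiry:03d}{address}".encode()
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(local_part: str, today: int) -> str:
    """Outbound MAIL FROM rewritten with a BATV-style tag (simplified; not the
    exact Internet-Draft format).  'today' is a day counter; the expiry day
    is kept modulo 1000 to keep the tag short."""
    expiry = (today + DAYS_VALID) % 1000
    address = f"{local_part}@{OUR_DOMAIN}"
    return f"prvs={expiry:03d}{_mac(expiry, address)}={address}"


def untag(rcpt_to: str) -> str:
    """The real mailbox behind a tagged (or plain) recipient address."""
    m = TAG_RE.match(rcpt_to)
    return f"{m.group(3)}@{m.group(4)}" if m else rcpt_to


def check_bounce_recipient(mail_from: str, rcpt_to: str, today: int) -> str:
    """SMTP reply to RCPT TO.  Only bounces (null reverse-path) are checked;
    ordinary mail passes.  A bounce to an untagged, mis-signed or expired
    address was not provoked by anything we sent, so it is refused inside the
    session and the backscatter is never stored."""
    if mail_from not in ("", "<>"):
        return "250 2.1.5 Recipient OK"
    m = TAG_RE.match(rcpt_to)
    if not m:
        return "550 5.7.1 Bounce to untagged address; we did not send the original"
    expiry, mac, local_part, domain = m.groups()
    expected = _mac(int(expiry), f"{local_part}@{domain}")
    if domain != OUR_DOMAIN or not hmac.compare_digest(mac, expected):
        return "550 5.7.1 Bounce address signature invalid"
    if (int(expiry) - today) % 1000 > DAYS_VALID:
        return "550 5.7.1 Bounce address expired"
    return "250 2.1.5 Recipient OK"


# Constructed bounce as a victim receives it: the returned original is spam
# the victim never sent, so its Message-ID is not in SENT_MESSAGE_IDS.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.domain2.com
To: user1@domain1.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The address nobody@domain2.com does not exist.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.domain2.com

Final-Recipient: rfc822; nobody@domain2.com
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

From: <user1@domain1.com>
To: <nobody@domain2.com>
Subject: Cheap pills
Message-ID: <spam-0001@bot.example>

Buy now.
--B1--
"""


def classify_dsn(raw: str) -> str:
    """For bounces accepted anyway: 'legitimate' if the returned original
    carries a Message-ID we really sent, 'backscatter' otherwise (including
    when no original is returned), 'not-a-dsn' for any other mail."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return "not-a-dsn"
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            message_id = (original.get("Message-ID") or "").strip()
            return "legitimate" if message_id in SENT_MESSAGE_IDS else "backscatter"
    return "backscatter"
```

The tag check is the stronger of the two because it acts before the bounce is accepted, but it changes the visible envelope sender of all outgoing mail, which upsets mailing lists and correspondents that whitelist exact sender addresses; the Message-ID comparison only helps for bounces that return the original headers, and it needs the outbound mail log to be kept for at least as long as a bounce can take to arrive.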

Figure 4: an NDR spam message as received by the victim (not reproduced)

How to reduce exposure to NDR spam

If you are responsible for a network that is the victim of NDR spam or backscatter, there are only a few preventive measures you can take. One of the more straightforward is to turn off catch-all mailboxes [3]. With this feature disabled, your mail server no longer accepts non-delivery reports for addresses that do not exist on it; NDRs addressed to your real mailboxes still get through, so this does not help when the spammer forges an address that does exist.

If, on the other hand, you are responsible for an email server that is generating NDR spam, configure it to reject undeliverable messages during the SMTP session rather than accept and bounce them. A server can only do this if it knows which recipients are valid, so a gateway or relay in front of the mailbox server needs a copy of the recipient list, or must verify each recipient against the back-end server, before it answers RCPT TO. Microsoft Exchange, Postfix, Sendmail and Qmail all have configuration options or third-party patches to behave this way and so create less backscatter, and online resources [4] describe how to configure them so that the problem does not get worse. Checking SPF on the MAIL FROM domain during the session is a further way for such a server to refuse forged senders before it has accepted anything.

[3] Catch-all mailboxes are mailboxes that receive all email addressed to your domain for which no named mailbox exists.

A better solution

The latest version of GFI MailEssentials for Exchange and SMTP [5] blocks NDR spam automatically, without any changes on the mail server's side. GFI MailEssentials scans NDR emails with its existing anti-spam features, such as the Bayesian filter, DNS blacklists, Sender URI real-time blocklists and keyword checking. It also uses the Directory Harvesting feature [6] on the gateway to drop messages and NDRs sent to nonexistent users. If an NDR makes it past these mechanisms, it is checked against the NewSender feature, which lets end users receive only legitimate non-delivery reports, so they can focus on actual work rather than cleaning up their mailbox.

[4] Preventing Backscatter
[5] How to check for NDR spam
[6] Directory Harvesting

About GFI

GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI satisfies the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong and Adelaide which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.

Appendix

Keywords: NDR spam, backscatter, DSN (delivery status notification), collateral spam

© 2008 GFI Software. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI, GFI EndPointSecurity, GFI FAXmaker, GFI MailEssentials, GFI MailSecurity, GFI MailArchiver, GFI LANguard, GFI Network Server Monitor, GFI WebMonitor and their product logos are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. All product or company names mentioned herein may be the trademarks of their respective owners.