What is a Reverse NDR Attack

A non-delivery report (NDR), also called a bounce, is generated when an email message cannot be delivered to the next hop.

Spammers can use NDRs to deliver spam to victims by forging the victim's email address as the sender. This is called a reverse NDR attack.

Consider the following scenario:

  • Bob (the victim) has an email address bob@Victim.com.
  • You run an email server that accepts messages for @yourDomain.com. In addition, it accepts messages for invalid as well as valid users.
  • Jim (the attacker) wants to send a spam message to Bob. However, instead of sending it directly to Bob, he sends it through your email server. He does this to prevent his own IP address from getting blacklisted.
  • Jim composes an email with the following values for Sender and Recipient:
    From: Bob@Victim.com
    To: invalid@yourDomain.com
    
Since invalid@yourDomain.com does not exist, your email server generates an NDR. However, that NDR is sent to Bob rather than Jim, because Jim forged the sender address to be Bob's.
Refer to the diagram below for more information:

Preventing such attacks in Xeams

There are two features in Xeams that help against a reverse NDR attack.
  • Configure Xeams to reject invalid users. This is done by specifying a list of valid users or by integrating with Active Directory.
  • Configure how NDRs are generated.
    Configuring NDRs
    After logging in as admin, go to Smtp Server Configuration and select the Advanced tab. The following bullets describe two important configuration parameters.

    Include Original:
    This option controls whether the original email message is attached to the NDR. By default, it is disabled. It is highly recommended to leave it disabled so that a bounce cannot carry the spam message back to the forged sender.

    Generate NDRs only for outbound emails:
    This option allows NDRs to be generated only for outbound emails. It prevents the reverse NDR attack, where someone uses your email server to bounce spam messages back to a forged sender.
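To make the decision logic concrete, here is an added Python simulation (not Xeams code) of how an MTA's recipient validation and NDR policy decide whether Jim's forged message turns into a bounce to Bob. The domain, user list and option names are assumptions modelled on the scenario and settings above.

```python
from dataclasses import dataclass

# Constructed sample data mirroring the scenario above (assumed names).
LOCAL_DOMAIN = "yourdomain.com"
VALID_USERS = {"alice@yourdomain.com"}  # what a user list / AD lookup would return


@dataclass
class Policy:
    reject_invalid_users: bool       # validate RCPT TO against the user list
    ndr_only_for_outbound: bool      # "Generate NDRs only for outbound emails"
    include_original: bool = False   # "Include Original" (attach message to NDR)


def receive(mail_from: str, rcpt_to: str, policy: Policy) -> dict:
    """Decide what the server does with one SMTP transaction.

    smtp_reply:       code returned to the connecting client at RCPT TO
    ndr_to:           who receives a bounce, or None if none is generated
    ndr_carries_spam: whether that bounce includes the attacker's message body
    """
    rcpt = rcpt_to.lower()
    inbound = rcpt.endswith("@" + LOCAL_DOMAIN)
    unknown_local = inbound and rcpt not in VALID_USERS
    no_ndr = {"smtp_reply": "250 OK", "ndr_to": None, "ndr_carries_spam": False}

    if unknown_local and policy.reject_invalid_users:
        # Refused inside the SMTP dialogue: the connecting client (Jim's
        # machine) sees the error and no bounce message is ever created.
        return {"smtp_reply": "550 5.1.1 No such user", "ndr_to": None,
                "ndr_carries_spam": False}
    if unknown_local and not policy.ndr_only_for_outbound:
        # Accepted, then undeliverable: the bounce goes to the envelope
        # sender, which the attacker forged to be the victim's address.
        return {"smtp_reply": "250 OK", "ndr_to": mail_from,
                "ndr_carries_spam": policy.include_original}
    # Valid recipient, outbound mail, or inbound NDRs suppressed: no backscatter.
    return no_ndr


if __name__ == "__main__":
    forged = ("bob@victim.com", "invalid@yourdomain.com")
    weak = Policy(reject_invalid_users=False, ndr_only_for_outbound=False,
                  include_original=True)
    hardened = Policy(reject_invalid_users=True, ndr_only_for_outbound=True)
    print("weak:    ", receive(*forged, weak))      # NDR with spam body goes to Bob
    print("hardened:", receive(*forged, hardened))  # 550 to Jim's client, no NDR
```

Rejecting at RCPT TO is the stronger control: the error lands on the connecting client, whereas suppressing inbound NDRs merely discards the message after acceptance.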



Created on: 5/18/16 10:11 AM
Last updated on: 5/18/16 10:14 AM