[MAILSCANNER] Reverse NDR attack. How to combat? Any ideas?
Douglas Ward
binaryflow at gmail.com
Wed Sep 21 13:20:32 IST 2005
I am using a postfix/MailScanner combination on our e-mail gateways. We
use the relay_domain and relay_recipient options to only allow mail
through if it is first a valid domain and second if it is a valid
recipient on the domain. It is a bit of manual work to keep the
recipient list up to date but they tell me pretty quickly if I forget!
:) With this setup postfix automatically rejects the message. I don't
see many NDRs in the queue waiting to be processed. I figure it's either
that I haven't been dictionary attacked yet or postfix is doing a good
job!
On 9/20/05, Venkata Achanta <vachanta at gmail.com> wrote:
>Given the reality of the reverse NDR style of spamming it won't be long before
>blind-queue servers are generally regarded in the same light as open relays and
>smurf amplifiers. Do yourself a favor and start fixing the problem now before
>popular consensus agrees that this is a bad thing and blacklists are set up for
>"open NDR relays" which include your server.
Thanks Matt. Didn't make sense until it became a reality on my mail servers
this week. I agree with you 100%.
Now if I go the route of accepting e-mail for only valid users, how do I
mitigate the risk of Directory Harvest attack on a setup like mine? Can you
throw some light on it as well?
Thanks again.
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/)
and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
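Added example (not part of the original thread or of Postfix/MailScanner): one way to tell "not dictionary attacked yet" apart from "postfix is doing a good job" is to count, per client IP, the distinct recipients Postfix refused as unknown in the relay recipient table. The log lines are constructed samples using documentation addresses, and the threshold of 3 is an assumption to tune for your traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix smtpd reject format (not real traffic).
SAMPLE_LOG = """\
Sep 21 13:01:02 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <aaron@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<> to=<aaron@example.com> proto=SMTP helo=<x>
Sep 21 13:01:03 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <abby@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<> to=<abby@example.com> proto=SMTP helo=<x>
Sep 21 13:01:04 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Adam@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<> to=<Adam@example.com> proto=SMTP helo=<x>
Sep 21 13:01:05 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <bob@other.example>: Relay access denied; from=<> to=<bob@other.example> proto=SMTP helo=<x>
Sep 21 13:05:10 gw postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 <jsmtih@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<jsmtih@example.com> proto=ESMTP helo=<mail.example.net>
Sep 21 13:09:10 gw postfix/smtpd[2111]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 <jsmtih@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<jsmtih@example.com> proto=ESMTP helo=<mail.example.net>
"""

# Matches only rejections caused by a miss in the relay recipient table;
# the enhanced status code (e.g. 5.1.1) is optional because older Postfix omits it.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 5\d\d (?:\d\.\d\.\d )?"
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: "
    r"User unknown in relay recipient table"
)


def harvest_suspects(log_text, min_distinct=3):
    """Return {client_ip: sorted distinct unknown recipients} for clients
    that probed at least min_distinct different nonexistent addresses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            # Lower-case so retries with different capitalisation count once.
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients: {', '.join(rcpts)}")
```

Counting distinct addresses rather than raw rejects keeps a legitimate sender retrying one mistyped address (198.51.100.7 in the sample) below the threshold.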