
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559

Preventing a DDoS attack using a mail list

I have a mail list: maillist@domain.com (names are changed to protect the innocent).
The mail list has seven user emails associated with it.

I believe that I am a victim of a DDoS attack.
Someone was sending out a massive email campaign using an aliased email account, so that the recipients believed it was from maillist@domain.com.

When all of the receiving email domains sent back their non-response, no-user, or other denial for delivery, it all came back to the mail list address, which then duplicated across the seven emails.

Has anyone ever suffered this before?
How do you protect against this, when your server is not sending the outbound emails, and someone is masquerading their email as your own?

Evan Cutler
2 Solutions
btan (Exec Consultant) commented:
Indeed, this sounds like the backscatter of the non-delivery DoS (mostly due to the reply-to address being faked): a sort of incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam. Such systems that generate email backscatter can end up being listed on various DNSBLs and be in violation of internet service providers' Terms of Service.
See http://en.wikipedia.org/wiki/Backscatter_(email)

Mail servers can handle undeliverable messages in three fundamentally different ways:

> Reject. A receiving server can reject the incoming email during the connection stage while the sending server is still connected. If a message is rejected at connect time with a 5xx error code then the sending server can report the problem to the real sender cleanly.

> Drop. A receiving server can initially accept the full message, but then determine that it is spam, and quarantine it - delivering to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behaviour, even though RFC 5321 says: "...silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate..."

> Bounce. A receiving server can initially accept the full message, but then determine that it is spam or to a non-existent recipient, and generate a bounce message back to the supposed sender indicating that message delivery failed.

A good description and run-through is in this article on a use case (figure 1) similar to yours:
"In many of the NDN messages received, the authors found internal information of the organization's infrastructure which is valuable for an attacker to find specific vulnerabilities and to fine tune an attack."
Measures are not a silver bullet though:
- Do not accept mail for invalid recipients
- Limit the maximum number of recipients
- Generate few error messages/small error messages

The current configuration and design processes of secondary or out-sourced SMTP mail services increase the number of viable domains that can be used as DoS agents. It is a simple process of abusing multiple SMTP services to cause a Distributed DoS (DDoS) that would increase the impact on the target. Given the possibilities with payload multiplication factors, should an organization host their main SMTP services in-house, network bandwidth saturation is also possible causing a DoS of all Internet connectivity.
MS Exchange has some config for Recipient Filtering and SpamAssassin has a Bounce Ruleset. There is quick sharing on CDN and filtering for DoS defence as well.
David Johnson, CD, MVP (Owner) commented:
All that you can do is ensure that your MX record is correct and that you have an SPF record defined. If you want, you can filter these messages and delete/move them so that the forum doesn't get overwhelmed.
btan (Exec Consultant) commented:
The SMTP protocol does not support authentication of the sender address. As a result, email messages can claim to be coming from any valid email address. These email messages can be difficult to block as it is not straightforward to distinguish between a legitimate NDR and one generated by spam.

Other strategies used for protecting SMTP include scanning NDR emails by making use of the existing anti-spam features, such as the Bayesian filter, DNS blacklists, Sender URI real-time blocklists and keyword checking. By the way, permanently disabling NDRs is generally not recommended.

For info, I understand that GFI MailEssentials makes use of the Directory Harvesting feature on the gateway to drop email messages and NDRs sent to non-existent users. If the NDR makes it past these protection mechanisms, then the email message is checked against the "NewSender" feature. This feature allows end users to receive only legitimate non-delivery reports, thus allowing them to focus on actual work rather than cleaning up the mailbox.

Other useful info
How to Report a DDoS Attack - http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/
Email Bombing and Spamming - http://www.cert.org/historical/tech_tips/email_bombing_spamming.cfm
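The advice in this thread (reject at RCPT time while the sender is still connected, do not accept mail for invalid recipients, filter NDRs rather than disable them) can be combined by signing the bounce address of everything the list server really sends, which is Bounce Address Tag Validation (BATV), a technique not named by any poster above. What follows is an added example written for this thread, not code from the posters or from any product they mention. It assumes the domain `domain.com` from the question, a constructed secret, a simple day counter instead of the clock, and a simplified `prvs=` tag format (3-digit expiry day plus 6 hex characters of an HMAC); real BATV deployments and MTA plugins use their own variants.

```python
"""Backscatter filtering with signed (BATV-style) bounce addresses.

Every message the list server really sends goes out with an envelope sender
carrying an expiring HMAC tag. A genuine non-delivery report comes back to
that tagged address; an NDR addressed to the bare list address was never
caused by our mail, so it is backscatter and can be refused at RCPT TO time,
before the list expands it to its seven members.
"""
import hashlib
import hmac
import re
from email import message_from_string, policy

OUR_DOMAIN = "domain.com"            # assumed, taken from the question
TAG_SECRET = b"constructed-secret"   # assumed; keep the real one in secure config
TAG_LIFETIME_DAYS = 7                # NDRs arriving later than this are refused

# Simplified BATV "prvs" form: prvs=DDDSSSSSS=local@domain
#   DDD = expiry day counter mod 1000, SSSSSS = first 6 hex chars of the HMAC
TAG_RE = re.compile(
    r"^prvs=(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^@]+)@(?P<dom>.+)$", re.I)


def _sig(expiry, local, dom):
    data = f"{expiry:03d}{local}@{dom}".lower().encode()
    return hmac.new(TAG_SECRET, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, today):
    """Envelope sender (MAIL FROM) for outbound mail sent as `address`.
    `today` is a plain day counter so the example stays deterministic."""
    local, dom = address.lower().split("@", 1)
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_sig(expiry, local, dom)}={local}@{dom}"


def verify_tagged(address, today):
    """Return the bare address if `address` carries a valid, unexpired tag,
    else None. Constant-time compare so the tag cannot be guessed byte by byte."""
    m = TAG_RE.match(address.strip())
    if m is None:
        return None
    expiry = int(m["day"])
    if (expiry - today) % 1000 > TAG_LIFETIME_DAYS:   # expired (wraps mod 1000)
        return None
    local, dom = m["local"].lower(), m["dom"].lower()
    if not hmac.compare_digest(_sig(expiry, local, dom), m["sig"].lower()):
        return None
    return f"{local}@{dom}"


def rcpt_policy(mail_from, rcpt_to, today):
    """SMTP reply code for RCPT TO. Bounces use the null sender (MAIL FROM:<>);
    a null-sender message for an untagged address is backscatter, so answer
    550 while the sending server is still connected (the "Reject" option):
    nothing is stored and nothing reaches the list members."""
    if mail_from == "" and verify_tagged(rcpt_to, today) is None:
        return 550
    return 250


def is_dsn(msg):
    """RFC 3464 delivery status notification: multipart/report with
    report-type=delivery-status, or at least a null Return-Path."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    return (msg.get("Return-Path") or "").strip() == "<>"


def classify(raw_message, rcpt_to, today):
    """Post-DATA fallback for servers that cannot reject at RCPT time
    (the "Drop" option): returns 'deliver' or 'drop-backscatter'."""
    msg = message_from_string(raw_message, policy=policy.default)
    if not is_dsn(msg):
        return "deliver"
    if verify_tagged(rcpt_to, today) is not None:
        return "deliver"            # genuine NDR for mail we really sent
    return "drop-backscatter"


# Constructed sample: an NDR from a third-party MTA for a message we never sent.
CONSTRUCTED_BACKSCATTER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: maillist@domain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.net failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--b1--
"""

if __name__ == "__main__":
    today, bare = 500, f"maillist@{OUR_DOMAIN}"
    tagged = tag_sender(bare, today)
    print("outbound MAIL FROM:", tagged)
    print("forged bounce at RCPT:", rcpt_policy("", bare, today))      # 550
    print("genuine bounce at RCPT:", rcpt_policy("", tagged, today))   # 250
    print("post-DATA:", classify(CONSTRUCTED_BACKSCATTER, bare, today))
```

Two caveats before switching this on: every path that sends mail as the domain (the list expander, webmail, application relays) must tag its envelope sender, otherwise legitimate NDRs to the bare address are refused too; and because the envelope sender now changes daily, remote systems that whitelist an exact sender address will see a different one (SPF is unaffected, since the domain part is unchanged). Tagging does not stop the forged campaign itself; it stops the resulting bounces from landing on the list and being multiplied by its members.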
Evan Cutler (Author) commented:
Thanks much.
This helps a lot.
