preventing a DDOS attack using maillist

Posted on 2014-08-15
Last Modified: 2014-08-20
I have a mail list: (names are changed to protect the innocent)
maillist has seven user emails associated with it.

I believe that I am a victim of a DDOS attack.
Someone was sending out a massive email campaign using an aliased email account where the recipients believe it was from

When all of the receiving email domains sent back their non-response, no-user, or other denial for delivery, it all came back to the mail list address, which then duplicated across the seven emails.

Has anyone ever suffered this before?
How do you protect against this, when your server is not sending the outbound emails, and someone is masquerading their email as your own?

Question by: Evan Cutler

LVL 60

Accepted Solution

Indeed, it sounds like the backscatter of the non-delivery DoS (mostly due to the reply-to address being faked): a sort of incorrect automated bounce message sent by mail servers, typically as a side effect of incoming spam. Systems that generate email backscatter can end up being listed on various DNSBLs and be in violation of internet service providers' Terms of Service.

Mail servers can handle undeliverable messages in three fundamentally different ways:

> Reject. A receiving server can reject the incoming email during the connection stage while the sending server is still connected. If a message is rejected at connect time with a 5xx error code, then the sending server can report the problem to the real sender cleanly.

> Drop. A receiving server can initially accept the full message, but then determine that it is spam and quarantine it, delivering it to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behaviour, even though RFC 5321 says: "...silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate..."

> Bounce. A receiving server can initially accept the full message, but then determine that it is spam or addressed to a non-existent recipient, and generate a bounce message back to the supposed sender indicating that message delivery failed.

There is a good description and run-through in this article of a use case (figure 1) similar to yours. In many of the NDN messages received, the authors found internal information about the organization's infrastructure, which is valuable for an attacker to find specific vulnerabilities and to fine-tune an attack.

Measures are not a silver bullet though:
- Do not accept mail for invalid recipients
- Limit the maximum number of recipients
- Generate few error messages/small error messages

The current configuration and design processes of secondary or out-sourced SMTP mail services increase the number of viable domains that can be used as DoS agents. It is a simple process of abusing multiple SMTP services to cause a Distributed DoS (DDoS) that would increase the impact on the target. Given the possibilities with payload multiplication factors, should an organization host their main SMTP services in-house, network bandwidth saturation is also possible, causing a DoS of all Internet connectivity.

MS Exchange has some config for Recipient Filtering and SpamAssassin has a Bounce Ruleset. There is quick sharing of CDN and filtering for DoS defence as well.
LVL 77

Expert Comment

by: David Johnson, CD, MVP
All that you can do is ensure that your MX record is correct and you have an SPF defined. If you want, you can filter these messages and delete/move them so that the forum doesn't get overwhelmed.
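As an added example (not part of any answer here), a small Python filter in the spirit of the "filter these messages" suggestion: it recognises NDRs and quarantines only those that bounce a Message-ID the list never sent, so genuine bounces of the list's own mail still get through. The `SENT_MESSAGE_IDS` set, the `maillist@example.org` address and the constructed bounce built by `sample_ndr` are assumptions for the demonstration.

```python
import email
from email import policy

# Message-IDs the list really sent (constructed sample; in practice, read from the MTA log).
SENT_MESSAGE_IDS = {"<list-0001@example.org>"}

def is_ndr(msg) -> bool:
    """Detect a bounce: an RFC 3464 delivery-status report, or a classic bounce sender."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", header="content-type") == "delivery-status"):
        return True
    sender = (msg.get("From") or "").lower()
    return sender.startswith(("mailer-daemon", "postmaster"))

def original_message_id(msg):
    """Return the Message-ID of the bounced original if the NDR quotes it, else None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            inner = part.get_payload()[0]
        elif ctype == "text/rfc822-headers":    # only the original's headers attached
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        mid = inner.get("Message-ID")
        return str(mid).strip() if mid else None
    return None

def classify(raw: str) -> str:
    """'deliver' for ordinary mail and genuine bounces, 'quarantine' for backscatter."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_ndr(msg) or original_message_id(msg) in SENT_MESSAGE_IDS:
        return "deliver"    # ordinary mail, or a bounce of a message the list really sent
    return "quarantine"     # a bounce of mail the list never sent (or no proof it did): backscatter

def sample_ndr(orig_mid: str) -> str:
    """Constructed RFC 3464-style bounce to the list that quotes the original's headers."""
    return (
        "From: MAILER-DAEMON@mail.example.net\nTo: maillist@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b1\nContent-Type: message/delivery-status\n\nAction: failed\nStatus: 5.1.1\n"
        f"--b1\nContent-Type: text/rfc822-headers\n\nFrom: maillist@example.org\nMessage-ID: {orig_mid}\n\n--b1--\n"
    )

if __name__ == "__main__":
    print(classify(sample_ndr("<forged-7f3a@spam.invalid>")))  # quarantine
```

The same check can be wired into a procmail/Sieve-style rule or a mailing-list pre-delivery hook; only a reliable log of sent Message-IDs is needed on the list side.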
LVL 60

Assisted Solution

The SMTP protocol does not support authentication of the sender address. As a result, email messages can claim to be coming from any valid email address. These email messages can be difficult to block, as it is not straightforward to distinguish between a legitimate NDR and one generated by spam.

Other strategies used for protecting SMTP include scanning NDR emails by making use of the existing anti-spam features, such as the Bayesian Filter, DNS Blacklists, Sender URI Real-Time Blocklists and Keyword Checking. By the way, permanently disabling NDRs is generally not recommended.

For info, I understand that GFI MailEssentials makes use of the Directory Harvesting feature on the Gateway to drop email messages and NDRs sent to non-existent users. If the NDR makes it past these protection mechanisms, then the email message is checked against the "NewSender" feature. This feature allows end users to receive only legitimate non-delivery reports, thus allowing them to focus on actual work rather than cleaning up the mailbox.

Other useful info:
How to Report a DDoS Attack -
Email Bombing and Spamming -
LVL 9

Author Closing Comment

by: Evan Cutler
Thanks much.
This helps a lot.
