December 22, 2006 12:00 AM

Preventing Directory Harvest Attacks

Foil spammers with these simple techniques
Windows IT Pro
InstantDoc ID #94271

Sending False NDRs
Some antispam applications can actually produce false NDRs, which can be used to defend an organization against an onslaught of spam. The antispam application contains all the typical filters (e.g., keyword, blacklist, Bayesian). When one of the filters detects a spam message, the antispam application returns a phony NDR to the spammer. The idea is to make the spammer think that the address is no longer valid and stop sending spam to it.

Sending false NDRs consumes a lot of resources. Also, because the messages used in DHAs are usually either empty or contain only one word, some antispam applications have trouble identifying these messages as spam. Besides, unless a message contains a valid email address for the sender, a reply is futile.

Atypical Address Formats
Another way to counter DHAs is to use atypical email address formats. For example, I've seen companies that include the year an employee was born as part of the employee's email address: If John Smith was born in 1973, he might be assigned an email address such as jsmith73@contoso.com.

The logic behind this technique is that if spammers are using lists of names to launch attacks, no combination from the lists will produce a valid email address. However, email addresses that include numbers tend to be more difficult to remember, which can make it tough for legitimate senders to communicate with employees at your company unless they have the recipient's email address stored in an address book. Also, this technique works against only those spammers who use list-based attacks; a brute-force attack will yield valid email addresses regardless of their format.

Recipient Filtering
One last technique I'll discuss is recipient filtering. Recipient filtering takes place during the early phases of the SMTP conversation, which means that a message can be rejected before the message body is sent to the server. The benefit is that you conserve resources because the server isn't downloading the message body for rejected messages.

The problem with recipient filtering, though, is that when used by itself it can actually make a DHA more efficient and more successful. Remember that the key to a successful DHA is that the spammer must be able to match NDRs to the messages that were sent out. It takes time for an Exchange server to process a message, then generate and transmit an NDR.

Because recipient filtering works at the SMTP level, the entire process of receiving a message and generating an NDR is eliminated. The server simply won't accept a message for which the recipient doesn't exist. The spammer receives an SMTP-level message indicating that the message was rejected and therefore finds out much more quickly whether or not an email address is invalid. Fortunately, there is a countermeasure known as tar pitting, which involves throttling the bounce messages in a way that makes them impractical for a spammer to use. I discuss this technique in more detail in the next section.

As if helping spammers be more efficient weren't enough, using recipient filtering encourages spammers to use domain-name spoofing. If the spammer depends on receiving NDRs, in most cases the spammer will have to use a legitimate domain name so that the NDR can find its way back to the spammer. With recipient filtering, though, the rejection process occurs at the SMTP level. Spammers can hide behind a spoofed domain name and still get the information they need.

Tar Pitting
Because recipient filtering works at the SMTP level, Windows, not Exchange Server, actually directs the process of accepting or rejecting messages. Tar pitting is a technique that Microsoft included with the release of Windows Server 2003 Service Pack 1 (SP1). Tar pitting can slow down recipient filtering to the point that DHAs become impractical. Keep in mind that the spammer has thousands of email addresses to test against your mail server, which takes a lot of time. Imagine how much longer this process would take if you could insert a 10-second delay into the approval process for each message. That's exactly what tar pitting does: It lets you insert a delay before responding to invalid email addresses.

Before I explain how to enable tar pitting, I need to warn you about two things. First, by enabling tar pitting, you might end up slowing down legitimate email. It's therefore important to monitor your server's response time after tar pitting is enabled. Second, enabling tar pitting requires editing the registry, which can be dangerous. Making an incorrect modification can damage Windows and your applications. I therefore recommend creating a full system backup before continuing.

To enable tar pitting, open the registry editor (regedit.exe) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters subkey. Next, right-click the Parameters container and select New, DWORD Value from the shortcut menu. Enter TarpitTime as the name for the new registry entry. Double-click the entry you just created and set the value data to the number of seconds you want the SMTP address-verification process to be delayed. Five to 10 seconds is usually sufficient. Now just click OK, close the registry editor, and restart the SMTP service.
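The registry change described above, scripted as an added example (not the article's own code). It assumes Windows Server 2003 SP1 with the IIS SMTP service installed under the service name SMTPSVC and an elevated PowerShell session; the key path and TarpitTime value name are the ones the article gives.

```powershell
# Added example (not from the article): enable SMTP tar pitting by creating
# the TarpitTime DWORD under the SMTP service's Parameters key, then
# restarting the SMTP service so the new delay takes effect. Run elevated.
$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$Name  = 'TarpitTime'
$Delay = 10   # seconds; the article suggests five to 10

if ($Delay -lt 5 -or $Delay -gt 10) {
    throw "Delay of $Delay s is outside the 5-10 s range the article recommends"
}
if (-not (Test-Path $Path)) {
    throw "SMTP Parameters key not found; is the SMTP service installed?"
}

# Record any previous value so the change can be reverted if legitimate
# mail slows down (the article's first warning about tar pitting).
$existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Previous $Name = $($existing.$Name) s; overwriting"
    Set-ItemProperty -Path $Path -Name $Name -Value $Delay -Type DWord
} else {
    New-ItemProperty -Path $Path -Name $Name -Value $Delay -PropertyType DWord | Out-Null
}

# The SMTP service reads TarpitTime at startup, so restart it.
Restart-Service -Name SMTPSVC -Force

# Confirm the value that is now in place.
$applied = (Get-ItemProperty -Path $Path -Name $Name).$Name
Write-Host "TarpitTime is now $applied s; monitor SMTP response times for legitimate mail"
```

After the restart, the delay applies only to responses for invalid recipients, so watch the server's response time as the article advises before settling on a value.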

Fight Spammers
As you can see, DHAs can be an especially problematic spamming technique. But now you know several ways to mitigate the effects of such attacks. In order to reduce the effectiveness and impact of DHAs, I recommend taking advantage of recipient filtering and tar pitting. Using blacklist filters is also a good idea because they can deny a connection outright. Disabling delivery receipts and NDRs might also be effective countermeasures, but you need to consider the effect of such actions before doing so.

Comments
  • barry
    Nov 08, 2008

    It's a simple article, well written.
