Answer
What is a Reverse NDR Attack (RNDR)?
- The spammer creates and sends an email to a fictitious address in your domain, forging the sender address so that the email appears to come from their intended spam target.
- Your email server cannot deliver the spam because the recipient is an unknown user, so it generates a non-delivery report (NDR) and sends it back to the sender. Since the spammer has forged the sender address, the non-delivery notification goes to the email address of the real target instead.
- Because non-delivery notifications often include the contents of the original email, your server has now relayed the spam on behalf of the spammer to an innocent victim.
How does this affect me?
Although you are not the intended target of the spam, this can have effects on your domain far worse than the spam email itself. Processing the incoming messages and generating the NDRs can put significant strain on your mail server. Your domain could also be identified as a spam source and added to one of the many real-time blackhole lists (RBLs) used on the web. Getting yourself removed from these lists is often a very difficult and time-consuming process.
How can I prevent it?
Ensure that Directory Harvesting is enabled and that it filters during SMTP transmission, so that messages to unknown users are rejected before they are accepted and no NDR is ever generated.
- Open the GFI MailEssentials configuration console.
- Navigate to Anti-Spam > Anti-Spam Filters > Directory Harvesting and click the General tab.
- Ensure that the engine is enabled and the appropriate query method is selected for your environment.
- Use the Test button to run a query on both a real and a fake user to make sure that the directory is being properly referenced.
- Click Apply, then OK, and then navigate to the Filter Priority node.
- Select the SMTP Transmission Filtering tab on the top of the window.
- Locate Directory Harvesting and click Switch so that the text below it reads "Filtering during SMTP transmission".
- Click Apply to save the settings.
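The following is an added illustration, not GFI MailEssentials code, of why filtering during SMTP transmission prevents backscatter. It models a minimal receiving mail server in two modes: "smtp", where an unknown local recipient is refused with a 5xx reply at the RCPT TO stage so the connecting server owns the failure, and "post", where the message is accepted first and an NDR is later bounced to the forged MAIL FROM address. The domain, directory contents, host names and the spam session are all constructed for the example, and the assumption that "Filtering during SMTP transmission" works by rejecting at RCPT TO is the author's, not a statement about GFI's internals.

```python
"""Added example (not GFI MailEssentials code): recipient validation
during the SMTP dialogue versus bouncing after acceptance.

Constructed data: the local domain, the user directory and the
spammer's session below are made up for this illustration.
"""

LOCAL_DOMAIN = "example.com"
DIRECTORY = {"alice@example.com", "bob@example.com"}  # constructed


def is_local_user(address: str) -> bool:
    """Directory lookup standing in for the real LDAP/AD query."""
    return address.lower() in DIRECTORY


def smtp_session(commands, mode):
    """Run a minimal SMTP receiver over a list of client lines.

    mode == "smtp": unknown local recipients get 550 at RCPT TO.
    mode == "post": they are accepted; delivery fails later and an NDR
                    is generated to the MAIL FROM address.

    Returns (responses, ndrs) where ndrs is a list of
    (ndr_recipient, undeliverable_address) tuples the server would send.
    """
    responses = ["220 mx.example.com ESMTP"]
    ndrs = []
    mail_from, rcpts, unknown = None, [], []
    in_data = False
    for line in commands:
        if in_data:
            if line == ".":
                in_data = False
                responses.append("250 2.0.0 Queued")
                # Only reachable in "post" mode: the message was accepted,
                # so each unknown recipient now produces an NDR to the
                # (forged) sender, i.e. to the spammer's real target.
                for rcpt in unknown:
                    ndrs.append((mail_from, rcpt))
            continue  # message body lines receive no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            responses.append("250 mx.example.com")
        elif verb == "MAIL":
            mail_from = arg.split(":", 1)[1].strip("<> ")
            responses.append("250 2.1.0 OK")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if not rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                responses.append("550 5.7.1 Relaying denied")
            elif mode == "smtp" and not is_local_user(rcpt):
                # Refuse during the dialogue: no message, no NDR.
                responses.append("550 5.1.1 User unknown")
            else:
                rcpts.append(rcpt)
                if not is_local_user(rcpt):
                    unknown.append(rcpt)
                responses.append("250 2.1.5 OK")
        elif verb == "DATA":
            if not rcpts:
                responses.append("554 5.5.1 No valid recipients")
            else:
                in_data = True
                responses.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            responses.append("221 2.0.0 Bye")
        else:
            responses.append("500 5.5.1 Command unrecognized")
    return responses, ndrs


# Constructed reverse-NDR attempt: forged sender is the real target,
# recipient is a fictitious user in our domain.
SPAM_SESSION = [
    "EHLO spammer.invalid",
    "MAIL FROM:<victim@target.invalid>",
    "RCPT TO:<nosuchuser@example.com>",
    "DATA",
    "Subject: buy now",
    "",
    "spam body",
    ".",
    "QUIT",
]


def backscatter_ndrs(mode):
    """NDRs our server would emit for the constructed spam session."""
    return smtp_session(SPAM_SESSION, mode)[1]


if __name__ == "__main__":
    for mode in ("post", "smtp"):
        replies, ndrs = smtp_session(SPAM_SESSION, mode)
        print(f"mode={mode}: RCPT reply={replies[3]!r}, NDRs sent={ndrs}")
```

Running the block shows the difference directly: in "post" mode the server queues the message and then sends one NDR to victim@target.invalid, which is the backscatter the article describes; in "smtp" mode the RCPT TO is refused with 550 5.1.1 and no NDR exists to send. A quick way to confirm the production setting is in effect is to open an SMTP session to your own server and issue RCPT TO for a non-existent user: a 5xx reply at that point means unknown recipients are being rejected during transmission.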