Spam via SMTP Non-Delivery Reports

I have modest email needs, so I use the default SMTP and POP3 services in Windows Server 2003. Although I have email relay disabled, spammers are still managing to send spam through my SMTP service -- via non-delivery reports!

In other words, spammers are intentionally sending email messages to nonexistent email addresses on my domain. Here's a representative sniffer trace from earlier today:

MAIL FROM:<lolando@glocos.com>
250 2.1.0 OK
RCPT TO:<uucp@codinghorror.com>
250 2.1.5 OK
354 Start mail input
DATA
(spam email body elided)
250 2.6.0  Queued mail for delivery

MAIL FROM:<meskes@getinthepicture.com>
250 2.1.0 OK
RCPT TO:<support@codinghorror.com>
250 2.1.5 OK
DATA
(spam email body elided)
250 2.6.0 Queued mail for delivery

This repeats dozens of times, with different from and to email addresses. The person in the "from" address will get a non-delivery report from my server that includes the original spam message as an attachment.

This is also known as a "Reverse NDR attack", because the non-delivery report goes to the recipient (e.g., the victim) instead of the sender.

I've pored over the SMTP settings in Windows Server 2003 and I can't figure out a way to fix this. I did find this cool SMTP tar pit feature which sounds appropriate -- but unfortunately, it will have no effect in my case. As you can see from the above sniffer trace, the basic SMTP service is not smart enough to perform "recipient filtering" -- to reject email for users that don't exist at the time of submission. The validation of the address occurs after the email delivery process begins, which is too late.

I thought about suppressing non-delivery reports entirely, but this breaks the email protocol:

Some of you might think it would be better to simply turn off recipient filtering, rely on your 3rd party antispam product, and suppress NDRs (as spammers typically use spoofed domains anyway). This is possible but unfortunately doing so breaks RFC 2821, which states that a NDR must be returned if an e-mail message for an invalid recipient is accepted. In addition it also means normal users that perhaps make a typo in an e-mail address will never receive an NDR informing them of the issue.

What I really need is some way to make the default SMTP service in Windows Server 2003 reject emails for invalid recipients prior to accepting the message. That, along with the built-in tarpit support, should break spammers.
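To make the missing check concrete, here is an added example (not code from this post or from Windows Server 2003) that applies RCPT TO-time recipient filtering to a trace like the one above and reports which accepted recipients will produce an NDR to the forged sender. The mailbox list, the example.org sender and the function names are assumptions made up for the illustration.

```python
import re

# Assumptions (constructed): the domains this server hosts and the
# mailboxes that really exist on it.
LOCAL_DOMAINS = {"codinghorror.com"}
VALID_MAILBOXES = {"postmaster@codinghorror.com"}

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):<([^>]*)>", re.I)

def rcpt_reply(recipient):
    """Reply a recipient-filtering server would give at RCPT TO time."""
    rcpt = recipient.lower()
    domain = rcpt.rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        return "550 5.7.1 Unable to relay"
    if rcpt not in VALID_MAILBOXES:
        return "550 5.1.1 User unknown"   # rejected before DATA, so no NDR
    return "250 2.1.5 OK"

def find_backscatter(trace):
    """Return (sender, recipient) pairs where the server answered 250 to a
    recipient it cannot deliver to, so an NDR will later go to the sender."""
    hits, sender, pending = [], None, None
    for line in trace.splitlines():
        line = line.strip()
        m = ADDR.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            sender, pending = m.group(2), None
        elif m:
            pending = m.group(2)          # wait for the reply to this RCPT TO
        elif pending is not None:
            accepted = line.startswith("250")
            if accepted and not rcpt_reply(pending).startswith("250"):
                hits.append((sender, pending))
            pending = None
    return hits

# Constructed sample: the first exchange is taken from the trace above,
# the second is a legitimate delivery added for contrast.
SAMPLE_TRACE = """\
MAIL FROM:<lolando@glocos.com>
250 2.1.0 OK
RCPT TO:<uucp@codinghorror.com>
250 2.1.5 OK
MAIL FROM:<friend@example.org>
250 2.1.0 OK
RCPT TO:<postmaster@codinghorror.com>
250 2.1.5 OK
"""

if __name__ == "__main__":
    for sender, rcpt in find_backscatter(SAMPLE_TRACE):
        print(f"NDR will be sent to {sender}: {rcpt} -> {rcpt_reply(rcpt)}")
```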

I hate to buy a commercial mail server to replace the simple SMTP and POP3 services provided with Windows Server 2003. But unless I can stem the tide of SMTP non-delivery report spam, I guess I'll have to.
