Coding Horror

programming and human factors

Spam via SMTP Non-Delivery Reports

I have modest email needs, so I use the default SMTP and POP3 services in Windows Server 2003. Although I have email relay disabled, spammers are still managing to send spam through my SMTP service -- via non-delivery reports!

In other words, spammers are intentionally sending email messages to nonexistent email addresses on my domain. Here's a representative sniffer trace from earlier today:

MAIL FROM:<lolando@glocos.com>
250 2.1.0 OK
RCPT TO:<uucp@codinghorror.com>
250 2.1.5 OK
DATA
354 Start mail input
(spam email body elided)
250 2.6.0 Queued mail for delivery

MAIL FROM:<meskes@getinthepicture.com>
250 2.1.0 OK
RCPT TO:<support@codinghorror.com>
250 2.1.5 OK
DATA
354 Start mail input
(spam email body elided)
250 2.6.0 Queued mail for delivery

This repeats dozens of times, with different "from" and "to" email addresses. The person in the "from" address will get a non-delivery report from my server that includes the original spam message as an attachment.

This is also known as a "Reverse NDR attack", because the non-delivery report goes to the spoofed "from" address (that is, the victim the spammer actually wants to reach) instead of to the real sender, and my server does the delivering.

I've pored over the SMTP settings in Windows Server 2003 and I can't figure out a way to fix this. I did find this cool SMTP tar pit feature which sounds appropriate -- but unfortunately, it will have no effect in my case. As you can see from the above sniffer trace, the basic SMTP service is not smart enough to perform "recipient filtering" -- to reject email for users that don't exist at the time of submission, i.e. with a 5xx reply to the RCPT TO command. The validation of the address occurs after the message has been accepted and queued, which is too late.

I thought about suppressing non-delivery reports entirely, but this breaks the email protocol:

Some of you might think it would be better to simply turn off recipient filtering, rely on your 3rd party antispam product, and suppress NDRs (as spammers typically use spoofed domains anyway). This is possible but unfortunately doing so breaks RFC 2821, which states that an NDR must be returned if an e-mail message for an invalid recipient is accepted. In addition it also means normal users that perhaps make a typo in an e-mail address will never receive an NDR informing them of the issue.

What I really need is some way to make the default SMTP service in Windows Server 2003 reject emails for invalid recipients prior to accepting the message. That, along with the built-in tarpit support, should break spammers.
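To make the difference concrete, here is a small Python simulation of both behaviors (added here as an illustration; it is not code from the original post or from the Windows SMTP service). It replays the first exchange from the sniffer trace above against a server that either validates recipients at RCPT TO time or, like the default service, only after the message is queued. The local mailbox list and the message body are constructed.

```python
LOCAL_DOMAIN = "codinghorror.com"   # domain seen in the page's sniffer trace
VALID_USERS = {"jeff"}              # constructed: the only mailbox that exists

# The first exchange from the page's trace, replayed as client commands
# (the message body is constructed; the page elides it).
SPAM_SESSION = [
    "MAIL FROM:<lolando@glocos.com>", "RCPT TO:<uucp@codinghorror.com>",
    "DATA", "Subject: spam", "", "(spam body)", ".",
]

def handle_session(commands, recipient_filtering):
    """Minimal SMTP receiver. Returns (replies, queued, ndrs): server replies,
    recipients queued for delivery, and (sender, recipient) pairs for which a
    non-delivery report carrying the message would go back to MAIL FROM."""
    replies, queued, ndrs = [], [], []
    sender, rcpts, in_data = None, [], False
    for line in commands:
        if in_data:                          # body lines until the lone "."
            if line != ".":
                continue
            in_data = False
            replies.append("250 2.6.0 Queued mail for delivery")
            for rcpt in rcpts:               # validation after acceptance
                if rcpt.split("@")[0] in VALID_USERS:
                    queued.append(rcpt)
                else:                        # too late: bounce to "sender"
                    ndrs.append((sender, rcpt))
            rcpts = []
        elif line.upper().startswith("MAIL FROM:"):
            sender = line.partition(":")[2].strip("<> ")
            replies.append("250 2.1.0 OK")
        elif line.upper().startswith("RCPT TO:"):
            addr = line.partition(":")[2].strip("<> ")
            user, _, domain = addr.partition("@")
            if domain.lower() != LOCAL_DOMAIN:
                replies.append("550 5.7.1 Relaying denied")   # relay is off
            elif recipient_filtering and user not in VALID_USERS:
                replies.append("550 5.1.1 User unknown")      # reject pre-DATA
            else:
                rcpts.append(addr)
                replies.append("250 2.1.5 OK")
        elif line.upper() == "DATA":
            if rcpts:
                in_data = True
                replies.append("354 Start mail input")
            else:
                replies.append("503 5.5.1 No valid recipients")
        else:                                # body sent after a rejected DATA
            replies.append("500 5.5.2 Command not recognized")
    return replies, queued, ndrs
```

Without recipient filtering the spam is queued and an NDR (with the spam attached) goes to the spoofed sender; with it, the RCPT TO is refused and nothing is ever accepted, so there is nothing to bounce.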

I hate to buy a commercial mail server to replace the simple SMTP and POP3 services provided with Windows Server 2003. But unless I can stem the tide of SMTP non-delivery report spam, I guess I'll have to.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: https://infosec.exchange/@codinghorror