Friday, June 6, 2008

Non Delivery Report - NDR Spammer filter

Some spammers have been using a built-in feature of email to get around spam filters. This Outlook rule can help to filter them out.

Normally if you send mail to a person and it does not reach them you get a return notification message that your email did not get delivered. This type of email notification is called a Non Delivery Report or NDR for short. It is important that users get these NDR messages or else they assume that they have communicated information when in fact it never reached the intended person.

The problem now is that some spammers spoof the return mail address. You are probably being spoofed if you find that you are getting NDRs for messages that you never sent.

The spammer's trick is to send the message to a known bad address on purpose so that it bounces back to the spoofed return address (which is your address). Now you open the email to figure out what got returned and... congratulations, you have just become the recipient of spam mail.

The problem is how to filter out fake NDRs and not the valid ones.

I found the following post that has helped to filter these out at least at the client:
http://forums.msexchange.org/m_1800471565/mpage_1/key_/tm.htm#1800471565
Here is the text from the post:
===start copied text===
After some additional research and experimentation we think we've found an acceptable solution that relies on the following three premises:

1. Most NDRs can be filtered using a small set of subject phrases.
2. Most legitimate NDRs will reference the IP address or Postmaster account of our mailserver somewhere in the message header or body.
3. Spoof generated NDRs will reference the FQDN of our mailserver (as configured in the advanced Virtual SMTP properties) in the message header as the final recipient, but never the IP address or Postmaster account.

Using these premises we crafted a simple Outlook rule, exported it to a file and distributed it to our affected users along with import instructions. The rule runs server-side so once it's entered there's no further reliance on the Outlook client. We would have preferred a centralized solution but none of our current products gave us the level of filtering control found in the Outlook client rules. Here's an example of what we're using,

Apply this rule after the message arrives with 'undeliverable' or 'undelivered mail' or 'delivery failed' or 'delivery failure' or 'failure notice' or 'returned mail' or 'notification (failure)' in the subject move it to the Junk E-mail folder except if the body contains 'our mailserver IP address' or except if the message header contains 'our mailserver IP address' or 'postmaster@ourdomain'
===end copied text===
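The three premises and the resulting rule, written out as a small Python classifier so you can see how the subject test and the IP/postmaster exceptions interact. This is an added example, not code from the forum post or from Outlook; the server IP 192.0.2.25, the domain example.org and both sample bounces are constructed placeholders.

```python
import email
from email import policy

# Subject phrases taken from the Outlook rule (matched case-insensitively).
NDR_SUBJECT_PHRASES = (
    "undeliverable", "undelivered mail", "delivery failed", "delivery failure",
    "failure notice", "returned mail", "notification (failure)",
)
# Assumed placeholders for 'our mailserver IP address' and 'postmaster@ourdomain'.
OUR_MAILSERVER_IP = "192.0.2.25"
OUR_POSTMASTER = "postmaster@example.org"


def looks_like_ndr(msg):
    """Premise 1: most NDRs can be spotted by a small set of subject phrases."""
    subject = str(msg.get("Subject", "")).lower()
    return any(p in subject for p in NDR_SUBJECT_PHRASES)


def references_our_server(msg):
    """Premises 2 and 3: a real bounce carries our IP (body or headers) or our postmaster (headers)."""
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().lower() if body is not None else ""
    return (OUR_MAILSERVER_IP in body_text or OUR_MAILSERVER_IP in headers
            or OUR_POSTMASTER in headers)


def classify(raw):
    """Mirror the rule: 'junk' goes to Junk E-mail, 'keep' is a real NDR, 'not-ndr' means the rule never fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not looks_like_ndr(msg):
        return "not-ndr"
    return "keep" if references_our_server(msg) else "junk"


# Constructed sample bounces, not captured traffic. The first comes from a remote
# MTA that really received our mail, so our IP shows up in its Received header.
LEGIT_NDR = """\
From: MAILER-DAEMON@remote.example.net
Subject: Undeliverable: quarterly report
Received: from mail.example.org ([192.0.2.25]) by remote.example.net

The following address failed: bob@remote.example.net
"""
# The second is backscatter: it names only our FQDN, never our IP or postmaster.
BACKSCATTER = """\
From: postmaster@open-relay.example.com
Subject: Delivery Failure
Final-Recipient: rfc822; mail.example.org

Your message could not be delivered; see the attached file.
"""
```

Note that the exceptions are string matches, so a bounce quoting our IP anywhere in the body is kept; that is the same trade-off the Outlook rule makes.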
