• Stefan Frei , Ivo Silvestri , Gunter Ollmann



Towards the end of 2002, the authors discovered that from time to time there were massive amounts of mail traffic destined for non existent e-mail accounts on our mail servers. This tremendous increase in traffic came without warning and lasted for one to several days, only to stop as suddenly as it started. Close examination of this traffic revealed that it consisted almost entirely of non-delivery notification (NDN) messages from any number of legitimate mail servers, mostly major Internet access providers and mail portals. The authors concluded that spammers had chosen to fake our mail domains within the reply-to addresses of the malicious spam they were sending. A large proportion of the mail accounts originally targeted by the spammers did not exist and therefore their authoritative mail servers generated NDN messages which were promptly sent to the also non existing accounts on our mail systems.

It is important to note that these spam e-mails were not directly targeted at ac- counts on our servers. Instead, the reply-to address of the offending spam-mails contained our some of our registered domain names. Therefore, only NDN messages were sent to our systems and not the original spam mail. A closer inspection of these NDN messages revealed interesting differences as to how mail-servers generate their responses. It was this analysis which instigated our research into the field of NDN attacks.

This paper analyses the methods utilized by common mail servers and gateways to generate of NDN messages and the implications for potential abuse. Through two related testing methods, experimental data is presented which was gathered from probing initially 8000+ random mail servers and then a representative sample of the Fortune 500 mail systems. This data confirms the high likelihood for future abuse and targeted denial of service (DoS) attacks against SMTP services.