How does a "Reverse NDR" attack work?

Lately I have been repeatedly asked about this subject, so I thought of posting it here for wider consumption. In the event your Exchange Server is attacked, the following happens:

Step 1 - A spam e-mail is created with the intended spam victim's address in the sender field and a random, fictitious recipient at your domain in the To: field.

Step 2 - Your mail server cannot deliver the message and sends an NDR back to what appears to be the sender of the original message: the spam victim.

Step 3 - The returned e-mail carries the non-delivery report and possibly the original spam message. Thinking it is e-mail they sent, the spam victim reads the NDR and the included spam.


For more info, see the following link:


We may check the Internet headers of the NDR in question. To do so, use the following steps:

1. Launch Outlook and open the NDR message.

2. On the View menu, click Options.

3. Check the Internet headers to see where the message was sent from.


If your local Exchange server was not involved in sending the original message, we can confirm that this is a spam e-mail: the spammer is forging your user's e-mail address and sending the spam from their own mail server, which does not require authentication.
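As an added example (not part of the original post), the following Python script automates the header check described above: it pulls the bounced original out of the NDR's message/rfc822 part and reports whether any Received hop was handed off by one of our own servers. The host names, the sample NDR and the LOCAL_HOSTS set are constructed for illustration.

```python
import re
import email
from email import policy

# Hosts that make up our own Exchange organisation (constructed names).
LOCAL_HOSTS = {"exch01.example.com", "mail.example.com"}
# Constructed sample NDR that carries the bounced original as message/rfc822.
SAMPLE_NDR = """\
From: postmaster@mx.third-party.example.net
To: victim@example.com
Subject: Undeliverable: Cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from [203.0.113.7] (unknown) by mx.third-party.example.net with SMTP
From: victim@example.com
To: qwxzv-random@third-party.example.net

buy now
--B1--
"""

# "from <host>" at the start of a Received header names the host that handed
# the message to that hop. Only hops added by servers you trust are reliable.
_FROM_HOST = re.compile(r"from\s+\[?([^\s\]]+)")

def received_hops(ndr_text):
    """Return the handing-off hosts from the enclosed original's Received
    headers (latest hop first), or None if no original is attached."""
    ndr = email.message_from_string(ndr_text, policy=policy.default)
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            hops = []
            for received in original.get_all("Received", []):
                m = _FROM_HOST.match(str(received))
                hops.append(m.group(1) if m else "?")
            return hops
    return None

def classify_ndr(ndr_text, local_hosts=LOCAL_HOSTS):
    """'sent-by-us' if any hop was handed off by one of our hosts,
    'backscatter' if the original never touched them, else 'no-original'."""
    hops = received_hops(ndr_text)
    if hops is None:
        return "no-original"
    return "sent-by-us" if any(h in local_hosts for h in hops) else "backscatter"
```

Run it against a real NDR saved from Outlook as a .eml file after replacing LOCAL_HOSTS with the names your own Exchange servers stamp into Received headers.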


Currently there is still no effective solution against the reverse NDR attack. The good news is that a new standard called SPF has been released; it works along the lines of a PTR record and may prevent spammers from sending e-mail under other users' addresses. Although it is not yet widely used across the Internet, it at least represents a good trend. For more info, you may check the Web site below:


However, one can take the following actions to guard against spam on the Exchange server:


1. Use Recipient Filtering to filter out invalid recipients. See the following article for details:

823866 How to configure connection filtering to use Real-time Block Lists (RBLs)


2. Use a content-based filter, such as IMF.


870823 The Microsoft Exchange Intelligent Message Filter Deployment Guide

Hope this helps!

Fareed Mohammed Khan
