Re: Reverse NDR SPAM attacks - nasty


From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/02/05


Date: Sat, 1 Jan 2005 21:54:20 -0500

John L wrote:
> Hi,
>
> I experienced my first one of these just before the holidays at a
> customer site running SBS 2000. The problem was discovered when the
> SMTP service kept halting and mail flow obviously stopped.
>
> Investigating the Mail folders I discovered a tonne of mail in the
> queue and badmail folders. Initially, my thoughts were it's an open
> relay issue, but after telnetting and running some tests I discovered
> this wasn't the case. The system had been locked to only allow
> anonymous access connections and could not relay; with this setting
> there is no way to authenticate and therefore allow relay.
>
> I turned up logging on the SMTP connector and discovered lots of
> connection attempts (from loads of different IPs) to non-existent
> SMTP aliases, then opened up a few mails in the queues to discover
> that the attacker was using the NDR capability to send SPAM by
> spoofing the from address in the mail (the spoofed addresses were
> legit users in other domains).
>
> To combat the problem I needed a way to use recipient filtering with
> Exchange 2000 (as far as I know MS don't have this functionality
> available) or turn off NDRs (didn't like this option as much, as legit
> users who mis-spell email addresses don't get notified).
>
> I downloaded and installed Mailguard from mapilabs.com as a free
> trial and was able to implement filtering; this stopped the
> generation of NDRs as the spammer just gets a 550 response from the
> server whenever a connection is attempted to a non-existing address.
>
> However, the SMTP stack kept failing due to the sheer volume of
> connection attempts; looking at the Mailguard log I could see that
> the attack was coming from all over the net with literally hundreds
> of IP addresses being used, and his/her script wasn't smart enough to
> realise that this Exchange server was no longer generating SPAM.
>

<snip>

> 4) Any third party products out there which you are using that work
> for Exchange 2000?

I like ORF (Open Relay Filter) from www.vamsoft.com - it does this and much
more. Easy to configure and customize. Will reject mail to addresses not in AD,
use RBL lookups, etc etc etc etc etc -

(etc)

>
> Cheers
>
> John
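The two server behaviours John contrasts above (accept any local-domain recipient and bounce later, versus refuse unknown recipients with a 550 during the SMTP session) are shown here as an added example; it is not code from the thread, from Mailguard or from ORF. The recipient set is a constructed stand-in for the Active Directory lookup those products perform, and the list of RCPT attempts, the client IPs and the spoofed senders are all constructed sample data.

```python
from collections import Counter

# Constructed directory of valid local mailboxes. In Exchange the equivalent
# check is a lookup against Active Directory; this set is a hypothetical
# stand-in for that query.
LOCAL_DOMAIN = "example.com"
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def rcpt_accept_then_bounce(mail_from, rcpt):
    """'Before' behaviour: any address in the local domain is accepted at
    RCPT TO; delivery fails later and an NDR is sent to MAIL FROM.
    Returns (smtp_reply, ndr_recipient); ndr_recipient is None when no
    bounce would be generated."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN:
        # Relay is locked down, as in the original post
        return "550 5.7.1 Unable to relay", None
    if rcpt.lower() in VALID_RECIPIENTS:
        return "250 2.1.5 Recipient OK", None
    # Accepted now, bounced later: the NDR (carrying the spam payload) goes to
    # whatever MAIL FROM the client supplied, i.e. the spoofed third party.
    return "250 2.1.5 Recipient OK", mail_from


def rcpt_reject_unknown(mail_from, rcpt):
    """'After' behaviour (recipient filtering): an unknown local address is
    refused inside the SMTP session, so nothing is queued and no NDR exists."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Unable to relay", None
    if rcpt.lower() in VALID_RECIPIENTS:
        return "250 2.1.5 Recipient OK", None
    return "550 5.1.1 User unknown", None


# Constructed sample of RCPT attempts: (client IP, MAIL FROM, RCPT TO).
# The MAIL FROM values play the role of the legitimate users in other
# domains whose addresses were spoofed.
ATTEMPTS = [
    ("198.51.100.7", "victim1@other.example", "alice@example.com"),
    ("198.51.100.7", "victim1@other.example", "qzx8812@example.com"),
    ("203.0.113.44", "victim2@other.example", "sales-old@example.com"),
    ("203.0.113.45", "victim3@other.example", "jsmith@example.com"),
    ("203.0.113.46", "victim4@other.example", "bob@example.com"),
    ("192.0.2.9", "victim5@other.example", "nobody@elsewhere.example"),
]


def run(policy, attempts=ATTEMPTS):
    """Apply one RCPT policy to every attempt. Returns counts of accepted and
    rejected recipients, the list of third parties who would receive an NDR,
    and unknown-recipient attempts per client IP (the figure a connector log
    review would surface to show how distributed the source is)."""
    accepted = rejected = 0
    backscatter = []
    unknown_by_ip = Counter()
    for ip, mail_from, rcpt in attempts:
        reply, ndr_to = policy(mail_from, rcpt)
        if reply.startswith("250"):
            accepted += 1
        else:
            rejected += 1
        if ndr_to:
            backscatter.append(ndr_to)
        domain = rcpt.rpartition("@")[2].lower()
        if domain == LOCAL_DOMAIN and rcpt.lower() not in VALID_RECIPIENTS:
            unknown_by_ip[ip] += 1
    return {
        "accepted": accepted,
        "rejected": rejected,
        "backscatter_to": backscatter,
        "unknown_rcpt_by_ip": dict(unknown_by_ip),
    }


if __name__ == "__main__":
    for name, policy in (("accept-then-bounce", rcpt_accept_then_bounce),
                         ("reject-unknown", rcpt_reject_unknown)):
        print(name, run(policy))
```

Under the first policy the three unknown-recipient attempts each produce an NDR addressed to a spoofed outside user, which is the backscatter John saw in the queues; under the second, those attempts end with a 550 inside the session and the backscatter list is empty, while the per-IP counter still records every probe so the volume and spread of the source can be read off the log even though nothing is queued.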
