Re: queues problem Please help ASAP

From: Rich Matheisen [MVP] (richnews_at_rmcons.com.NOSPAM.COM)
Date: 07/11/04


Date: Sun, 11 Jul 2004 10:44:07 -0400


"Ramadan Al-Jallad" <ramadan19@hotmail.com> wrote:

                                        [ snip ]

>> Either you're being heavily spammed, you're being used in a "reverse
>> NDR" attack, or your server's an open SMTP relay.
>
>how can I know that by short way
>and how can I check the 2 possibilities

SPAM is usually directed at user names in your own address space. So
you'd see the "RCPT TO:" commands having your domain name in them.

The "reverse-NDR" is where the messages have "MAIL FROM" commands with
someone else's domain in them (which is perfectly normal) and an
obviously incorrect address in the "RCPT TO" command (the desired
result is, after all, to have the NDR delivered to the person in the
"MAIL FROM" address).

By not accepting messages to addresses that don't exist in your
organization, the reverse-NDR attack is pretty easy to control.

>> You can eliminate the NDR's from spam by configuring the Exchange
>> server to use the AD to verify the address on the inbound mail is
>> correct. If it isn't, the mail isn't accepted.
>
>can you please show me how to make that.

Check the "Recipient Filtering" tab on the "Message Delivery" object in
the "Global Settings" container. Make sure the box "Filter recipients
who are not in . . ." is checked.

>> If it's a reverse-NDR attack you'll have to block the IP addresses of
>> the originator.
>
>How to make that?

If the "MAIL FROM" contains an SMTP address, and not the null "<>"
address, the "Recipient Filtering" will help. If you're getting spam
in the form of NDR's then you'll have to block the IP address. But try
the recipient filtering first.

>
>
>
>> If you're an open SMTP relay, close the relay.
>
>How to make that?
>>
>> A final possibility is that you've assigned a weak password to a
>> common account (administrator, iusr_<servername>, webmaster, etc.) and
>> someone's cracked the password. It can also be one of your users'
>> accounts that's been compromised. If you don't need it, don't allow
>> relaying by authenticated clients.
>
>I don't think so because we made a complexity requirement for passwords.
>thank you very much
>Hope to reply.
>>
>> --
>> Rich Matheisen
>> MCSE+I, Exchange MVP
>> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
>

-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
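
Added example, not part of the thread above: a small Python script that
applies Rich's triage rules to an SMTP protocol log. It walks the MAIL FROM /
RCPT TO commands per client IP and reports, for each source, whether it looks
like ordinary spam (RCPT TO for real mailboxes in your domain), a reverse-NDR
attack (foreign MAIL FROM plus bogus local RCPT TO), bounce spam with a null
sender (which recipient filtering cannot stop), or open relaying (accepted
RCPT TO for an outside domain). The log lines, the domain example.com, the
mailbox list (a stand-in for the AD lookup) and the simplified record layout
are all constructed assumptions; the real Exchange 2003 SMTP virtual server log
is W3C extended format with more columns, so adapt parse_line() to it. The
relay_probe() function at the end does the classic manual open-relay check
over a live connection and is not exercised offline.

```python
"""Triage an SMTP protocol log: spam vs. reverse-NDR vs. bounce spam vs. open relay.

Added example; not code from the original post.  The record layout is an
assumed, simplified "client-ip command argument status" line, not the exact
W3C layout Exchange 2003 writes.
"""
import re
import smtplib
from collections import defaultdict

# Assumptions: our own domain(s) and the mailboxes that really exist
# (stand-in for the AD lookup that Recipient Filtering performs).
LOCAL_DOMAINS = {"example.com"}
LOCAL_MAILBOXES = {"alice", "bob", "postmaster"}

# Constructed sample log.  Four client IPs, one behaviour each.
SAMPLE_LOG = """\
203.0.113.5 MAIL FROM:<promo@spammer.example> 250
203.0.113.5 RCPT TO:<alice@example.com> 250
203.0.113.5 RCPT TO:<bob@example.com> 250
203.0.113.5 RCPT TO:<qzxv@example.com> 250
198.51.100.7 MAIL FROM:<victim@bank.example> 250
198.51.100.7 RCPT TO:<aaa111@example.com> 250
198.51.100.7 RCPT TO:<bbb222@example.com> 250
198.51.100.7 RCPT TO:<ccc333@example.com> 550
192.0.2.9 MAIL FROM:<someone@elsewhere.example> 250
192.0.2.9 RCPT TO:<target@otherdomain.example> 250
203.0.113.77 MAIL FROM:<> 250
203.0.113.77 RCPT TO:<zz9@example.com> 250
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Return (client_ip, command, address, status) or None for unparseable lines.
    The null sender <> yields an empty-string address."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ip, cmd, arg, status = parts
    m = ADDR_RE.search(arg)
    if not m or not status.isdigit():
        return None
    return ip, cmd.upper(), m.group(1), int(status)


def classify_recipient(addr):
    """'relay' if the domain is not ours, else whether the mailbox exists."""
    local, _, domain = addr.rpartition("@")
    if domain.lower() not in LOCAL_DOMAINS:
        return "relay"
    return "local-valid" if local.lower() in LOCAL_MAILBOXES else "local-invalid"


def verdict(s):
    """Apply the rules from the post to one client's accepted RCPT TO commands."""
    if s["relay"]:
        return "open relay: accepted RCPT TO outside our domains; close the relay"
    if s["local-invalid"] == 0:
        return "inbound mail to real mailboxes: ordinary spam or legitimate"
    if s["sender"] == "":
        return "bounce spam with null sender: recipient filtering cannot stop it, block the IP"
    if s["local-invalid"] > s["local-valid"]:
        return "reverse-NDR: foreign MAIL FROM plus bogus local RCPT TO; enable recipient filtering"
    return "inbound mail to real mailboxes: ordinary spam or legitimate"


def triage(log_text):
    """Group commands by client IP, count recipient classes, attach a verdict."""
    sessions = defaultdict(lambda: {"sender": None, "relay": 0, "local-valid": 0,
                                    "local-invalid": 0, "rejected": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, cmd, addr, status = rec
        s = sessions[ip]
        if cmd == "MAIL":
            s["sender"] = addr
        elif cmd == "RCPT":
            if status != 250:          # already refused (e.g. by Recipient Filtering)
                s["rejected"] += 1
            else:
                s[classify_recipient(addr)] += 1
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return dict(sessions)


def relay_probe(host, port=25, timeout=10):
    """Manual open-relay test over a live connection (not run offline).
    Outside sender, outside recipient: a 250 to RCPT TO means the server
    relays.  Some servers only refuse at DATA, so a 250 here is a strong
    signal, not proof.  Only probe servers you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        smtp.docmd("MAIL", "FROM:<relaytest@example.net>")
        code, _ = smtp.docmd("RCPT", "TO:<relaytest@example.org>")
        smtp.docmd("RSET")
        return code


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(f"{ip:14} valid={s['local-valid']} invalid={s['local-invalid']} "
              f"relay={s['relay']} rejected={s['rejected']}  -> {s['verdict']}")
```

The "rejected" count is what you should see grow once the "Filter recipients
who are not in the directory" box is ticked: the bogus RCPT TO commands get a
5xx instead of a 250 and no NDR is ever generated. The null-sender case stays
accepted even then, which is why Rich says that source has to be blocked by IP.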

