RE: Preventing reverse NDR attacks...
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Fri, 02 Dec 2005 05:15:57 GMT
Hi Alex,
Thanks for using SBS newsgroup.
Issue description:
==============
I understand that you want to secure the Exchange server and avoid the NDR
attacks.
Analyzing and suggestion:
===============
Generally speaking, after Exchange SP1 we have a special design for
Exchange server to reduce the NDR attacks from the internet. Please refer
to my suggestion below:
The issue might be caused by some incoming emails from outside that try to
search the AD on the SBS domain so that they can send spam emails. Exchange
will reply with an NDR to that user, and if there are too many spam emails,
the outgoing queue will be full of NDR messages. Currently every kind of
email server will encounter this problem. We could not stop the issue
eventually, but we can delay the behavior. You can refer to my suggestions
below; they should be helpful to your issue.
Tarpitting is supported by a Windows Server, which is installed as part of
Win2K3 SP1. The tarpitting registry value (shown below) should be set to
TarpitTime=5. This will delay SMTP address verification responses for 5
seconds, as recommended by the Exchange team.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
842851 SMTP tar pit feature for Microsoft Windows Server 2003
http://support.microsoft.com/?id=842851
The hotfix is also included in SBS 2003 SP1; you can check the KB article above.
After changing the registry above, please also refer to my suggestion
below. I would like to give you some articles that can help protect your
Exchange server beyond the spam emails.
If you just want to block the email from special senders, you can refer to
my suggestions below to check it:
1. Please check SMTP virtual server, right click it to choose properties.
2. In the access tab, then choose connection control, add the domain you
want to allow to access the SMTP virtual server
3. Please also check the properties of Message Delivery; you can also set
the rules there. (You can check the Message Delivery properties by opening
Exchange System Management -> Global setting -> Message Delivery.)
We also have a good anti-spam free software called IMF; please refer to the
information below:
Microsoft Exchange Intelligent Message Filter Deployment Guide
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
If you installed ISA on your SBS 2003, I suggest you check if you have set
some restrictions on ISA SMTP filtering rules:
SMTP filtering functions
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/cmt_smtpfilter.mspx
Thanks for your efforts in this issue, if you have any further concern,
please feel free to post back. I am glad to be of assistance.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: =?Utf-8?B?YmFpcmRh?= <bairda@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Preventing reverse NDR attacks...
| Date: Thu, 1 Dec 2005 06:30:04 -0800
|
| Hi! I have several SBS 2003 installs that have SMTP queues that are filling
| up with NDR spam. I am pretty sure that it is an attempt to use reverse NDR
| to create a relay. To solve this I am changing passwords on all accounts.
| Would it also be prudent to shut SMTP off completely since my clients use
| Outlook and Exchange exclusively? Would this affect OWA?
|
| I do have one client that needs POP. Besides telling them to use OWA
| exclusively, what would be the best way to secure the SMTP?
|
| Thanks,
| -Alex-
|
.
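
A way to check and apply the TarpitTime setting described in the reply above, as an added PowerShell example that is not part of the original message. The key path, value name and 5-second delay come from the post; the DWORD value type and the service restart are assumptions based on KB 842851, and the function names are hypothetical.

```powershell
# Added example: audit and set the SMTP tarpit delay described in the post.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'
$ValueName = 'TarpitTime'
$Desired   = 5   # seconds, the delay recommended in the post

function Get-TarpitState {
    # Returns an object describing what is currently configured.
    $state = New-Object PSObject -Property @{ KeyExists = $false; Kind = $null; Seconds = $null }
    if (-not (Test-Path $KeyPath)) { return $state }   # key absent: SMTP service not installed
    $state.KeyExists = $true
    $key = Get-Item $KeyPath
    if ($key.GetValueNames() -contains $ValueName) {
        $state.Kind    = $key.GetValueKind($ValueName)  # assumed to be DWord
        $state.Seconds = $key.GetValue($ValueName)
    }
    return $state
}

function Set-Tarpit {
    param([switch]$Apply)
    $s = Get-TarpitState
    if (-not $s.KeyExists) {
        Write-Warning "$KeyPath not found; is the SMTP service installed?"
        return
    }
    if ($s.Kind -eq 'DWord' -and $s.Seconds -eq $Desired) {
        Write-Output "TarpitTime already $Desired seconds; nothing to do."
        return
    }
    if ($null -eq $s.Seconds) { $current = 'not set' }
    else { $current = "$($s.Seconds) ($($s.Kind))" }
    Write-Output "TarpitTime is currently: $current"
    if (-not $Apply) { Write-Output "Re-run with -Apply to set it to $Desired."; return }

    # Remove a value of the wrong type or size first, then create the DWORD.
    if ($null -ne $s.Kind) { Remove-ItemProperty -Path $KeyPath -Name $ValueName }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired | Out-Null
    # Assumption: the SMTP service reads this value at start, so restart it.
    Restart-Service -Name SMTPSVC
    Write-Output "TarpitTime set to $Desired; SMTPSVC restarted."
}

Set-Tarpit   # report only; run 'Set-Tarpit -Apply' from an elevated prompt to change it
```

Run it report-only first on each SBS install to see which servers lack the value, then apply during a window where a brief SMTP restart is acceptable.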