RE: Getting swamped with NDRs. How do I stop them?



Hi Tom,

Thanks for using the newsgroup.

From your description, I understand the issue to be: the mailboxes are
stuffed with NDRs. If I am off base, please don't hesitate to let me know.

Based on my experience, this is most likely a new kind of spam attack which
uses non-delivery reports (NDRs), known as a reverse NDR attack. The spam
senders randomly generate a recipient email address that does not exist in
your domain but does use your legitimate external domain name,
@your_domain.com. When those messages with invalid recipients in the To box
are delivered to your Exchange server, postmaster@xxxxxxxxxxxxxxx will then
attempt to reply to the sender saying that this mail cannot be
delivered.

I. To determine whether the messages are NDR messages, please use the
following steps:

1. Start the Exchange System Manager program.
2. Expand Servers, expand your Exchange server, and click Queues.
3. In the right pane, click a queue that contains many messages, click Find
messages, and then click Find Now.
4. View the Sender field of the returned items. If the sender of the
message is postmaster@xxxxxxxxxxxxxxx, the message is an NDR message.
Double-click the message to view the external recipient of this message.

II. Follow steps 3 through 4 to view the messages in other SMTP queues. If
most of the messages are from postmaster@xxxxxxxxxxxxxxx, you may be
experiencing a reverse NDR attack. In this situation, we can configure a
recipient filter to prevent this. Also, we can enable sender filtering to
filter messages with a blank sender. To do this, please follow the steps
below:

1. Start the Exchange System Manager tool.
2. Expand Global Settings, right-click Message Delivery, and then click
Properties.
3. Click the Recipient Filtering tab, click to select the Filter recipients
who are not in the Directory check box, and then click OK.
4. When you receive the following message, click OK:
Connection, Recipient, and Sender Filtering must manually be enabled on
specific SMTP virtual server IP address assignments as they are not enabled
by default. For more information on how to enable any of the above
filtering types, read their associated help.
5. Expand Servers, expand your computer, expand Protocols, expand SMTP,
right-click Default SMTP Virtual Server, and then click Properties.
6. On the General tab, click Advanced.
7. Click Edit, click to select the Apply Recipient Filter check box, and
then click OK three times.

*Note: If you are running Exchange in a front-end/back-end environment,
recipient filtering must be enabled on the SMTP bridgehead server or
servers.

After you enable recipient filtering, a certain technique may be used
against your Exchange server to gather information about the valid e-mail
addresses in your organization. This technique is known as a Directory
Harvest Attack.

For additional information about how to help prevent this kind of attack,
click the following article number to view the article in the Microsoft
Knowledge Base:
842851 A security update is available to help prevent the enumeration of
Exchange Server 2003 e-mail addresses
http://support.microsoft.com/kb/842851/

III. You can refer to the following article to get detailed steps to clean up
the Exchange queues.

886208 Exchange queues fill with many non-delivery reports from the
postmaster
http://support.microsoft.com/?id=886208

Also, you can take a look at the following articles to get more information
about NDR spammers.
How to block open SMTP relaying and clean up Exchange Server SMTP queues in
Windows Small Business Server
http://support.microsoft.com/?id=324958

823866 How to configure connection filtering to use Realtime Block Lists
(RBLs)
http://support.microsoft.com/?id=823866

How to prevent unsolicited commercial e-mail in Exchange 2003
http://support.microsoft.com/?id=821746

Hope the above information helps! I am happy to be of assistance to you and
look forward to your reply.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
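To make the mechanism in parts I and II concrete, here is a small simulation added as an illustration; it is not Exchange code and not part of Jenny's reply. It models an SMTP receive path with the two controls the reply enables (rejecting recipients not in the directory, rejecting a blank sender), the "mostly from postmaster@" queue test from part I, and the Directory Harvest caveat that follows part II. The domain `your_domain.com`, the spoofed sender `innocent@example.net`, the guessed recipient list and the SMTP reply texts are all constructed for the example.

```python
"""Simulation of the reverse-NDR (backscatter) scenario from the reply above.

Constructed model, not Exchange code: an SMTP receive path with the two
Exchange 2003 controls the reply enables (recipient filtering against the
directory, blank-sender filtering), the part I queue test, and the
Directory Harvest caveat. All addresses and reply texts are made up.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "your_domain.com"            # placeholder domain from the reply
POSTMASTER = "postmaster@" + LOCAL_DOMAIN
NULL_SENDER = ""                            # MAIL FROM:<>, used by every NDR


@dataclass
class Message:
    mail_from: str          # envelope sender ("" = null reverse-path <>)
    rcpt_to: str            # envelope recipient
    subject: str = ""


@dataclass
class Policy:
    # "Filter recipients who are not in the Directory" (part II, step 3)
    reject_unknown_recipients: bool = False
    # Sender filtering for messages with a blank sender (part II)
    reject_blank_sender: bool = False


@dataclass
class Server:
    directory: set                                       # valid local mailboxes
    policy: Policy = field(default_factory=Policy)
    outbound_queue: list = field(default_factory=list)   # NDRs waiting to leave
    inbox: dict = field(default_factory=dict)            # local deliveries

    def receive(self, msg: Message) -> str:
        """Handle one inbound message and return the reply the connecting host
        sees at RCPT TO time (reply text is constructed, not Exchange's)."""
        if self.policy.reject_blank_sender and msg.mail_from == NULL_SENDER:
            return "554 5.1.0 sender denied"
        if msg.rcpt_to not in self.directory:
            if self.policy.reject_unknown_recipients:
                # Refused in-session: the sending host gets the error and the
                # server never owes anyone an NDR, so nothing is queued.
                return "550 5.1.1 user unknown"
            # Accepted, then local delivery fails: the server now owes the
            # (spoofed) sender an NDR from postmaster@. That is the backscatter.
            if msg.mail_from != NULL_SENDER:        # never bounce a bounce
                self.outbound_queue.append(Message(
                    POSTMASTER, msg.mail_from, "Undeliverable: " + msg.subject))
            return "250 2.1.5 recipient ok"
        self.inbox.setdefault(msg.rcpt_to, []).append(msg)
        return "250 2.1.5 recipient ok"


def queue_is_reverse_ndr_attack(queue: list) -> tuple:
    """Part I/II test: count queued items sent by postmaster@ and flag the
    queue when they are the majority. Returns (ndr_count, total, flag)."""
    ndrs = sum(1 for m in queue if m.mail_from.lower() == POSTMASTER.lower())
    return ndrs, len(queue), len(queue) > 0 and ndrs * 2 > len(queue)


def address_validity_disclosed(directory: set, policy: Policy, address: str) -> bool:
    """The caveat after part II: once unknown recipients are refused at RCPT
    time, a real and a bogus address get different replies, which is exactly
    what a Directory Harvest Attack reads. True when the replies differ."""
    probe = Server(directory=set(directory), policy=policy)   # throwaway copy
    real = probe.receive(Message("probe@example.net", address))
    bogus = probe.receive(Message("probe@example.net", "zz-nobody@" + LOCAL_DOMAIN))
    return real != bogus


# Constructed spam burst: a spoofed stranger as sender, guessed recipients
# that do not exist at our domain (none of these match VALID_USERS).
SPOOFED_VICTIM = "innocent@example.net"
VALID_USERS = {"tom@" + LOCAL_DOMAIN, "sales@" + LOCAL_DOMAIN}
GUESSED = ["%s%d@%s" % (name, n, LOCAL_DOMAIN)
           for name in ("a", "bob", "sales") for n in range(5)]


def run_spam_burst(policy: Policy) -> Server:
    """Feed the burst through a fresh server under the given policy."""
    srv = Server(directory=set(VALID_USERS), policy=policy)
    for i, rcpt in enumerate(GUESSED):
        srv.receive(Message(SPOOFED_VICTIM, rcpt, "offer %d" % i))
    return srv


if __name__ == "__main__":
    for label, pol in (("default", Policy()),
                       ("recipient filter", Policy(reject_unknown_recipients=True))):
        q = run_spam_burst(pol).outbound_queue
        print(label, "-> queued NDRs:", queue_is_reverse_ndr_attack(q))
    print("validity disclosed with filter:",
          address_validity_disclosed(VALID_USERS, Policy(reject_unknown_recipients=True),
                                     "tom@" + LOCAL_DOMAIN))
```

Two things the run shows that the steps alone do not: the recipient filter stops the flood because the message is refused before the server ever accepts responsibility for it, so there is no NDR to queue; and the blank-sender filter acts on the other direction of the same problem, the bounces other servers send back to you for mail that spoofed your domain. Those bounces use the null reverse-path, but so does every legitimate NDR, so turning that filter on also discards genuine delivery failures for your own users' mail.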

--------------------
Thread-Topic: Getting swamped with NDRs. How do I stop them?
thread-index: AcZiv6HVI3/U+SJlTNetdjLEeiJbtg==
X-WBNR-Posting-Host: 81.139.239.235
From: Tom Cutting <TomCutting@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Getting swamped with NDRs. How do I stop them?
Date: Tue, 18 Apr 2006 01:11:02 -0700
Lines: 20
Message-ID: <1BD05491-F2BF-48DB-A202-8298A233CDA4@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.sbs
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:261153
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.sbs

Some idiot seems to have set up a spam engine sending out spam and/or malware
spoofing our domain.

It was happening over the weekend when only the server was running, so I'm
confident that it isn't a compromised workstation here, and the messages
definitely aren't passing through Exchange on my SBS.

I assume that the spammer will shortly change the spoofed domain, but in the
meantime I'm getting all the NDRs for the messages it is bouncing. Can I do
anything to ditch these NDRs, as it's swamping my mailbox?

I'm also slightly concerned about our domain maybe ending up on a blacklist,
though I assume blacklisting would be more likely on an IP rather than domain
basis...

TIA

Tom.
