Re: Question on Recipient Filtering/Possible Harvest Attack

From: "Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx>
Date: Fri, 21 Dec 2007 16:25:22 -0600

Hi Kieth,

Turning off NDRs isn't a good option - they serve a useful purpose. You just want to stop them from bieng misused.

What you don't want, is your server accepting messages for users who don't exist on your domain, and then having to turn around and inform the sending server of that fact. Not only does it waste server side resources, but the vast majority of the NDRs will never be able to be delivered because they're addressed to servers that have been 'spoofed' - they don't exist. This is what causes all the retry queues - your server is doing what it's supposed to do - let the sender know the email was not deliverable.

The best approach, IMHO, is to leave NDRs enabled; enable AD filtering; and enable tarpitting. Those are for starters.

You may also elect to take your anti-spam protection to a further level (which also takes a load of your anti-malware application) by using an RBL service (I'd recommend zen.spamhaus.org), as well as configuring IMF to reject high probability spams.

I believe you've already looked up AD filtering and tarpitting, RBL and IMF you should be able to find lots of info with a google groups search of this newsgroup :-).

--
Les Connor [SBS MVP]

"Keith" <Keith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B568A184-3446-40E6-82CD-0600572474FE@xxxxxxxxxxxxxxxx

Hello all,
I understand that If I apply a recipient filter in exchange, that I might
be subject to a Directory Harvest Attack. However, If I have turned off all
NDR's, is it safe to say that the attacker can no longer get a valid list of
my domain users?

Thanks you for all your help!

Prev by Date: Re: Router/Firewall Recommendation
Next by Date: Re: Question on Recipient Filtering/Possible Harvest Attack
Previous by thread: Re: Restoring SharePoint with sdsadm
Next by thread: Re: Question on Recipient Filtering/Possible Harvest Attack
Index(es):
- Date
- Thread

Relevant Pages

RE: sendmail blocking
... the administrator I don't receive any NDRs. ... >> mail server, and the external world that acts as a mail ... Since Nick has been receiving this junk email for a year now ... marketing mailing lists. ...
(RedHat)
Re: Spam attack
... No NDR is generated for an SMTP message denied with a 550 regardless of whether you've configured NDRs or not. ... Once enabled and properly added to the SMTP virtual server, exchange will now generate a 550 for invalid mailboxes instead of accepting and later sending an NDR. ... Somebody can connect and just start throwing addresses at your server and seeing which ones generate 550 or 250, thus eventually gathering legitimate emails. ...
(microsoft.public.windows.server.sbs)
RES: NDRs from spamming
... Since you will start sending out lots of NDRs to domains out there, ... your email server use to attach the original message (so message content ... By default, your mail server will issue a NDR for each NDR it receives, ... We are receiving lots of NDRs from hundreds of non-existent ...
(Incidents)
Re: blocking spam ndrs that arent sent by user
... Have you or anyone else out there had any success in setting up the Sender ID filtering? ... The NDRs themselves are perfectly genuine, they come from legitimate mail servers, they would all pass SPF tests. ... Invalid email recipients should be detected at the SMTP transaction stage, the sending server informed and the message refused. ... Backup MX hosts that don't perform recipient verification are high on the list as well as Qmail based MTAs which almost always accept mail before firing a backscatter NDR. ...
(microsoft.public.windows.server.sbs)
Re: Building a mail server
... qmail uses Maildir exclusively. ... vpopmail supports virtual domains and you can set catch-all accounts ... > filtering to happen on the server so it's already filtered no matter what MUA ...
(Debian-User)