Re: Malware infection signs



Common problem with Exchange, easy fix, no need to disconnect.

http://support.microsoft.com/kb/909005/en-us

Be sure to follow ALL the links and turn on tarpitting, etc.

Gregg Hill



"Bitbob" <Bitbob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:94E995C5-EF58-4548-90E2-7BF1E83E8E3F@xxxxxxxxxxxxxxxx
After a lot of research I am starting to think that this might be an external spam attack using their NDR mechanism to bounce spam to the intended victim. See Brelsford's Advanced book pg 6-129 for a description of the attack.
My question is how do I determine whether it is an external attack or an internal attack if the Client will not allow me to disconnect for any length of time. The E-mail in this type of attack will not register as received by any entity inside the perimeter, so I can't tell if it is originating from outside or inside. The postmaster is still sending E-mail, but as I have shut down NDRs it only goes to the Exchange sorter and stops there. So it is not being delivered. I don't know the NDR mechanism well enough to tell if the persistent postmaster mailings indicate internal sources or are just the normal NDR denial mechanism. Has anyone seen this attack, and is there a way to determine whether the source is internal or external? Thanks for the input.


"Lanwench [MVP - Exchange]" wrote:

Bitbob <Bitbob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
My Client noticed that things were slowing down on his client computers, so I checked his reports for anomalies. I found that the administrator was sending out E-mail as postmaster at the rate of about 2 per minute, continuously. The addresses of the mail recipients were not known to the client in a random sampling. Is there any way to cut off the administrator from Exchange privileges, or in this case the postmaster, which is the name that appears as the sender on all the administrator's E-mail? Help appreciated....

Hold up a minute. What makes you so sure these aren't NDRs being sent out to (probably nonexistent) addresses, due to inbound spam that couldn't be delivered?
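The check Bitbob is asking for can be made from the NDRs themselves, because every NDR carries the returned original message, and the Received header that the client's own Exchange server wrote records the IP address that handed it that message. If that address is outside the perimeter and the failed recipient never existed, the bounce is backscatter from inbound spam (the "reverse NDR attack" Lanwench describes), not mail an inside user sent. The script below is an added example, not code from this thread or from the linked KB article. It assumes a single Exchange server that writes `exch01.corp.example` after "by" in its Received header, treats 10/8 and 192.168/16 as inside, and uses two constructed NDRs; every host name, address and mailbox in it is made up.

```python
"""Triage Exchange postmaster NDRs: backscatter (reverse NDR attack) or an
internally originated bounce?  Added example; names and samples are made up.

Received headers are prepended as a message travels, so the oldest is at the
bottom.  The first header (reading from the bottom) that OUR server wrote is
the point where the message entered the perimeter; headers below it were
written by the sender and may be forged, so they are ignored.
"""
import email
import email.utils
import ipaddress
import re

# Assumed for the example (not from the thread): the client's internal address
# space, the host name the Exchange server puts after "by" in its own Received
# header, its mail domain, and the mailboxes that actually exist.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
OUR_HOST = "exch01.corp.example"
OUR_DOMAIN = "corp.example"
VALID_MAILBOXES = {"bob@corp.example", "alice@corp.example"}

# "from <helo> (<anything> [<ip>]) by <host>", tolerant of header folding.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\)\s+by\s+(?P<by>\S+)",
    re.S)


def origin_of(original):
    """Return (entry_ip, 'internal'|'external'|'unknown') for the hop at which
    the returned original message first reached OUR_HOST."""
    for hdr in reversed(original.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if not m or m.group("by").lower() != OUR_HOST:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        side = "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
        return str(ip), side
    return None, "unknown"


def classify_ndr(raw_ndr):
    """Parse one multipart/report NDR and decide whether it is backscatter."""
    ndr = email.message_from_string(raw_ndr)
    original = next((part.get_payload(0) for part in ndr.walk()
                     if part.get_content_type() == "message/rfc822"), None)
    m = re.search(r"Final-Recipient:\s*rfc822;\s*(\S+)", raw_ndr, re.I)
    failed = m.group(1).lower() if m else None
    entry_ip, origin = origin_of(original) if original else (None, "unknown")
    # A local address that is not a real mailbox: spam sent to a guessed user.
    unknown_local = (failed is not None and failed.endswith("@" + OUR_DOMAIN)
                     and failed not in VALID_MAILBOXES)
    return {
        # The NDR goes to the forged sender, i.e. the real victim of the attack.
        "ndr_to": email.utils.parseaddr(ndr.get("To", ""))[1],
        "failed_recipient": failed,
        "entry_ip": entry_ip,
        "origin": origin,
        "backscatter": origin == "external" and unknown_local,
    }


def tally(raw_ndrs):
    """Count a batch of NDRs (e.g. a queue dump) by origin; the ratio shows at
    once whether a steady postmaster stream is inbound spam bouncing."""
    counts = {"external": 0, "internal": 0, "unknown": 0}
    for raw in raw_ndrs:
        counts[classify_ndr(raw)["origin"]] += 1
    return counts


def _ndr(received_lines, failed_rcpt, spoofed_sender):
    # Constructed sample in the multipart/report shape an NDR takes; not a capture.
    return f"""From: postmaster@corp.example
To: {spoofed_sender}
Subject: Undeliverable: Buy now
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; {OUR_HOST}

Final-Recipient: rfc822; {failed_rcpt}
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

{received_lines}From: {spoofed_sender}
To: {failed_rcpt}
Subject: Buy now

Cheap pills
--b1--
"""


# Spam from an outside relay to a user that does not exist, "from" the victim.
BACKSCATTER_NDR = _ndr(
    "Received: from mx.spam-relay.example.net ([203.0.113.5]) by exch01.corp.example"
    " with SMTP;\n\tMon, 1 Jan 2007 10:00:00 -0500\n",
    "nosuchuser@corp.example", "victim@example.org")
# A real inside user mistyping an outside address: the normal NDR mechanism.
INTERNAL_NDR = _ndr(
    "Received: from ws17.corp.example ([192.168.4.17]) by exch01.corp.example"
    " with SMTP;\n\tMon, 1 Jan 2007 10:05:00 -0500\n",
    "typo@partner.example", "bob@corp.example")

if __name__ == "__main__":
    for raw in (BACKSCATTER_NDR, INTERNAL_NDR):
        print(classify_ndr(raw))
    print(tally([BACKSCATTER_NDR, BACKSCATTER_NDR, INTERNAL_NDR]))
```

Run it over a sample of the NDRs sitting in the queue; a high count of "external" origins to nonexistent local recipients means the server is being used for backscatter, and recipient filtering (rejecting unknown recipients at the SMTP session instead of accepting and then bouncing) stops the NDRs from being generated at all. A spammer can forge Received lines below the one your server wrote, which is why the script trusts only the header containing its own host name.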







