Re: Receiving thousands of System Administrator messages in e-mail

"Jason" <Jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:41FC58BD-076E-4DFD-98F4-2D99C1467B98@xxxxxxxxxxxxxxxx
Brian this is showing the characteristics of open relay abuse / NDR attack. I say this because it happened to me not so long ago. The NDRs are a common sign of this.

From memory here is how it works:

Spammer sends 10,000 emails to bad addresses at your company, i.e.
abcd@xxxxxxxxxxxxxxxx

Spammer configures the spam email to fool your exchange server into thinking the sender is joeblogs@xxxxxxxxx (joeblogs@xxxxxxxxx is actually the intended target of the spam). Your exchange server says "abcd is not a valid address" so sends the NDR to the sender, which of course is actually the target address joeblogs@xxxxxxxxxx. The NDR comes from you but ironically carries the original spam message, so the spammer gets his spam to joeblogs@xxxxxxxxx by tricking your exchange server. This I suspect is why you are seeing all these NDRs.

Yes, I'm familiar with this. I think it's generally known as a reverse-NDR attack.

One of the normal symptoms of this is exchange delivery queues filled with stuff to deliver. This in turn slows everything down because it clogs the internet connection.

However, if the OP's server is being used to deliver NDR spam then I wouldn't expect him to see any non-delivery messages. If an NDR is NDR'd (don't know if that happens but assuming it does) then ... ah, yes, I suppose it would be delivered to "postmaster" which would then get a zillion NDRs. Could be.

In addition to what I said above, I forgot to mention that you should also rule out your clients. Again you should look in your exchange Q to see the emails being generated. You can try to kill them but it will be like emptying water from a sinking ship. You should actually be able to see the emails building in the Q.

Switch off each client individually and see if any of them are generating the emails. Switch one off, check the Q, and do the same with all others. Again this is something that happened to me and one of the clients was running some kind of trojan that was acting as a mail server.

John, I think Jason is on to something with ruling out RNDR, open relay and the possibility that one of the PCs on your network is compromised.
--
Brian Cryer
www.cryer.co.uk/brian
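
As an added illustration of the two patterns discussed in this thread (the reverse-NDR flood, and a single client on the LAN pumping out mail), and not code from the thread or from Exchange itself, here is a small Python script that scans SMTP log lines and reports (a) external "senders" whose mail hit many non-existent local mailboxes, each of which would turn into an NDR addressed back to that sender, and (b) internal hosts submitting an unusual number of messages. The log line format, the addresses, the IPs, the local domain example.com and the thresholds are all assumptions made up for the example.

```python
# Added example, not from this thread: flag the reverse-NDR pattern and a
# noisy internal client from SMTP log lines in a simplified, constructed
# format (one message per line):
#   <time> <client_ip> <mail_from> <rcpt_to> <status>
from collections import Counter, defaultdict

# Constructed sample lines; addresses and IPs are placeholders.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 joeblogs@example.net abcd@example.com 550-unknown-user
10:00:02 203.0.113.7 joeblogs@example.net efgh@example.com 550-unknown-user
10:00:03 203.0.113.7 joeblogs@example.net ijkl@example.com 550-unknown-user
10:00:04 203.0.113.7 joeblogs@example.net mnop@example.com 550-unknown-user
10:00:05 198.51.100.9 partner@example.org alice@example.com 250-accepted
10:00:06 192.168.1.23 alice@example.com bob@example.org 250-accepted
10:00:07 192.168.1.77 alice@example.com x1@example.org 250-accepted
10:00:08 192.168.1.77 alice@example.com x2@example.org 250-accepted
10:00:09 192.168.1.77 alice@example.com x3@example.org 250-accepted
10:00:10 192.168.1.77 alice@example.com x4@example.org 250-accepted
10:00:11 192.168.1.77 alice@example.com x5@example.org 250-accepted
"""

LOCAL_DOMAIN = "example.com"  # assumption: the domain this server hosts


def parse_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        time, client_ip, mail_from, rcpt_to, status = parts
        records.append({
            "time": time,
            "client_ip": client_ip,
            "mail_from": mail_from.lower(),
            "rcpt_to": rcpt_to.lower(),
            "status": status,
        })
    return records


def reverse_ndr_suspects(records, min_bad_rcpts=3):
    """Senders whose mail was addressed to many distinct non-existent local
    mailboxes. Each rejection becomes an NDR sent back to that sender, so a
    sender with many of them is the likely real target of NDR spam."""
    bad_rcpts = defaultdict(set)
    for r in records:
        if r["status"].startswith("550") and r["rcpt_to"].endswith("@" + LOCAL_DOMAIN):
            bad_rcpts[r["mail_from"]].add(r["rcpt_to"])
    return {s: len(rcpts) for s, rcpts in bad_rcpts.items() if len(rcpts) >= min_bad_rcpts}


def noisy_internal_clients(records, internal_prefix="192.168.", min_msgs=3):
    """Internal hosts submitting an unusual volume of outbound mail, the
    pattern a mail-sending trojan on one workstation would produce."""
    counts = Counter(r["client_ip"] for r in records
                     if r["client_ip"].startswith(internal_prefix))
    return {ip: n for ip, n in counts.items() if n >= min_msgs}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("reverse-NDR suspects:", reverse_ndr_suspects(recs))
    print("noisy internal clients:", noisy_internal_clients(recs))
```

On the sample data the first report names joeblogs@example.net (four distinct bad recipients, so four NDRs heading his way) and the second names 192.168.1.77, which is the host you would switch off first when working through the clients one at a time as suggested above. Real Exchange logs need a different parser, but the two counts are the same.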
