Re: Mail spoofing and unwanted/bogus NDR's
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Wed, 16 Apr 2008 05:14:14 GMT
Hello Jim,
Thank you for posting here. Let's also thank others for the input.
According to your description, I understand that internal users get a lot of
spam and NDRs from external senders. If I have misunderstood the problem, please
don't hesitate to let me know.
Based on my research, this may cause the external spam sender to know the
addresses of the users. I suggest we try the following steps to see if we can
resolve this issue:
Please try to change the SCL rating in the IMF to block the spam.
Configuring the Exchange Intelligent Message Filter
http://technet.microsoft.com/en-us/library/bb914061.aspx
Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=B1218D8C-E8B3-48FB-9208-6F75707870C2&displaylang=en
On Exchange Server 2003, we have many antispam methods. Please refer to the
following document:
Exchange Server 2003 Anti-Spam Framework Overview
http://download.microsoft.com/download/0/E/6/0E6A7113-DDA4-4FD7-AABA-B9E264700225/Anti-Spam.doc
Or, you can buy and deploy 3rd-party anti-spam software for Exchange.
Additionally, the remote email server may get an NDR attack.
In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server
queues are filled with many non-delivery reports from the postmaster
account because of a reverse non-delivery report attack
http://support.microsoft.com/?id=909005
I hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: jdr.smith@xxxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Mail spoofing and unwanted/bogus NDR's
| Date: Tue, 15 Apr 2008 11:18:51 -0700 (PDT)
|
| On 15 Apr, 13:53, tatat <ta...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
| > How can it be effective?
| >
| > My basic understanding is that if original poster has created a SPF record
| > and the "other peoples' servers" have configured Sender ID filtering then the
| > sending/receipt of NDRs can be reduced greatly.
| >
| I've just taken a look at some of the e-mails myself, they are all
| predominantly of Russian or Eastern European origin, at least their
| subject line is. I think that if the original recipients had antispam
| protection then they would not have received them in the first place.
|
| Then again what if a spammer set up a bogus mailserver and then sent
| millions of messages to it all with forged or spoofed e-mail addresses
| which then generates these NDR's..with today's technology available to
| them I can foresee all sorts of possible/ominous configurations.
|
| How can antispam software stop spam but not NDR's that contain spam
| like content..seems a little odd to me..
|
| Surely all spammers have to do is to just start mailing servers using
| real spoofed e-mail addresses which then generate NDR's which then
| bury the spoofed e-mail address owner with NDR's spam. Spammers
| message still gets through to someone.
|
| Wait a minute...this is exactly what is happening now !!!!
|
| Hmm..
|
| Jim.
|