Suppress Inbound NDR's

The domain, nottherealname.com, is the victim of a reverse NDR attack.  Several users are being flooded with returned NDR for messages they have not sent and originated from an unrecognized IP address.  I am (trying to) maintain this Exchange 07, SP1 server.  It is hosted on a 64-Win2k3, SP3 enterprise server.  All exchange roles are on the same box.  Dual, quad core 2.3GHz, 8 gig ram and 300 gig of disk.  It's in an 03 AD, single domain, single forest.  The server is hosting mailboxes for 200 users.  The domain has a valid SPF record.  I have employed several Exchange anti-spam offerings including Sender Reputation, Sender Filtering, Recipient Filters and Content Filtering.

Sender Reputation block for 24 hours
Sender Filtering blocks blank senders
Recipient Filtering blocks recipients who are not in the GAL
Content Filtering deletes messages which have a SCL of 8 or higher.  message between 6 and 8 are quarantined.  I have also added common keywords usually associated with NDRs to the custom words such as 'undeliverable'

I suspect the filters are not working because NDR's are not recognized as standard messages and thus not scrutinized.

I created a Transport Rule which sets any message which contains the word 'Undeliverable' to an SCL of 9.  GFI Mail Essentials and Mail Securities is also being hosted on the box.  The configuration of each are too elaborate to summarize here but if requested, I can offer those details as well.  I have verified that GFI is not unintentionally whitelisting these same key words I am trying to deny.  GFI does not offer any option to filter or deny NDRs.  I have experience this issue before with another client.  GFI support was able to offer a registry change which would reclassify NDRs as standard messages which they could then be filtered.  I lost the notes on that.

Real.person@nottherealname.com has been substituted for the actual domain and user name as well as the server name, mail.nottherealname.com.  Anonymous relay, open relay is not enabled on the Hub Transport.  This is also supported by the fact that I cant find the original messages sent out of the exchange server and have verified with server online services, like Dnsstuff.com, that open relay is not on.

So what are my defense options.  I am even willing to consider disabling deliver notification for these users if need be.  A NDR sample is below.  More info can be provided upon request.

Thanks
DG




Diagnostic information for administrators:

Generating server: mx1.virtual-motive-division.com

comments@virtual-motive-division.com
#< #5.1.1> #SMTP#

Original message headers:

Return-Path: real.person@nottherealname.com  
X-Original-To: comments@virtual-motive-division.com
Received: from fester (host19-23-dynamic.5-87-r.retail.telecomitalia.it
 [87.5.23.19])      by dd6906.kasserver.com (Postfix) with ESMTP id CCDB4D3208      for
 <comments@virtual-motive-division.com>; Sun, 16 Mar 2008 11:33:27 +0100 (CET)
Received: from [87.5.23.19] by mail.nottherealdomain.com; , 16 Mar 2008 11:33:26 +0100
Date: Sun, 16 Mar 2008 11:33:26 +0100
From: EuroSoftware <real.person@nottherealname.com
X-Mailer: The Bat! (v3.81.14 Beta) Professional
Reply-To: <real.person@nottherealname.com >
X-Priority: 3 (Normal)
Message-ID: <070512223.72673470517751@nottherealname.com >
To: <comments@virtual-motive-division.com>
Subject: MS Office XP, MS Office 2007, Adobe Acrobat 8
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------E5B67125425B6EC"
X-Antivirus: avast! (VPS 080314-0, 14/03/2008), Outbound message
X-Antivirus-Status: Clean
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.2 with clamdscan / ClamAV 0.91.1/6254/Sun Mar 16 09:27:35 2008
X-Antivirus: avast! (VPS 080316-0, 16.03.2008), Inbound message
X-Antivirus-Status: Clean