System Administator Undeliverable: : Microsoft, Exchange Server, 2003

May 17, 2008 08:52am pdt

1. Sembee 68,650
2. kieran_b 49,877
3. peakpeak 24,375
4. mass2612 23,650
5. Chris-Dent 21,300
6. war1 20,025
7. Richard_... 19,189
8. mattee76 15,800
9. Network_... 15,400
10. abhaigh 13,220
11. mihapi 12,845
12. Paka 12,421
13. LeeDerby... 12,050
14. tigermatt 11,900
15. isaman07 11,750

1. Sembee 341,527
2. kieran_b 49,877
3. war1 44,686
4. mass2612 36,650
5. Chris-Dent 33,362
6. darkstar3d 33,275
7. ATIG 32,075
8. peakpeak 29,775
9. tigermatt 29,300
10. rid 27,920
11. TechSoEasy 27,410
12. LeeDerby... 26,000
13. grblades 25,375
14. redseate... 23,509
15. Richard_... 19,189

04.15.2008 at 05:36AM PDT, ID: 23323451

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.0

System Administator Undeliverable:

Zones: Simple Mail Transfer Protocol (SMTP), Exchange Email Server, Email Servers

Tags: Microsoft, Exchange Server, 2003

For the past two weeks our email system has been overwhelmed by System Administrator Undeliverable messages. It seems like everyday another person gets hammered with a few hundred and then it moves on. I have a recipient filter set up, an SPF in my MX record, and we are not set up to be a relay. Complicated usernames are being replicated and this is my dilema, how would someone get these usernames to spoof emails to unsuspecting people? I know this is a problem that one answer can not fix, so I will divide points up to anyone who gives me something that I can implement on my system.

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: chetweewax

Solution Provided By: _etoptas

Participating Experts: 3

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

04.15.2008 at 06:42AM PDT, ID: 21358581

_etoptas:

Try implementing Grey Listing, most spammers pc's tries sending email once and does not try for second time. What you can do with Grey Listing is to reject all incoming emails by default and only legitimite emails servers will try to send email to you. Emails will be acceptted on second try.
You can read more about it: http://www.greylisting.org/
and http://en.wikipedia.org/wiki/Greylisting

FM

04.15.2008 at 10:19AM PDT, ID: 21360638

Rank: Savant

Sembee:

Greylisting will not help unfortunately. These messages are coming from legitimate servers and therefore the messages will continue to be delivered.

Your domain is being used for spoofing and this question is being asked numerous times a day. Search the site and you will find the previous questions.

There is little that you can do. Your server has to accept NDRs that are being delivered to under the terms of the RFCs (the rules for SMTP). If you try to block them then you will get blacklisted yourself.

http://www.experts-exchange.com/Software/Internet_Email/Email/Anti_Spam/Q_23313652.html
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23320044.html
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23318724.html
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23313351.html

At some point in the past couple of days someone posted a rule that will delete the messages for to put in to Outlook, but I cannot find it.

Simon.

04.15.2008 at 10:34AM PDT, ID: 21360785

chetweewax:

Grey Listing sounds like a good idea in theory, but the fact that it slows down the delivery process so dramatically puts it at the bottom of the list of solutions. I realize spoofing is very common, and has happened in the past, but randomly. This time we are receiving the messages in large quantities to one person per day. It is almost like someone has our exact address book.

The rule in outlook is a good work around. Is there a way to do this universally for all users, instead of setting it up on individual machines.

04.15.2008 at 10:45AM PDT, ID: 21360894

Rank: Savant

Sembee:

I actually use greylisting as my primary antispam feature. I use Vamsoft ORF to do greylisting for me. It automatically white lists any email messages that are sent out. Most users will be emailing the same people all the time so the bulk of email comes in immediately. You can also adjust the white list centrally - so I have all Experts Exchange email on the white list. However if you cannot afford a five minute delay on email then it is not suitable. Most companies can, because if you are exchanging emails with some frequently they will be white listed anyway.

There is no way of doing a server side solution - the Outlook rule is client side.

If you did not have recipient filtering enabled, or you did but you didn't have tar pit enabled then someone may have carried out a directory harvest attack. However if a spammer has a list of your email address harvested from elsewhere then they could be using that as the from field.

Simon.

04.15.2008 at 11:01AM PDT, ID: 21361054

chetweewax:

Tarpitting is enabled on the exchange sever, but was not until last week when this problem became severe.

We are using GFI Mail Essentials 12, and i have browsed there website for grey listing and do not see any entries or software updates for it. Will the Vamsoft ORF work in conjunction with Mail Essentials.

04.15.2008 at 12:34PM PDT, ID: 21362039

_etoptas:

Greylisting solution will definately reduce the amount of spam coming in. I get number of these undeliverable messages by myself and having disabled grey listing for couple of day, I was able to see that most of those undeliverable emails were not coming from legit email servers. But as mentioed, if they are coming from legit mail server then there is not much you can do.

FM

Accepted Solution

04.15.2008 at 02:07PM PDT, ID: 21362882

Rank: Savant

Sembee:

It should work alongside Mail Essentials, but I will confess that I haven't tried the combination together. Since I have been using Vamsoft ORF I haven't needed any other antispam application.

Simon.

Assisted Solution

dstrzemienski

04.21.2008 at 08:29PM PDT, ID: 21407960

Sembee:

I think this is the Outlook rule you were referring to, found on forums.msexchange.org.

My apologies (and thanks!) to the original poster, EdwardLHall:

After some additional research and experimentation we think we've found an acceptable solution that relies on the following 3 premises,

1. Most NDRs can be filtered using a small set of subject phrases.

2. Most legitimate NDRs will reference the IP address or Postmaster account of our mailserver somewhere in the message header or body.

3. Spoof generated NDRs will reference the FQDN of our mailserver (as configured in the advanced Virtual SMTP properties) in the message header as the final recipient, but never the IP address or Postmaster account.

Using these premises we crafted a simple Outlook rule, exported it to a file and distributed it to our affected users along with import instructions. The rule runs server-side so once its entered theres no further reliance on the Outlook client.

We would have preferred a centralized solution but none of our current products gave us the level of filtering control found in the Outlook client rules.

Heres an example of what were using,

Apply this rule after the message arrives
with undeliverable or undelivered mail or delivery failed or delivery failure or failure notice or returned mail or notification (failure) in the subject
move it to the Junk E-mail folder
except if the body contains our mailserver IP address
or except if the message header contains our mailserver IP address or postmaster@ourdomain

We tested this on a set of 200 spoof generated NDRs and it was about 95% effective, we then sent 20 random test emails to the same addresses generating legitimate NDRs all of which passed the rule correctly.

Sembee

04.23.2008 at 03:46AM PDT, ID: 21419160

That looks like it.
I work so many forums that I forget where I have seen things.

Simon.

chetweewax

04.23.2008 at 06:04AM PDT, ID: 21420163

This rule is something I did create for my own email account, then exported it and sent it to all of the company employees and recommended they imort it if they are having the same problems.

Why is this not something that can implemented from the server for all users, and save us, the administrators all these headaches.

Sembee

04.23.2008 at 09:42AM PDT, ID: 21422679

Rules are client side in most cases because Outlook has to read the message. The closest you can get to server side rules is event sinks, but that will require some programming skills and may not detect everything.
Exchange 2007 introduces a rules system, but even that would struggle to pick up everything.

Simon.

20080236-EE-VQP-29 / EE_QW_2_20070628