• Status: Solved

Queue has postmaster@domain.com

Hi Experts,
I have noticed a lot of postmaster@domain.com NDR emails in our Exchange 2003 SP2 queue.

These emails are all from different .biz domains (is .biz real?). I delete these emails from the queue, selecting "without NDR", and they come back. We have an outsourced spam filter that stops spam from entering our domain, or at least most of it.
Is this spam? An internal virus on a PC sending these out? How are these emails generated, internally or externally?
I can't seem to permanently stop them.
Here is an example.
From the queue I open the email and the From has
postmaster@domain.org
The recipient is
Envelope Recipients:
SMTP:henry@pradella.biz;
2 Solutions
 
amaheshwariCommented:

When you look at your outbound queues, who is the sender? If it is <>, or Administrator, it is usually NDRs your server is trying to deliver. If this is the case, then I'd recommend turning on recipient filtering so that mail will only be accepted for legitimate users. To filter recipients who are not in the directory, go to Global Settings, Message Delivery Properties, Recipient Filtering tab. Check the box to filter recipients not in the directory. Next, go to the properties of your SMTP Virtual Server. Under IP address, click Advanced, then click Edit, then check the box to enable the recipient filter.
 
amaheshwariCommented:
The following article describes how to prevent exchange 2003 server from
accepting undeliverable email and therefore would reduce the amount of items
in your badmail folder.

http://support.microsoft.com/defaul...kb;en-us;823866

The following article disables Non Delivery Reports in Exchange 2000/2003
(NOTE
this will not prevent items from being accepted and moved to your Bad Mail
folder)

http://support.microsoft.com/defaul...kb;en-us;294757
 

 
talltreeAuthor Commented:
hi amaheshwari
The sender is the postmaster. Is .biz a legitimate domain suffix? So this is not spam or an outbound virus. If it is our email server trying to deliver these emails, where do these emails originate from?
thanks
 
talltreeAuthor Commented:
Also, how risky is a harvest attack?
 
SembeeCommented:
If it is postmaster@ then it is probably an NDR attack. That is where messages are sent to your server with an invalid user on purpose. The server then bounces back the message to the sender, except the sender is spoofed and is the actual target of the message.

The article above on my web site (amset.info) will help you clear the queues.

The quickest way to deal with this is to use recipient filtering, but it does put you at risk of a directory harvest attack. If you are on Windows 2003 SP1 on the Exchange server then you can use the tar pit to stop directory harvest attacks.

Directory harvest attacks are fairly common. It allows a spammer to discover what email addresses are valid on your domain. This makes their job much easier as they just target live addresses, and the addresses become more valuable because they are known to exist. The amount of spam that you receive will therefore increase, because the spammer is working to a known list.
Put it this way, if you are on Windows 2000 with Exchange 2003 then I don't recommend that you use recipient filtering.

Simon.
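To make the mechanism Simon describes concrete, here is a small Python model of the SMTP exchange. It is an added example, not code from this thread or from Exchange: a server that answers 250 to any RCPT TO for its own domain and only discovers the missing mailbox after DATA (so it must bounce to the spoofed sender) is compared with one that rejects unknown recipients at RCPT TO and delays that rejection (the tar pit). The domain, the mailbox list, the guessed recipients and the session are constructed.

```python
"""Backscatter (NDR) attack model: a spammer connects straight to the
server, uses the real victim as MAIL FROM and sends to local addresses that
do not exist. Added example; example.com, the DIRECTORY set and the session
are constructed, not taken from the thread."""
import time
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                              # assumed local domain
DIRECTORY = {"alice@example.com", "bob@example.com"}      # constructed mailbox list


@dataclass
class MailServer:
    recipient_filtering: bool         # reject unknown local users at RCPT TO?
    tarpit_seconds: float = 0.0       # delay before each 5xx reply (tar pit)
    delivered: list = field(default_factory=list)        # accepted for real users
    outbound_queue: list = field(default_factory=list)   # NDRs waiting to go out

    def rcpt(self, sender, recipient):
        """Reply to one RCPT TO command."""
        if not recipient.lower().endswith("@" + LOCAL_DOMAIN):
            return "550 5.7.1 Unable to relay"            # open relay is a separate problem
        if self.recipient_filtering and recipient.lower() not in DIRECTORY:
            time.sleep(self.tarpit_seconds)                # slow down directory harvesting
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient OK"                    # accepted without any lookup

    def data(self, sender, recipient, body):
        """End of DATA: the server now owns the message."""
        if recipient.lower() in DIRECTORY:
            self.delivered.append((sender, recipient, body))
        else:
            # The categorizer finds no mailbox. All that is left is to bounce,
            # and the bounce goes to the spoofed sender: the spammer's real target.
            self.outbound_queue.append({
                "from": "postmaster@" + LOCAL_DOMAIN,
                "to": sender,
                "body": "Your message did not reach some or all of its intended "
                        "recipients.\n\n" + body,
            })
        return "250 2.6.0 Queued"


def run_attack(server, victim, probes=3):
    """One spammer session against `server`. Returns the client/server transcript."""
    log = []
    for i in range(probes):
        target = f"nobody{i}@{LOCAL_DOMAIN}"               # guessed, non-existent user
        log.append(f"C: MAIL FROM:<{victim}>")
        log.append("S: 250 2.1.0 Sender OK")
        log.append(f"C: RCPT TO:<{target}>")
        reply = server.rcpt(victim, target)
        log.append("S: " + reply)
        if reply.startswith("250"):
            log.append("C: DATA ... spam payload ... <CRLF>.<CRLF>")
            log.append("S: " + server.data(victim, target, "spam payload"))
        else:
            log.append("C: RSET")
            log.append("S: 250 2.0.0 Resetting")
    return log


if __name__ == "__main__":
    for filtering in (False, True):
        srv = MailServer(recipient_filtering=filtering)
        for line in run_attack(srv, "henry@pradella.biz"):
            print(line)
        print(f"recipient_filtering={filtering}: "
              f"{len(srv.outbound_queue)} NDR(s) queued for the spoofed sender\n")
```

With filtering off, every probe ends with an NDR from postmaster@ to the spoofed sender, which is exactly what sits in the outbound queue; with filtering on, the spammer gets a 550 at RCPT TO and nothing is ever queued. On Windows Server 2003 SP1 the real tar pit is the TarpitTime value (seconds) under HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters, described in Microsoft KB 842851; it only delays the 5xx reply, so it matters only once recipient filtering is on.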
 
talltreeAuthor Commented:
Hi Sembee,
Great info, thank you. We do have an inbound spam filter called Postini that should stop all inbound spam, or the majority of it. So NDRs are not generated internally by an infected PC or server. What is gained by an NDR attack, and also does the .biz suffix exist?
Thanks
 
SembeeCommented:
The .biz tld does exist. It isn't widely used by many legitimate companies - they prefer to have a .com or a country TLD (like .co.uk). This is the registrar for .biz: http://www.neulevel.biz/
Unfortunately spammers seem to be the highest users of the .biz TLD.

The gain from an NDR attack is that it has a very high chance of success.
If you are running Exchange 2000 or older, or Exchange 2003 on Windows 2000, then you don't have much defence from an NDR attack using built in tools. People will suggest disabling NDRs, but that doesn't fix the problem - it simply masks the symptoms. Plus NDRs have a legitimate use and I don't like to disable them under any circumstances.

Simon.
 
talltreeAuthor Commented:
hi Sembee,
Bottom line is I cannot do anything with them except delete them from the queue? What is the harm that is caused by the NDR attack: slows bandwidth? Collecting data?? etc.
Thanks
 
SembeeCommented:
You wait for the NDR messages to time out. They will do that eventually.
What you are seeing though are the messages that have failed to deliver. There will be messages that have successfully delivered using that method.
You could get blacklisted.

Plus do you want to be seen tolerating spammers sending messages through your server? Taking your bandwidth?

Simon.
 
talltreeAuthor Commented:
So wait until they time out, do not delete them? There will be messages that have successfully delivered using what method? Deleting them? We could get blacklisted by deleting them?? Sorry Simon, I am not following your advice. What should be done, if anything can be done?
 
SembeeCommented:
Have you read my web page shown above?

The NDR messages will clear themselves. However if the attack is ongoing, then you will never see the queue clear.

Doing nothing isn't really an option.

The reason you have messages sitting in the queues is because they have failed to be delivered - usually because the receiving server is not allowing the message to be delivered.

Simon.
 
talltreeAuthor Commented:
Yes, thank you. We are not relaying that I can tell; we only allow computers on the list below, and we enter the servers that have rights to relay. I turned on the Exchange transport and will check the event logs to see if an authenticated user is relaying.
 
SembeeCommented:
It will not be an authenticated user relaying.

NDR relay doesn't require a compromised account. It is taking advantage of what all SMTP servers will do - and that is return the message to the sender.

Simon.
 
talltreeAuthor Commented:
Simon, why wouldn't our Postini spam filter stop these (inbound)?
 
SembeeCommented:
They didn't come in through your Postini service. They came straight to the SMTP Server. The spammer doesn't use your MX records, they just scan a range of IP addresses looking for SMTP servers to bounce the messages off.
I believe that Postini recommend that restrictions are placed on the SMTP virtual server, to control who can connect to it. Have you made those restriction changes?

Simon.
 
talltreeAuthor Commented:
hi Simon,
Now the picture is clearing up. I could not get how the emails are coming in, because all our MX records point to Postini.
So if I only allow Postini's IP range in the SMTP virtual server Access, Connection Control, it should stop the NDR messages?
 
talltreeAuthor Commented:
One more thing, Simon: I do know we only allow the Postini IP range into our firewall on SMTP port 25. I wonder how it gets around the firewall.
 
SembeeCommented:
Are you sure about that?
Have you actually tested that from outside?

Do a telnet test from a machine outside your network: http://www.amset.info/exchange/telnet-test.asp

Simon.
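The check Simon is asking for, written as a Python script instead of a manual telnet session. This is an added example, not the amset.info procedure: run from a host outside your network, it connects to port 25, sends EHLO and MAIL FROM, then one RCPT TO for a recipient that cannot exist in your domain, and reports a verdict without ever sending DATA (so nothing is queued on the server). HOST, LOCAL_DOMAIN and HELO_NAME are placeholders you replace with your own values.

```python
"""External SMTP probe: is port 25 reachable from outside at all, and does the
server accept mail for a recipient that does not exist (i.e. will it bounce)?
Added example. HOST, LOCAL_DOMAIN and HELO_NAME are placeholders."""
import smtplib
import time

HOST = "mail.example.com"        # placeholder: the Exchange server's public address
LOCAL_DOMAIN = "example.com"     # placeholder: a domain the server accepts mail for
HELO_NAME = "probe.example.net"  # placeholder: the name this probe announces itself with


def classify(connected, rcpt_code):
    """Turn what was observed into one verdict string.

    connected: whether the SMTP session was established at all
    rcpt_code: the 3-digit reply to RCPT TO, or None if that point was never reached"""
    if not connected:
        return "blocked: port 25 not reachable from here (connection restriction works)"
    if rcpt_code is None:
        return "unknown: session opened but no reply to RCPT TO"
    if 200 <= rcpt_code < 300:
        return "accepts unknown recipients: the server will bounce later (backscatter source)"
    if 500 <= rcpt_code < 600:
        return "rejects unknown recipients at RCPT TO (recipient filtering, or relay denied)"
    if 400 <= rcpt_code < 500:
        return "temporary failure at RCPT TO: greylisting or tar pit, retry later"
    return f"unexpected reply code {rcpt_code}"


def probe(host=HOST, domain=LOCAL_DOMAIN, port=25, timeout=15):
    """Run from a machine OUTSIDE the network; returns classify()'s verdict."""
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=HELO_NAME, timeout=timeout)
    except (OSError, smtplib.SMTPException):
        return classify(False, None)           # refused, filtered, or no SMTP banner
    rcpt_code = None
    try:
        smtp.ehlo_or_helo_if_needed()
        smtp.mail("probe@" + HELO_NAME)
        # A recipient nobody could have created. We never send DATA, so the
        # server has nothing to queue or bounce because of this probe.
        bogus = f"probe-{int(time.time())}-does-not-exist@{domain}"
        rcpt_code, _ = smtp.rcpt(bogus)
        smtp.rset()
    except (OSError, smtplib.SMTPException):
        pass                                   # e.g. a tar pit exceeding the timeout
    finally:
        try:
            smtp.quit()
        except (OSError, smtplib.SMTPException):
            pass
    return classify(True, rcpt_code)


if __name__ == "__main__":
    print(probe())
```

A 550 can mean either "User unknown" or "Unable to relay"; if you probe a domain the server does not consider local you will see the latter, so read the reply text when the verdict is "rejects". The verdict you want after restricting the SMTP virtual server to the Postini range is "blocked"; anything else means the spammer can still connect directly.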
 
talltreeAuthor Commented:
Telnet is blocked also; I had tried that one another time, using your document, wanting to test for the relay, and could not establish a telnet session. I did enter the IP range into the Exchange server itself this afternoon and will see if it stops them. The existing ones in the queue, I will wait for them to time out, correct?
 
SembeeCommented:
You either need to wait for the timeout, or use the technique to clear the queues that is outlined in my article.

Simon.
 
talltreeAuthor Commented:
Hi Simon, cleared them out last night; this morning I have some again, same address.
I entered in the Exchange server to only allow the Postini IP range. Maybe I should try clearing the queue again?
 
SembeeCommented:
The queue can take three or four attempts to clear. ESM is notorious for not showing the true extent of the queued messages when they have been hit with a large number of messages in one go.

Did you restart the SMTP service after making the restriction changes? If the spammer has maintained a connection then the messages could continue to flow in. You need to restart the service so that any inbound connections are cut.

Simon.
 
talltreeAuthor Commented:
hi Simon,
Yes I did, thanks, but they are back today. We are sniffing/mirroring the port of the Exchange server today with Ethereal. Should we be able to see these emails (NDR) from the postmaster to the spammers, or see where they are generated from, internal or external?
Thanks for all your help
 
SembeeCommented:
Have you turned on the filtering unknown users? That kills these sorts of attacks stone dead. If you are running Exchange 2003 on Windows 2000, then you should use something else to do recipient filtering. I have recently been playing with ORF from Vamsoft which looks very nice.

Simon.
 
talltreeAuthor Commented:
Hi Simon, yes we have Exchange 2003 and Windows 2000, so I did not turn on the recipient filtering. Do you know if I will be able to view these emails with a sniffer??
 
SembeeCommented:
You can't.
The messages will be coming as a normal messages.
The outbound messages will be stuck.

If you think you are still under attack, get hold of the eval version of an antispam tool and put it on the server. That will let you deal with the initial flood. If it then proves its worth, buy the application. I think ORF is less than $200 per server.

Simon.
 
talltreeAuthor Commented:
If they come in as normal messages, shouldn't I be able to view in the sniffer who it is from?
For example, the .biz emails I see in the outbound queue?
 
SembeeCommented:
I don't see how sniffing the message traffic is going to help.
Every message will have a different "from" address on it, as they are spoofed. Your best chance will be to spot the IP address that they are coming in from. Trying to use the email address is a moving target. Remember - what you are seeing in the queues are the messages that have failed to bounce. Messages that were successful (if the target is correct) will have already gone.

Simon.
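Spotting the connecting IP, as Simon suggests, does not need a sniffer: the bounced original inside each queued NDR carries the Received: header that your own server stamped when it accepted the message, and that header names the host that connected. The Python below is an added example (not from the thread): it pulls that IP from each original, counts per source, and flags every source outside the range that should be the only one allowed to reach port 25. The sample headers, host names and the allowed CIDR are constructed; substitute Postini's published addresses for the placeholder range.

```python
"""Where is the backscatter really coming from? Read the Received: header our
own server wrote on each bounced original, count per connecting IP and flag
anything outside the allowed relay range. Added example; the messages, host
names and ALLOWED_SOURCES are constructed / assumed."""
import ipaddress
import re
from collections import Counter

# Assumed: only the filtering service's relays may connect to port 25 (hypothetical range).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
OUR_HOST = "mail.example.com"          # assumed: the name our server writes after "by"

# Shape of the header IIS/Exchange 2003 SMTPSVC writes:
#   Received: from <helo> ([<ip>]) by <our host> with Microsoft SMTPSVC(...); <date>
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)

# Constructed sample: the originals as they appear inside queued NDRs.
SAMPLE_ORIGINALS = [
    "Received: from mx-out.filter.example ([203.0.113.5]) by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Mon, 12 Jun 2006 09:01:10 -0400\nFrom: vendor@partner.example\nTo: alice@example.com\n",
    "Received: from pradella.biz ([198.51.100.7]) by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Mon, 12 Jun 2006 09:02:31 -0400\nFrom: henry@pradella.biz\nTo: nobody1@example.com\n",
    "Received: from smtp.example.biz ([198.51.100.7]) by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Mon, 12 Jun 2006 09:02:32 -0400\nFrom: other@example.biz\nTo: nobody2@example.com\n",
    "Received: from relay ([192.0.2.33]) by mail.example.com with Microsoft SMTPSVC(6.0.3790.1830);\n"
    " Mon, 12 Jun 2006 09:05:00 -0400\nFrom: someone@example.org\nTo: nobody3@example.com\n",
    "Subject: a message with no Received header at all\n",
]


def connecting_ip(original):
    """IP of the host that handed this message to OUR_HOST, or None if not found."""
    for m in RECEIVED_RE.finditer(original):
        if m.group("by").lower().startswith(OUR_HOST):   # ignore hops before ours
            return m.group("ip")
    return None


def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def source_report(originals):
    """Return ({ip: count}, [ips outside ALLOWED_SOURCES, busiest first])."""
    counts = Counter(ip for ip in map(connecting_ip, originals) if ip)
    offenders = [ip for ip, _ in counts.most_common() if not is_allowed(ip)]
    return dict(counts), offenders


if __name__ == "__main__":
    counts, offenders = source_report(SAMPLE_ORIGINALS)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        note = "" if is_allowed(ip) else "  <-- not an allowed relay: block at firewall / SMTP VS"
        print(f"{ip:16} {n:4}{note}")
```

The "From:" address changes on every message, as Simon says; the connecting IP does not, and any source that is not one of the allowed relays is a host talking to the server directly, which the firewall and the SMTP virtual server's connection control should be stopping.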
 
talltreeAuthor Commented:
Hi Simon,
We actually added an SMTP PROXY Service to the firewall, which has helped quiet down the NDR messages.
Thank you and amaheshwari for all the help; I will distribute the points.
amaheshwari 175
Sembee          325
 
amaheshwariCommented:
Sorry to say I have not received any points.

But anyway, it is good to see that your problem is sorted out.

Thanks.
 
talltreeAuthor Commented:
hi amaheshwari,
Sorry, how do I give you the points? Can I reopen the case?
 
talltreeAuthor Commented:
Thanks guys, but the emails have returned.
