Exchange 2003 with SP2 reverse NDR attack

Posted on 2006-05-25
Last Modified: 2012-06-21
We are being attacked by someone exploiting the reverse NDR issue in Exchange 2003. I have followed all the instructions at;EN-US;886208, but Exchange still sends out NDRs for email addresses that are not valid in the domain.

I have checked and triple-checked the settings and they are correct according to the KB article. Is there something else that could be causing this?

The server is an SBS 2003 machine with all the latest service packs installed. There are no ports open on the firewall/router and Exchange is configured to POP email from a catch-all account.

Question by:Snaggle
    LVL 31

    Expert Comment

    You can turn off NDRs by opening the properties of your default Internet Message Format in ESM.  It's on the Advanced tab.  NDRs are an important part of email messaging, though, and turning them off should only really be a temporary measure.

    Also, have a look at your Message Delivery properties on the Recipient Filtering tab, and make sure the 'Filter recipients who ...' checkbox is selected.
    LVL 7

    Expert Comment

    Don't allow the mail to come inside your Exchange if there is no such recipient in your directory. Use a filter based on recipient as suggested by Leederbyshire.
    I just want to give you the link so that it would be easier for you.

    Let us know if it helped... :)  

    I hate spams!!!!

    LVL 104

    Accepted Solution

    If you are using recipient filtering, then you also need to enable tarpit.
    Make sure that you have enabled recipient filtering on the SMTP virtual server as well.

    However, ESM is notorious for not showing the true extent of the queues when attacks like this are under way. The situation could be that the measures you have taken have dealt with the problem, but the queues are taking their time to flush.

    My spam cleanup article can help with cleaning the queues:


    Author Comment

    I have enabled the tarpit option as you suggested and that seems to have fixed the problem. Our ISP has re-enabled our account and the problem has gone away.


    Expert Comment

    I am also under NDR attack, have done all the suggestions and am still getting NDRs. What to do!!!!
    LVL 104

    Expert Comment

    Not posting in a question that is over two years old would be a good start.
    It isn't possible to bump a question, so no one else will see the question other than those who have already posted to it. Therefore I suggest that you ask your question fresh, which will allow active experts to see it.

