
Exchange 2003 with SP2 reverse NDR attack

We are being attacked by someone exploiting the reverse NDR issue in Exchange 2003. I have followed all the instructions at http://support.microsoft.com/default.aspx?scid=kb;EN-US;886208, but Exchange still sends out NDRs for email addresses that are not valid in the domain.

I have checked and triple checked the settings and they are correct according to the KB article. Is there something else that could be causing this?

The server is an SBS 2003 machine with all the latest service packs installed. There are no ports open on the firewall/router, and Exchange is configured to POP email from a catch-all account.

1 Solution
You can turn off NDRs by opening the properties of your default Internet Message Format in ESM. It's on the Advanced tab. NDRs are an important part of email messaging, though, and turning them off should only really be a temporary measure.

Also, have a look at your Message Delivery properties on the Recipient Filtering tab, make sure the 'Filter recipients who ...' checkbox is selected.
Don't allow the mail to come inside your Exchange if there is no such recipient in your directory. Use a filter based on recipient, as suggested by Leederbyshire.
I just want to give you the link so that it would be easier for you.

Let us know if it helped... :)

I hate spam!!!!

If you are using recipient filtering, then you also need to enable tarpit. (http://support.microsoft.com/default.aspx?kbid=842851)
Make sure that you have enabled recipient filtering on the SMTP virtual server as well.

However, ESM is notorious for not showing the true extent of the queues when attacks like this are under way. The situation could be that the measures you have taken have dealt with the problem, but the queues are taking their time to flush.

My spam cleanup article can help with cleaning the queues: http://www.amset.info/exchange/spam-cleanup.asp
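To show why the recipient filtering and tarpit advice above stops the reverse NDR attack, here is a small model (added for this thread, not code from any poster or from Exchange) of an inbound SMTP transaction under the two policies. The directory, addresses, messages and tarpit value are constructed, and the tarpit delay is only recorded in the transcript rather than actually slept.

```python
"""Model of how a mail gateway's recipient-acceptance policy decides whether a
reverse-NDR (backscatter) attack succeeds.  Constructed illustration, not
Exchange code: the directory, addresses and messages below are made up."""
from dataclasses import dataclass, field

# Constructed directory of valid local mailboxes.
DIRECTORY = {"alice@example.com", "bob@example.com"}


@dataclass
class Session:
    """Transcript of one inbound SMTP transaction plus any mail it causes."""
    log: list = field(default_factory=list)       # "C:"/"S:" protocol lines
    outbound: list = field(default_factory=list)  # (to, subject) we would send


def handle_message(mail_from, rcpt_to, recipient_filtering, tarpit_seconds=0):
    """Accept an inbound message under one of two policies.

    recipient_filtering=False: accept every RCPT for the local domain, then
    generate an NDR for each unknown user.  The NDR goes to MAIL FROM, which
    the attacker forges, so the gateway becomes a relay for bounce spam.

    recipient_filtering=True: reject unknown users at RCPT TO with 550 (after
    a tarpit delay), so nothing is accepted and no NDR is ever created.
    """
    s = Session()
    s.log.append(f"C: MAIL FROM:<{mail_from}>")
    s.log.append("S: 250 OK")
    accepted = []
    for rcpt in rcpt_to:
        s.log.append(f"C: RCPT TO:<{rcpt}>")
        known = rcpt in DIRECTORY
        if recipient_filtering and not known:
            if tarpit_seconds:
                s.log.append(f"S: [tarpit: {tarpit_seconds}s delay before reply]")
            s.log.append("S: 550 5.1.1 User unknown")  # rejected in-session
            continue
        s.log.append("S: 250 OK")
        accepted.append((rcpt, known))
    if accepted:
        s.log.append("C: DATA ... S: 250 Queued")
        for rcpt, known in accepted:
            if not known:
                # Accepted but undeliverable: an NDR goes back to MAIL FROM.
                s.outbound.append((mail_from, f"Undeliverable: {rcpt}"))
    return s
```

Run `handle_message("victim@forged.example", ["zzz@example.com", "alice@example.com"], recipient_filtering=False)` and the forged sender receives one NDR; with `recipient_filtering=True` the transcript shows a 550 for the unknown user and `outbound` stays empty.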


Snaggle (Author) commented:
I have enabled the tarpit option as you suggested and that seems to have fixed the problem. Our ISP has re-enabled our account and the problem has gone away.

I am also under NDR attack, have done all the suggestions, and am still getting NDRs. What to do!!!!
Not posting in a question that is over two years old would be a good start.
It isn't possible to bump the question, so no one else will see it other than those who have already posted to it. Therefore I suggest that you ask your question fresh, which will allow active experts to see it.

