I am getting a whole bunch of these messages... please help!? Exch2k3, looks like spam NDR-ing

Exchange 2k3, all service packs, with spam and antivirus (Symantec).

I am having NDRs forwarded to me. While this is OK, I have configured the Exchange server to delete some of these messages immediately if they are to specific addresses that I know don't exist. If that is the case, should I still be getting NDRs for them? Or are they usually deleted by spam software like Symantec after the NDR hits?

Also, I got about 50 of these in one night, to all different names that don't exist at my organization. Does this mean I am under attack? Is it affecting performance of the server? How best should I handle these? Ignore them? Is anyone familiar with getting lots of these?

"Your message did not reach some or all of the intended recipients.

Subject: Virus Found in message "Test"
Sent: 4/21/2006 3:31 PM

The following recipient(s) could not be reached:

  mary@mycompany.com on 6/17/2006 12:39 PM
  The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
  <server.mycompany.com #5.1.1> "

Thank you.
Sp0cky Asked:
Sembee Commented:
If you are running Exchange 2003 on Windows 2003, then your best option would be to configure recipient filtering. That will stop any email messages destined for users who are unknown on your server from being delivered to the server.

If someone sends a legitimate email with a misspelling then it will bounce back immediately. They will see the error and correct it, or phone up to get the correct address. The email messages will not sit in the queues waiting to be delivered.

http://www.amset.info/exchange/filter-unknown.asp

Unfortunately what you are seeing is very common and is down to the design of the SMTP system. There is no verification that the server sending the email is valid for that address. I could send you an email message which looks like it has come from Bill Gates at Microsoft. You would have to look at the SMTP headers to see that the message didn't originate from Microsoft.

Innovations like SPF are supposed to deal with this issue, but they are not widely adopted enough to use as an effective tool to block email messages - the most you can use them for is to score spam for filtering elsewhere.

Simon.
0
 
Imtiaz Hasham (Technical Director / IT Consultant) Commented:
One answer is usually that your email address is in BCC; the other answer is that, as you might be the administrator for the Exchange server, any mail for unnamed accounts is sent to you.

This is classified as SPAM!
0
 
jhance Commented:
>Does this mean I am under attack?  

No, it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.

>Is it affecting performance of the server?  

Of course.  It increases the processing load and clogs up your network.

>How best should I handle these?  Ignore them?  

Yes, there is little, if anything, you can do. Just be sure they don't collect in some mailbox and fill up your hard drive. Also make sure you don't compound the problem by sending out NDRs for the NDRs. Some people do that sort of thing.

>Is anyone familiar with getting lots of these?

Just about anyone who runs a mail server has this happen at one time or another.
0
 
Rick Hobbs (RETIRED) Commented:
Symantec works pretty well, but I have found the best solution is relatively inexpensive. When your Symantec gets out of date or you feel you have gotten a decent return on your investment, consider an appliance. The Barracuda Networks appliances (http://www.barracudanetworks.com/ns/?L=en) do an excellent job and stop the attacks and spam before they get to your mail server. McAfee has the Webshield appliance and it also does an excellent job.

Spammers are constantly trying to find new places to send their crap and the methods you are describing are totally normal.
0
 
Sp0cky (Author) Commented:
"that as you might be the administrator for the exchange server hence any mail for unnamed accounts are sent to you."

Thanks. I am aware of this and it is my intention to get these forwarded to me. My concern was whether this is something to be concerned about.



"it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.  Of course.  It increases the processing load and clogs up your network.  there is little, if anything you can do.  Just be sure they don't collect in some mailbox and fill up your hard drive.  Also make sure you don't compound the problem by sending out NDRs for the NDRs.  Some people do that sort of thing."

Thank you jhance.  Let me make sure I understand.  My server is sending back an NDR to the sender telling them that there is no such name.  So either way, I am responding to them with an NDR.  Did I get that right?

As to the rest of your answer, that makes sense.  Thanks for your input.  I will let the question run a bit longer and then award points.

0
 
Sp0cky (Author) Commented:
Oh, and what is "BCC"?
0
 
Rick Hobbs (RETIRED) Commented:
BCC=Blind Carbon Copy
0
 
Rick Hobbs (RETIRED) Commented:
Oh, another thing. A lot of NDRs are generated by virus infections on other people's PCs. Some of them spoof random addresses, some of them steal the address books of infected PCs.
0
 
jhance Commented:
>>My server is sending back an NDR to the sender telling them that there is no such name

No, you should NOT do that.  Two reasons:

1) The "sender" is likely NOT the real sender.  So you're sending a notification to someone who had nothing to do with this and cannot do anything about it.

2) You are simply adding to the problem by assisting in the further propagation of SPAM.  Some spammers actually USE the NDR technique to send SPAM.  Since many sites block SPAM using various ways, this is a "back-door" that gets the SPAM in.

My advice is to re-configure your email server NOT to send NDRs from any email that it cannot deliver itself and didn't originate at your system.  If one of your users sends to a bogus address, then your system should send them an NDR.  If, however, your server gets an NDR for one of your users from outside, it's probably bogus and should be discarded.  It's a subtle point but is at the heart of this issue.
0
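A toy model of the choice Sembee and jhance describe above (refuse unknown recipients during the SMTP session, or accept everything and bounce to a forged envelope sender later), added here as an illustration; it is not Exchange code and was not posted in the thread. The domain, the two mailboxes and the forged sender address are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample directory for the example; not a real organisation.
LOCAL_DOMAIN = "mycompany.com"
VALID_MAILBOXES = {"alice@mycompany.com", "bob@mycompany.com"}


@dataclass
class Gateway:
    """Toy inbound SMTP gateway with recipient filtering switchable on or off."""
    recipient_filtering: bool
    ndr_queue: list = field(default_factory=list)   # NDRs this server would send out
    transcript: list = field(default_factory=list)  # SMTP dialogue for inspection

    def rcpt_to(self, address: str) -> str:
        """Answer one RCPT TO command; returns the SMTP reply line."""
        self.transcript.append(f"C: RCPT TO:<{address}>")
        addr = address.lower()
        if not addr.endswith("@" + LOCAL_DOMAIN):
            reply = "550 5.7.1 Unable to relay"        # not an open relay
        elif addr not in VALID_MAILBOXES and self.recipient_filtering:
            # Refused inside the session: the sending MTA reports the failure to
            # its own user, and this server never has to generate an NDR.
            reply = "550 5.1.1 User unknown"
        else:
            reply = "250 2.1.5 Recipient OK"
        self.transcript.append("S: " + reply)
        return reply

    def deliver(self, mail_from: str, recipients: list) -> int:
        """Process one message; returns how many NDRs it caused us to send."""
        before = len(self.ndr_queue)
        for rcpt in recipients:
            if not self.rcpt_to(rcpt).startswith("250"):
                continue
            if rcpt.lower() not in VALID_MAILBOXES:
                # Accepted at SMTP time, found undeliverable afterwards: the only
                # place left to report it is the envelope sender. Spam forges
                # MAIL FROM, so this NDR lands on an uninvolved third party.
                self.ndr_queue.append({"to": mail_from, "failed": rcpt, "status": "5.1.1"})
        return len(self.ndr_queue) - before


def backscatter_from_spam_run(recipient_filtering: bool) -> int:
    """The thread's scenario: 50 messages to names that don't exist here, all
    with a forged envelope sender (constructed address)."""
    gw = Gateway(recipient_filtering)
    bogus = [f"mary{i}@{LOCAL_DOMAIN}" for i in range(50)]
    return gw.deliver("forged-victim@example.net", bogus)
```

With filtering off the run produces 50 NDRs addressed to the forged sender; with filtering on it produces none, and a legitimate sender who misspells an address sees the 5.1.1 refusal from their own mail system instead.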
 
Imtiaz Hasham (Technical Director / IT Consultant) Commented:
We've had this at some point but they are all gone now... don't worry too much about them...
0