I am getting a whole bunch of these messages... please help!? Exch2k3... looks like spam NDR-ing

Exchange 2k3, all service packs, with spam and antivirus (Symantec).

I am having NDRs forwarded to me.  While this is OK, I have configured the Exchange server to delete some of these messages immediately if they are to specific addresses that I know don't exist.  If that is the case, should I still be getting NDRs for them?  Or are they usually deleted by spam software like Symantec after the NDR hits?

Also, I got about 50 of these in one night to all different names that don't exist at my organization.  Does this mean I am under attack?  Is it affecting performance of the server?  How best should I handle these?  Ignore them?  Is anyone familiar with getting lots of these?

"Your message did not reach some or all of the intended recipients.

Subject: Virus Found in message "Test"
Sent: 4/21/2006 3:31 PM

The following recipient(s) could not be reached:

  mary@mycompany.com on 6/17/2006 12:39 PM
  The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
  <server.mycompany.com #5.1.1> "

Thank you.
Asked:
Sp0cky
Imtiaz HashamCommented:
One answer is usually that your email address is in BCC; the other is that, as you might be the administrator for the Exchange server, any mail for unnamed accounts is sent to you.

This is classified as SPAM!
 
jhanceCommented:
>Does this mean I am under attack?  

No, it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.

>Is it affecting performance of the server?  

Of course.  It increases the processing load and clogs up your network.

>How best should I handle these?  Ignore them?  

Yes; there is little, if anything, you can do.  Just be sure they don't collect in some mailbox and fill up your hard drive.  Also make sure you don't compound the problem by sending out NDRs for the NDRs.  Some people do that sort of thing.

>Is anyone familiar with getting lots of these?

Just about anyone who runs a mail server has this happen at one time or another.
 
Rick HobbsRETIREDCommented:
Symantec works pretty well, but I have found the best solution is relatively inexpensive.  When your Symantec gets out of date or you feel you have gotten a decent return on your investment, consider an appliance. The Barracuda Networks appliances (http://www.barracudanetworks.com/ns/?L=en) do an excellent job and stop the attacks and spam before they get to your mail server.  McAfee has the WebShield appliance and it also does an excellent job.

Spammers are constantly trying to find new places to send their crap and the methods you are describing are totally normal.
 
Sp0ckyAuthor Commented:
"that as you might be the administrator for the exchange server hence any mail for unnamed accounts are sent to you."

Thanks.  I am aware of this and it is my intention to get these forwarded to me.  My concern was whether this is something to be concerned about.

"it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.  Of course.  It increases the processing load and clogs up your network.  there is little, if anything you can do.  Just be sure they don't collect in some mailbox and fill up your hard drive.  Also make sure you don't compound the problem by sending out NDRs for the NDRs.  Some people do that sort of thing."

Thank you jhance.  Let me make sure I understand.  My server is sending back an NDR to the sender telling them that there is no such name.  So either way, I am responding to them with an NDR.  Did I get that right?

As to the rest of your answer, that makes sense.  Thanks for your input.  I will let the question run a bit longer and then award points.

 
Sp0ckyAuthor Commented:
Oh, and what is "BCC"?
 
Rick HobbsRETIREDCommented:
BCC = Blind Carbon Copy
 
Rick HobbsRETIREDCommented:
Oh, another thing.  A lot of NDRs are generated by virus infections on other people's PCs.  Some of them spoof random addresses; some of them steal the address books of infected PCs.
 
jhanceCommented:
>>My server is sending back an NDR to the sender telling them that there is no such name

No, you should NOT do that.  Two reasons:

1) The "sender" is likely NOT the real sender.  So you're sending a notification to someone who had nothing to do with this and cannot do anything about it.

2) You are simply adding to the problem by assisting in the further propagation of SPAM.  Some spammers actually USE the NDR technique to send SPAM.  Since many sites block SPAM using various ways, this is a "back-door" that gets the SPAM in.

My advice is to re-configure your email server NOT to send NDRs from any email that it cannot deliver itself and didn't originate at your system.  If one of your users sends to a bogus address, then your system should send them an NDR.  If, however, your server gets an NDR for one of your users from outside, it's probably bogus and should be discarded.  It's a subtle point but is at the heart of this issue.
 
SembeeCommented:
If you are running Exchange 2003 on Windows 2003, then your best option would be to configure recipient filtering. That will stop any email messages destined for users who are unknown on your server from being delivered to the server.

If someone sends a legitimate email with a misspelling then it will bounce back immediately. They will see the error and correct it, or phone up to get the correct address. The email messages will not sit in the queues waiting to be delivered.

http://www.amset.info/exchange/filter-unknown.asp

Unfortunately what you are seeing is very common and is down to the design of the SMTP system. There is no verification that the server sending the email is valid for that address. I could send you an email message which looks like it has come from Bill Gates at Microsoft. You would have to look at the SMTP headers to see that the message didn't originate from Microsoft.

Innovations like SPF are supposed to deal with this issue, but they are not widely adopted enough to use as an effective tool to block email messages; the most you can use them for is to score spam for filtering elsewhere.

Simon.
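To make the two pieces of advice above concrete (jhance's "no NDRs for mail that didn't originate here" and Sembee's recipient filtering at the RCPT TO stage), here is a small added Python model of an SMTP receiving policy. It is example code written for this thread, not anything from Exchange or the posters; the local user directory, the forged "spam run" and the reply strings are constructed for illustration.

```python
# Added example (not from the thread or from Exchange): a small model of
# the RCPT TO stage and NDR policy, to show why recipient filtering and
# "no NDRs for external mail" both stop backscatter.
LOCAL_DOMAIN = "mycompany.com"
LOCAL_USERS = {"bob", "alice"}              # constructed directory
# Constructed spam run: forged sender, guessed names at our domain.
SPAM_RUN = ["mary@mycompany.com", "bob@mycompany.com", "zz9@mycompany.com"]

def rcpt_response(rcpt, recipient_filtering):
    """SMTP reply to one RCPT TO. With recipient filtering on, an unknown
    local mailbox is refused inside the session (550 5.1.1), so the
    connecting server owns the failure and we never create an NDR."""
    user, _, domain = rcpt.lower().partition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if recipient_filtering and user not in LOCAL_USERS:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"

def ndr_targets(mail_from, undeliverable, from_local_client, bounce_external):
    """Undeliverable recipients an NDR would be sent about, to mail_from.
    bounce_external=True is the accept-then-bounce behaviour the asker is
    seeing; False is jhance's policy: bounce only mail our own users
    submitted, discard the rest (the MAIL FROM is probably forged).
    A null reverse path is never bounced."""
    if mail_from in ("", "<>"):
        return []
    if not from_local_client and not bounce_external:
        return []
    return list(undeliverable)

def simulate(mail_from, rcpts, recipient_filtering, from_local_client,
             bounce_external=True):
    """Return ({recipient: SMTP reply}, [recipients an NDR is sent for])."""
    replies = {r: rcpt_response(r, recipient_filtering) for r in rcpts}
    accepted = [r for r, rep in replies.items() if rep.startswith("250")]
    # Nonexistent mailboxes accepted at RCPT are only found after DATA;
    # that late discovery is what forces an NDR to the (forged) sender.
    undeliverable = [r for r in accepted
                     if r.split("@")[0].lower() not in LOCAL_USERS]
    return replies, ndr_targets(mail_from, undeliverable,
                                from_local_client, bounce_external)

if __name__ == "__main__":
    for filtering, bounce in ((False, True), (False, False), (True, True)):
        _, ndrs = simulate("victim@example.net", SPAM_RUN, filtering, False, bounce)
        print(f"filtering={filtering} bounce_external={bounce} -> NDRs: {ndrs}")
```

With filtering off and bounce_external on, the forged sender receives two NDRs (the backscatter the asker is seeing); either fix brings that to zero, while a local user's typo still gets a bounce.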
 
Imtiaz HashamCommented:
We've had this at some point but they are all gone now... don't worry too much about them...