Solved

I am getting a whole bunch of these messages.. please help!? Exch2k3.. looks like spam NDR'ing

Posted on 2006-06-17
317 Views
Last Modified: 2010-03-19
Exchange 2k3 all svc packs with spam and antivirus (symantec.)

I am having NDRs forwarded to me. While this is OK, I have configured the Exchange server to delete some of these messages immediately if they are addressed to specific addresses that I know don't exist. If that is the case, should I still be getting NDRs for them? Or are they usually deleted by spam software like Symantec after the NDR hits?

Also, I got about 50 of these in one night, to all different names that don't exist at my organization. Does this mean I am under attack? Is it affecting the performance of the server? How best should I handle these? Ignore them? Is anyone familiar with getting lots of these?

"Your message did not reach some or all of the intended recipients.

Subject: Virus Found in message "Test"
Sent: 4/21/2006 3:31 PM

The following recipient(s) could not be reached:

  mary@mycompany.com on 6/17/2006 12:39 PM
  The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
  <server.mycompany.com #5.1.1> "

Thank you.
0
Question by: Sp0cky
10 Comments
Expert Comment by Imtiaz Hasham (LVL 12), ID: 16927457
One answer is, usually, that your email address is in BCC; the other answer is that, as you might be the administrator for the Exchange server, any mail for unnamed accounts is sent to you.

This is classified as SPAM!
0
Expert Comment by jhance (LVL 32), ID: 16927458
>Does this mean I am under attack?  

No, it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.

>Is it affecting performance of the server?  

Of course.  It increases the processing load and clogs up your network.

>How best should I handle these?  Ignore them?  

Yes, there is little, if anything, you can do. Just be sure they don't collect in some mailbox and fill up your hard drive. Also make sure you don't compound the problem by sending out NDRs for the NDRs. Some people do that sort of thing.

>Is anyone familiar with getting lots of these?

Just about anyone who runs a mail server has this happen at one time or another.
0
Expert Comment by rickhobbs (LVL 22), ID: 16928330
Symantec works pretty well, but I have found the best solution is relatively inexpensive. When your Symantec gets out of date or you feel you have gotten a decent return on your investment, consider an appliance. The Barracuda Networks appliances (http://www.barracudanetworks.com/ns/?L=en) do an excellent job and stop the attacks and spam before they get to your mail server. McAfee has the WebShield appliance and it also does an excellent job.

Spammers are constantly trying to find new places to send their crap and the methods you are describing are totally normal.
0
Author Comment by Sp0cky, ID: 16928492
"that as you might be the administrator for the exchange server hence any mail for unnamed accounts are sent to you."

Thanks. I am aware of this and it is my intention to get these forwarded to me. My concern was whether this is something to be concerned about.

"it means that some spammer is sending out SPAM using your domain name and probably bogus usernames.  Of course.  It increases the processing load and clogs up your network.  there is little, if anything you can do.  Just be sure they don't collect in some mailbox and fill up your hard drive.  Also make sure you don't compound the problem by sending out NDRs for the NDRs.  Some people do that sort of thing."

Thank you jhance.  Let me make sure I understand.  My server is sending back an NDR to the sender telling them that there is no such name.  So either way, I am responding to them with an NDR.  Did I get that right?

As to the rest of your answer, that makes sense.  Thanks for your input.  I will let the question run a bit longer and then award points.
0

Author Comment by Sp0cky, ID: 16928493
Oh, and what is "BCC"?
0
Expert Comment by rickhobbs (LVL 22), ID: 16928508
BCC = Blind Carbon Copy
0
Expert Comment by rickhobbs (LVL 22), ID: 16928510
Oh, another thing. A lot of NDRs are generated by virus infections on other people's PCs. Some of them spoof random addresses; some of them steal the address books of infected PCs.
0
Assisted Solution by jhance (LVL 32), jhance earned 150 total points, ID: 16929290
>>My server is sending back an NDR to the sender telling them that there is no such name

No, you should NOT do that.  Two reasons:

1) The "sender" is likely NOT the real sender.  So you're sending a notification to someone who had nothing to do with this and cannot do anything about it.

2) You are simply adding to the problem by assisting in the further propagation of SPAM.  Some spammers actually USE the NDR technique to send SPAM.  Since many sites block SPAM using various ways, this is a "back-door" that gets the SPAM in.

My advice is to re-configure your email server NOT to send NDRs from any email that it cannot deliver itself and didn't originate at your system.  If one of your users sends to a bogus address, then your system should send them an NDR.  If, however, your server gets an NDR for one of your users from outside, it's probably bogus and should be discarded.  It's a subtle point but is at the heart of this issue.
0
Accepted Solution by Sembee (LVL 104), Sembee earned 350 total points, ID: 16929902
If you are running Exchange 2003 on Windows 2003, then your best option would be to configure recipient filtering. That will stop any email messages destined for users who are unknown on your server from being delivered to the server.

If someone sends a legitimate email with a misspelling then it will bounce back immediately. They will see the error and correct it, or phone up to get the correct address. The email messages will not sit in the queues waiting to be delivered.

http://www.amset.info/exchange/filter-unknown.asp

Unfortunately what you are seeing is very common and is down to the design of the SMTP system. There is no verification that the server sending the email is valid for that address. I could send you an email message which looks like it has come from Bill Gates at Microsoft. You would have to look at the SMTP headers to see that the message didn't originate from Microsoft.

Innovations like SPF are supposed to deal with this issue, but they are not widely adopted enough to use as an effective tool to block email messages; the most you can use them for is to score spam for filtering elsewhere.

Simon.
0
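As an added illustration of the point jhance and Sembee are making (this is not code from the thread, from Exchange or from any product), the small Python model below runs one inbound SMTP session under two policies: accept-then-bounce, which turns every unknown local recipient into an NDR to the possibly forged envelope sender, and recipient filtering, which refuses the unknown user inside the session so no NDR is ever generated. The domain, the user directory and the sender addresses are constructed.

```python
"""Why refusing unknown recipients at RCPT TO time stops backscatter.

Constructed model: "accept_then_bounce" is what the questioner sees (mail
for any local address is accepted and the later failure becomes an NDR to
the envelope sender, which spammers forge); "recipient_filter" is Sembee's
fix (the unknown user is refused in-session, so nothing is queued).
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "mycompany.com"           # domain from the NDR in the question
KNOWN_USERS = {"sp0cky@mycompany.com"}   # constructed user directory


@dataclass
class Outcome:
    replies: list = field(default_factory=list)    # SMTP replies we return
    ndrs_sent: list = field(default_factory=list)  # (to, about) NDRs we originate


def handle_session(mail_from, rcpt_to, policy):
    """Simulate MAIL FROM / RCPT TO / DATA and return what our server does."""
    out = Outcome()
    out.replies.append("250 OK")        # MAIL FROM is accepted under both policies
    accepted = []
    for rcpt in rcpt_to:
        rcpt = rcpt.lower()
        _, _, domain = rcpt.partition("@")
        if domain != LOCAL_DOMAIN:
            out.replies.append("550 5.7.1 Relaying denied")   # never relay outbound
        elif policy == "recipient_filter" and rcpt not in KNOWN_USERS:
            # Refused in-session: the sending server owns the failure, not us.
            out.replies.append("550 5.1.1 User unknown")
        else:
            out.replies.append("250 OK")
            accepted.append(rcpt)
    if not accepted:
        return out
    out.replies.append("250 Queued")    # DATA accepted; delivery happens later
    for rcpt in accepted:
        if rcpt in KNOWN_USERS:
            continue
        # Late failure.  An NDR to a forged sender is backscatter; an NDR in
        # reply to a null-sender (<>) message would be an "NDR for an NDR".
        if mail_from != "<>":
            out.ndrs_sent.append((mail_from, rcpt))
    return out
```

Under recipient filtering the only reply the forged sender's relay ever sees is the 550 inside the session, which is exactly the difference between bouncing mail your own users sent and bouncing mail that arrived from outside.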
Expert Comment by Imtiaz Hasham (LVL 12), ID: 16930333
We've had this at some point but they are all gone now... don't worry too much about them...
0