Handling incoming NDR's from spam using spoofed address

I run an Exchange 2000 server for a small (25 employees) company. We have several applications in place to protect us from incoming Spam (Symantec Mail Security + iHateSpam) which do a pretty good job. However, these applications can not protect us from incoming NDR's that use an invalid spoofed address using our domain.

Lately, my Bad Mail queue has been processing over 1600 undeliverable NDR's per hour. This is causing a tremendous load on our server slowing down the delivery of legitimate mail. One day this week over 10,000 undeliverable messages were processed in 2 hours causing my Exchange Server to become unresponsive to local clients.

Is there anything that can be done to handle incoming mail with bad addresses other than Exchange's default behavior of multiple attempts to deliver?

I already have disabled the sending of NDR's to senders of incoming mail with bad addresses. I also have a daily At job that deletes the BadMail folder to keep it's size under control. This is not enough to keep my Exchange Server from bogging down trying to process all this bad mail.

If I can't find a workable solution we may be forced to move our email server to a hosting service which is not something management wants to do.

Your ideas are appreciated.

Thanks - JR
Who is Participating?
SembeeConnect With a Mentor Commented:
There is no recipient filtering in Exchange 2000. You would have to use a third party tool. Both GFI ME and Vamsoft ORF can do directory lookups, which is what recipient filtering does on Exchange 2003.

NDR attacks and being on the receiving end of spoofed emails are very different.
If your server is trying to send out lots of email from postmaster@ where the sender of the original message is something bogus at your domain, then that is an NDR attack.
If, on the other hand, you are simply receiving large numbers of NDRs from legitimate domains, then it could be spoofed.

Dear BRT-Tech,
You may enable reverse DNS lookup for your incoming mails. This way you may be able to reduce the no of SPAM mails. But sometimes geninue domains will be blocked due to this issue.

Some more experts will help you with their solutions

BRT-TechAuthor Commented:
Thanks for your comment inbarasan.  It's really not incoming Spam that is a problem, but incoming NDR's from Spam that used our domain in a spoofed return address. These NDR's are coming from legitimate domains, not from the Spammers so I don't think your idea would help.  I already use several Remote Block Lists which greatly reduce the number of incoming messages. Nearly 90% of connections fail the RBL look-up.

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Under the terms of the RFC you have to accept those NDRs. They are for your domain and any attempt to stop them from being delivered will probably get you blacklisted.

If everyone dropped the messages at the SMTP delivery point instead of accepting the messages and then trying to NDR them, then this wouldn't be an issue. As it is, they don't.

I don't think there is a way that you can deal with this. If it is a major problem then you might want to consider a second server in front of the Exchange server to handle the initial processing. Even putting something like GFI or Vamsoft ORF in front which do directory lookups will not really help as you have to accept the NDRs for your domain.

BRT-TechAuthor Commented:
I've done some more research, and found some answers here on EE as well as Microsoft's knowledge base.

I'm  pretty much convinced that I have been under a Reverse NDR attacks. See http://support.microsoft.com/?kbid=909005

According to that bulletin, and an earlier answer on EE I can enable Recipient Filtering in Exchange 2000 so that misdirected email is rejected at the SMTP connection point. I do not believe this violates the RFC because the sending server then generates the NDR. The trade of of this is that it can make the server open to a Directory Harvest attack exposing valid addresses to the Spammers.

I've also considered implementing the Sender Policy Framework (DNS SPF Record), unfortunately the service we use does not support this. I'm still working on them though.

More info in this EE Q/A: http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21708292.html
BRT-TechAuthor Commented:
Thanks Sembe.  The MS Bulletin said it applies to 2000 and 2003; I have not yet tried to follow it.

Point taken on differing problems. Here's what I am seeing exactly....

On Monday our Exchange Server crashed (MS Exchange Information Store service had stopped unexpectedly). Research leads me to believe this was due to Symantec Mail Security being overloaded. They have documented this as an issue after a large Spam attack.

Tuesday Exchange was not delivering mail. CPU loading was high 90% and the Directory Lookup queue was loaded up with thousands of messages. I believe this was still related to the overload failure of SMS, per their bulletin.

This morning when I checked in IO looked at the Bad Mail folder at 7:45 AM.  I have an At-Job delete the folder contents at 5:15AM and there were already 4000 files in the folder which I deleted. Looking now at 11:00 AM there are another 5000 in the folder. Every one of these Dead messages is an NDR from an outside domain being sent to an non-existent user at our domain.

So - I have thousands of NDR's coming in every hour. They are from what look to be legitimate domains.  I don't know if  this qualifies as a reverse NDR attack or not.  I do not have the outgoing messages from Postmaster because I have disabled sending NDRs.

What ever you would like to call it it's a real pain in my behind :)

BRT-TechAuthor Commented:

The next batch to go to teh Bad Mail folder are from postmaster @ mydomain addressed to an invalid user @ mydomain.

Is my server attacking itself?
If you are getting invalid user @ your domain then that is an NDR attack.

The KB article you have referred to only provides instructions for recipient filtering on Exchange 2003.

What I would do is...

1. Shut off port 25 on your firewall so that no more traffic can come in.
2. Get your hands on a trial version of an application that can do directory lookups. From a simplicity point of view I would probably suggest Vamsoft ORF (http://www.vamsoft.com) as it doesn't have lots of other features that can get in the way and you can control what is and isn't enabled. Don't enable anything but the directory lookups at this time.
3. Clean up the server. I have instructions on how to do that on my web site: http://www.amset.info/exchange/spam-cleanup.asp

If you don't turn off port 25 then you are just fighting against a continuing stream of messages. It will give your server a chance to deal with the messages, or for you to clean them up.

Don't forget that the quickest way to clear badmail is to simply rename the folder, then SHIFT DELETE the folder, not the contents. Exchange will recreate the folder when it is required.

BRT-TechAuthor Commented:
Thanks Simon.

Yes I notice now the instructions for filtering say Exchange 2003 only.

I do not think I am currently under heavy attack. A check of the queues today show noting pending except for a few retries to an external domain that I know is legitimate.  There is still a lot of crap coming in, but the server is able to handle the volume so far. Unless things get worse, I'll leave port 25 enabled (My solution Monday and Tuesday was to simply pull the Ethernet cable from the upstream router, severing all connections to the Internet.)

I will take your suggestion to look at Vamsoft ORF. That sounds like what I need.

With a good filter in place I could re-enable outgoing NDR's which would be my preference.

Your website looks very helpful, thank you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.