Solved

Handling incoming NDRs from spam using spoofed addresses

Posted on 2006-11-17
Last Modified: 2012-05-05
I run an Exchange 2000 server for a small (25 employees) company. We have several applications in place to protect us from incoming Spam (Symantec Mail Security + iHateSpam) which do a pretty good job. However, these applications cannot protect us from incoming NDRs that use an invalid spoofed address using our domain.

Lately, my Bad Mail queue has been processing over 1600 undeliverable NDRs per hour. This is causing a tremendous load on our server, slowing down the delivery of legitimate mail. One day this week over 10,000 undeliverable messages were processed in 2 hours, causing my Exchange Server to become unresponsive to local clients.

Is there anything that can be done to handle incoming mail with bad addresses other than Exchange's default behavior of multiple attempts to deliver?

I already have disabled the sending of NDRs to senders of incoming mail with bad addresses. I also have a daily At job that deletes the BadMail folder to keep its size under control. This is not enough to keep my Exchange Server from bogging down trying to process all this bad mail.

If I can't find a workable solution we may be forced to move our email server to a hosting service which is not something management wants to do.

Your ideas are appreciated.

Thanks - JR
Question by:BRT-Tech
9 Comments
 
LVL 14

Expert Comment

by:inbarasan
ID: 17964711
Dear BRT-Tech,
You may enable reverse DNS lookup for your incoming mails. This way you may be able to reduce the number of spam mails. But sometimes genuine domains will be blocked due to this issue.

Some more experts will help you with their solutions

Cheers!
 

Author Comment

by:BRT-Tech
ID: 17964896
Thanks for your comment inbarasan. It's really not incoming Spam that is a problem, but incoming NDRs from Spam that used our domain in a spoofed return address. These NDRs are coming from legitimate domains, not from the Spammers, so I don't think your idea would help. I already use several Remote Block Lists which greatly reduce the number of incoming messages. Nearly 90% of connections fail the RBL look-up.

JR
 
LVL 104

Expert Comment

by:Sembee
ID: 17964930
Under the terms of the RFC you have to accept those NDRs. They are for your domain and any attempt to stop them from being delivered will probably get you blacklisted.

If everyone dropped the messages at the SMTP delivery point instead of accepting the messages and then trying to NDR them, then this wouldn't be an issue. As it is, they don't.

I don't think there is a way that you can deal with this. If it is a major problem then you might want to consider a second server in front of the Exchange server to handle the initial processing. Even putting something like GFI or Vamsoft ORF in front which do directory lookups will not really help as you have to accept the NDRs for your domain.

Simon.
 

Author Comment

by:BRT-Tech
ID: 17966038
I've done some more research, and found some answers here on EE as well as Microsoft's knowledge base.

I'm pretty much convinced that I have been under a reverse NDR attack. See http://support.microsoft.com/?kbid=909005

According to that bulletin, and an earlier answer on EE, I can enable Recipient Filtering in Exchange 2000 so that misdirected email is rejected at the SMTP connection point. I do not believe this violates the RFC because the sending server then generates the NDR. The trade-off of this is that it can make the server open to a Directory Harvest attack, exposing valid addresses to the Spammers.

I've also considered implementing the Sender Policy Framework (DNS SPF Record), unfortunately the service we use does not support this. I'm still working on them though.

More info in this EE Q/A: http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21708292.html
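The two behaviours being compared in this thread, modelled in Python as an added example (this is not code from the thread, from Exchange, or from any product mentioned here): under the default policy every RCPT TO for the domain is answered 250 and unknown users are NDR'd after DATA, which is what turns a spoofed MAIL FROM into backscatter to a third party, and, when the spoofed sender is itself a nonexistent user in the same domain, into a postmaster@mydomain NDR that cannot be delivered and lands in badmail; with a directory lookup at RCPT time the unknown recipient gets a 550 and the sending server has to deal with it. The domain, the directory and the per-session cap on unknown recipients (one simple way to blunt the directory-harvest trade-off) are assumptions.

```python
"""
Model of an SMTP receiver's RCPT TO / DATA handling that contrasts
"accept every recipient for our domain, NDR afterwards" with
"check the recipient against the directory and reject at RCPT time".
Added example, not code from the thread or from Exchange; the domain,
the directory and the throttle value are assumptions.
"""

LOCAL_DOMAIN = "example.com"                 # assumption: our domain
DIRECTORY = {"jr", "postmaster", "sales"}    # assumption: the real mailboxes
MAX_BAD_RCPT_PER_SESSION = 5                 # assumption: directory-harvest throttle

ACCEPT_THEN_BOUNCE = "accept_then_bounce"    # Exchange 2000 default behaviour
REJECT_AT_RCPT = "reject_at_rcpt"            # directory lookup during the session


def split_address(addr):
    """Return (localpart, domain) lower-cased; the null sender '<>' gives ('', '')."""
    local, _, domain = addr.strip("<>").lower().rpartition("@")
    return local, domain


class SmtpSession:
    """One inbound SMTP session against our server under a given policy."""

    def __init__(self, policy, directory=DIRECTORY):
        self.policy = policy
        self.directory = directory
        self.mail_from = "<>"
        self.accepted = []         # recipients we answered 250 to
        self.responses = []        # what the remote server saw, in order
        self.bad_rcpt = 0
        self.connection_dropped = False
        self.outbound_ndrs = []    # NDRs our postmaster would send to other domains
        self.badmail = []          # NDRs we would generate but cannot deliver

    def mail(self, sender):
        self.mail_from = sender
        return self._reply("250 2.1.0 Sender OK")

    def rcpt(self, addr):
        if self.connection_dropped:
            return self._reply("421 4.7.0 Connection closed")
        local, domain = split_address(addr)
        if domain != LOCAL_DOMAIN:
            return self._reply("550 5.7.1 Unable to relay")
        if self.policy == ACCEPT_THEN_BOUNCE or local in self.directory:
            self.accepted.append(addr)
            return self._reply("250 2.1.5 Recipient OK")
        # Unknown user under reject-at-RCPT: refuse now, so the sending
        # server (not ours) owns any bounce for this message.
        self.bad_rcpt += 1
        if self.bad_rcpt > MAX_BAD_RCPT_PER_SESSION:
            # Cap unknown recipients per session to blunt directory harvesting.
            self.connection_dropped = True
            return self._reply("421 4.7.0 Too many invalid recipients, closing")
        return self._reply("550 5.1.1 User unknown")

    def data(self):
        """End of DATA: every accepted recipient that does not exist becomes an NDR."""
        if self.connection_dropped:
            return self._reply("421 4.7.0 Connection closed")
        if not self.accepted:
            return self._reply("503 5.5.1 No valid recipients")
        postmaster = "postmaster@" + LOCAL_DOMAIN
        s_local, s_domain = split_address(self.mail_from)
        for addr in self.accepted:
            local, _ = split_address(addr)
            if local in self.directory:
                continue
            if s_domain == "":
                # Bounce of a bounce (null sender): nowhere to send it, so badmail.
                self.badmail.append(("<>", addr))
            elif s_domain == LOCAL_DOMAIN and s_local not in self.directory:
                # Spoofed sender in our own domain that does not exist either:
                # postmaster@ourdomain -> bogus@ourdomain is undeliverable -> badmail.
                self.badmail.append((postmaster, self.mail_from))
            else:
                # Backscatter: our server NDRs an innocent third party.
                self.outbound_ndrs.append((postmaster, self.mail_from))
        return self._reply("250 2.6.0 Queued")

    def _reply(self, code):
        self.responses.append(code)
        return code


def run_session(policy, mail_from, recipients):
    """Drive one session and summarize what it did to us and to others."""
    s = SmtpSession(policy)
    s.mail(mail_from)
    for r in recipients:
        s.rcpt(r)
    s.data()
    return {
        "responses": s.responses,
        "accepted": len(s.accepted),
        "outbound_ndrs": len(s.outbound_ndrs),
        "badmail": len(s.badmail),
        "dropped": s.connection_dropped,
    }


if __name__ == "__main__":
    spam_rcpts = ["zq3x@example.com", "jr@example.com", "fake99@example.com"]
    for pol in (ACCEPT_THEN_BOUNCE, REJECT_AT_RCPT):
        print(pol, run_session(pol, "<victim@other.example>", spam_rcpts))
```

Running it prints the side effects of one spam session under each policy; the numbers to compare are outbound_ndrs (NDRs our postmaster would send to someone else's domain) and badmail. A session with MAIL FROM <> and an unknown recipient is exactly the incoming NDR-to-nonexistent-user case from the question: accepted, it goes to badmail; rejected at RCPT, it never enters the queue.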
LVL 104

Accepted Solution

by: Sembee (earned 500 total points)
ID: 17966164
There is no recipient filtering in Exchange 2000. You would have to use a third party tool. Both GFI ME and Vamsoft ORF can do directory lookups, which is what recipient filtering does on Exchange 2003.

NDR attacks and being on the receiving end of spoofed emails are very different.
If your server is trying to send out lots of email from postmaster@ where the sender of the original message is something bogus at your domain, then that is an NDR attack.
If, on the other hand, you are simply receiving large numbers of NDRs from legitimate domains, then it could be spoofed.

Simon.
 

Author Comment

by:BRT-Tech
ID: 17966366
Thanks Sembee. The MS Bulletin said it applies to 2000 and 2003; I have not yet tried to follow it.

Point taken on differing problems. Here's what I am seeing exactly....

On Monday our Exchange Server crashed (MS Exchange Information Store service had stopped unexpectedly). Research leads me to believe this was due to Symantec Mail Security being overloaded. They have documented this as an issue after a large Spam attack.

Tuesday Exchange was not delivering mail. CPU loading was high 90% and the Directory Lookup queue was loaded up with thousands of messages. I believe this was still related to the overload failure of SMS, per their bulletin.

This morning when I checked in I looked at the Bad Mail folder at 7:45 AM. I have an At-Job delete the folder contents at 5:15 AM and there were already 4000 files in the folder, which I deleted. Looking now at 11:00 AM there are another 5000 in the folder. Every one of these dead messages is an NDR from an outside domain being sent to a non-existent user at our domain.

So - I have thousands of NDRs coming in every hour. They are from what look to be legitimate domains. I don't know if this qualifies as a reverse NDR attack or not. I do not have the outgoing messages from Postmaster because I have disabled sending NDRs.

What ever you would like to call it it's a real pain in my behind :)

JR
 

Author Comment

by:BRT-Tech
ID: 17966405
UPDATE -

The next batch to go to the Bad Mail folder are from postmaster @ mydomain addressed to an invalid user @ mydomain.

Is my server attacking itself?
 
LVL 104

Expert Comment

by:Sembee
ID: 17966553
If you are getting invalid user @ your domain then that is an NDR attack.

The KB article you have referred to only provides instructions for recipient filtering on Exchange 2003.

What I would do is...

1. Shut off port 25 on your firewall so that no more traffic can come in.
2. Get your hands on a trial version of an application that can do directory lookups. From a simplicity point of view I would probably suggest Vamsoft ORF (http://www.vamsoft.com) as it doesn't have lots of other features that can get in the way and you can control what is and isn't enabled. Don't enable anything but the directory lookups at this time.
3. Clean up the server. I have instructions on how to do that on my web site: http://www.amset.info/exchange/spam-cleanup.asp

If you don't turn off port 25 then you are just fighting against a continuing stream of messages. It will give your server a chance to deal with the messages, or for you to clean them up.

Don't forget that the quickest way to clear badmail is to simply rename the folder, then SHIFT DELETE the folder, not the contents. Exchange will recreate the folder when it is required.

Simon.
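A way to tell the cases Sembee distinguishes apart from what is actually sitting in badmail, as an added example in Python (not from the thread and not an Exchange or Vamsoft tool): it parses each dead message and labels it as an NDR from another domain's postmaster to a mailbox we don't have (backscatter from a forged sender in our domain), as an NDR our own postmaster generated for a spoofed sender that doesn't exist either (the postmaster@mydomain to invalid-user@mydomain messages described above, which is what Sembee calls an NDR attack), or as an ordinary inbound message to an unknown user, and then tallies which domains are bouncing at us most. The domain, the directory and the five sample messages are constructed for the example.

```python
"""
Triage for a badmail folder: label each dead message as inbound backscatter
(another domain's NDR to a mailbox we don't have), as an NDR our own server
generated for a spoofed sender in our domain, or as an ordinary inbound
message to an unknown user, then tally the sources.
Added example; not code from the thread or from Exchange.  The domain,
the directory and the sample messages are constructed.
"""
import email
import email.utils
from collections import Counter

LOCAL_DOMAIN = "example.com"                 # assumption: our domain
DIRECTORY = {"jr", "postmaster", "sales"}    # assumption: the real mailboxes


def _bare_address(header_value):
    """Lower-cased bare address from e.g. 'Mail Delivery System <postmaster@x>'."""
    if not header_value:
        return ""
    return email.utils.parseaddr(header_value)[1].lower()


def classify(raw):
    """Classify one raw RFC 822 message taken from badmail."""
    msg = email.message_from_string(raw)
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    sender = _bare_address(msg.get("From"))
    rcpt = _bare_address(msg.get("To"))
    sender_local, _, sender_domain = sender.rpartition("@")
    rcpt_local, _, rcpt_domain = rcpt.rpartition("@")

    # A delivery report has a null envelope sender and/or a multipart/report body.
    is_ndr = null_sender or msg.get_content_type() == "multipart/report"
    rcpt_unknown = rcpt_domain == LOCAL_DOMAIN and rcpt_local not in DIRECTORY

    if is_ndr and sender_domain == LOCAL_DOMAIN and sender_local == "postmaster":
        kind = "own_ndr_to_spoofed_sender"   # our server answered a spoofed message
    elif is_ndr and sender_domain != LOCAL_DOMAIN and rcpt_unknown:
        kind = "inbound_backscatter"         # someone else's NDR for a forged sender in our domain
    elif rcpt_unknown:
        kind = "inbound_to_unknown_user"     # plain spam or mis-addressed mail
    else:
        kind = "other"
    return {"kind": kind, "from": sender, "to": rcpt}


def summarize(raw_messages):
    """Counts per class plus the domains whose servers bounce at us most."""
    kinds = Counter()
    bouncers = Counter()
    for raw in raw_messages:
        c = classify(raw)
        kinds[c["kind"]] += 1
        if c["kind"] == "inbound_backscatter":
            bouncers[c["from"].rpartition("@")[2]] += 1
    return {"kinds": dict(kinds), "top_bouncers": bouncers.most_common(5)}


def _ndr(from_hdr, to_addr):
    """Build a constructed multipart/report NDR with a null Return-Path."""
    return (
        "Return-Path: <>\n"
        f"From: {from_hdr}\n"
        f"To: {to_addr}\n"
        "Subject: Undeliverable mail\n"
        "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b1\"\n"
        "\n--b1\nContent-Type: text/plain\n\nYour message could not be delivered.\n--b1--\n"
    )


# Constructed sample of the kinds of message the author describes finding in badmail.
SAMPLE_BADMAIL = [
    _ndr("Mail Delivery System <postmaster@mail.other.example>", "zq3x@example.com"),
    _ndr("postmaster@mx.third.example", "fake99@example.com"),
    _ndr("postmaster@example.com", "bogus@example.com"),      # our own NDR to a spoofed sender
    "Return-Path: <seller@spam.example>\nFrom: seller@spam.example\n"
    "To: nobody@example.com\nSubject: offer\n\nbuy now\n",
    _ndr("postmaster@partner.example", "jr@example.com"),     # legitimate bounce to a real user
]

if __name__ == "__main__":
    for raw in SAMPLE_BADMAIL:
        print(classify(raw))
    print(summarize(SAMPLE_BADMAIL))
```

Pointed at a real badmail folder (read each file, pass its contents to classify), a large "own_ndr_to_spoofed_sender" count means the server is generating the NDRs itself, while a large "inbound_backscatter" count with many distinct bouncing domains is other servers answering spam that forged our domain.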
 

Author Comment

by:BRT-Tech
ID: 17966716
Thanks Simon.

Yes I notice now the instructions for filtering say Exchange 2003 only.

I do not think I am currently under heavy attack. A check of the queues today shows nothing pending except for a few retries to an external domain that I know is legitimate. There is still a lot of crap coming in, but the server is able to handle the volume so far. Unless things get worse, I'll leave port 25 enabled (My solution Monday and Tuesday was to simply pull the Ethernet cable from the upstream router, severing all connections to the Internet.)

I will take your suggestion to look at Vamsoft ORF. That sounds like what I need.

With a good filter in place I could re-enable outgoing NDRs, which would be my preference.

Your website looks very helpful, thank you.

JR
