Solved

Handling incoming NDR's from spam using spoofed address

Posted on 2006-11-17
9
1,756 Views
Last Modified: 2012-05-05
I run an Exchange 2000 server for a small (25 employees) company. We have several applications in place to protect us from incoming Spam (Symantec Mail Security + iHateSpam) which do a pretty good job. However, these applications cannot protect us from incoming NDRs that use an invalid spoofed address using our domain.

Lately, my Bad Mail queue has been processing over 1600 undeliverable NDRs per hour. This is causing a tremendous load on our server slowing down the delivery of legitimate mail. One day this week over 10,000 undeliverable messages were processed in 2 hours causing my Exchange Server to become unresponsive to local clients.

Is there anything that can be done to handle incoming mail with bad addresses other than Exchange's default behavior of multiple attempts to deliver?

I already have disabled the sending of NDRs to senders of incoming mail with bad addresses. I also have a daily At job that deletes the BadMail folder to keep its size under control. This is not enough to keep my Exchange Server from bogging down trying to process all this bad mail.

If I can't find a workable solution we may be forced to move our email server to a hosting service which is not something management wants to do.

Your ideas are appreciated.

Thanks - JR
Question by:BRT-Tech
9 Comments
 
LVL 14

Expert Comment

by:inbarasan
ID: 17964711
Dear BRT-Tech,
You may enable reverse DNS lookup for your incoming mails. This way you may be able to reduce the number of spam mails. But sometimes genuine domains will be blocked due to this issue.

Some more experts will help you with their solutions

Cheers!
0
 

Author Comment

by:BRT-Tech
ID: 17964896
Thanks for your comment inbarasan.  It's really not incoming Spam that is a problem, but incoming NDR's from Spam that used our domain in a spoofed return address. These NDR's are coming from legitimate domains, not from the Spammers so I don't think your idea would help.  I already use several Remote Block Lists which greatly reduce the number of incoming messages. Nearly 90% of connections fail the RBL look-up.

JR
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17964930
Under the terms of the RFC you have to accept those NDRs. They are for your domain and any attempt to stop them from being delivered will probably get you blacklisted.

If everyone dropped the messages at the SMTP delivery point instead of accepting the messages and then trying to NDR them, then this wouldn't be an issue. As it is, they don't.

I don't think there is a way that you can deal with this. If it is a major problem then you might want to consider a second server in front of the Exchange server to handle the initial processing. Even putting something like GFI or Vamsoft ORF in front which do directory lookups will not really help as you have to accept the NDRs for your domain.

Simon.
0

 

Author Comment

by:BRT-Tech
ID: 17966038
I've done some more research, and found some answers here on EE as well as Microsoft's knowledge base.

I'm pretty much convinced that I have been under a Reverse NDR attack. See http://support.microsoft.com/?kbid=909005

According to that bulletin, and an earlier answer on EE, I can enable Recipient Filtering in Exchange 2000 so that misdirected email is rejected at the SMTP connection point. I do not believe this violates the RFC because the sending server then generates the NDR. The trade-off of this is that it can make the server open to a Directory Harvest attack exposing valid addresses to the Spammers.

I've also considered implementing the Sender Policy Framework (DNS SPF Record), unfortunately the service we use does not support this. I'm still working on them though.

More info in this EE Q/A: http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21708292.html
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 17966164
There is no recipient filtering in Exchange 2000. You would have to use a third party tool. Both GFI ME and Vamsoft ORF can do directory lookups, which is what recipient filtering does on Exchange 2003.

NDR attacks and being on the receiving end of spoofed emails are very different.
If your server is trying to send out lots of email from postmaster@ where the sender of the original message is something bogus at your domain, then that is an NDR attack.
If, on the other hand, you are simply receiving large numbers of NDRs from legitimate domains, then it could be spoofed.

Simon.
0
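The distinction Simon draws above (our own postmaster bouncing to a bogus local sender versus outside MTAs bouncing to spoofed local senders) can be checked against the files Exchange leaves in the Bad Mail folder. The script below is an added example and is not code from the thread, Experts Exchange or Microsoft; the domain, the list of valid mailboxes and the three sample messages are constructed placeholders. It also shows the decision a directory lookup at RCPT TO would make, which is the recipient-filtering mitigation the thread discusses.

```python
import email
from collections import Counter
from email.utils import parseaddr

# Hypothetical values: substitute the domain the server is authoritative for
# and the mailboxes its directory actually contains.
OUR_DOMAIN = "example.com"
VALID_LOCAL_USERS = {"jr", "postmaster", "sales"}
BOUNCE_SENDERS = {"", "postmaster", "mailer-daemon"}

# Constructed sample Bad Mail files (raw RFC 822 text), not real captures.
SAMPLES = {
    "external_ndr.bad": "From: MAILER-DAEMON@mail.other.example\r\nTo: qzx8814@example.com\r\n"
                        "Subject: Undeliverable: cheap watches\r\n\r\nCould not be delivered.\r\n",
    "self_ndr.bad": "From: postmaster@example.com\r\nTo: qzx8814@example.com\r\n"
                    "Subject: Delivery Status Notification (Failure)\r\n\r\nRecipient unknown.\r\n",
    "null_sender.bad": "From: <>\r\nTo: bob.x@example.com\r\nSubject: failure notice\r\n\r\n",
}

def split_addr(header):
    """Return (local part, domain), lower-cased; ('', '') for a null sender."""
    _, addr = parseaddr(header or "")
    local, _, domain = addr.lower().rpartition("@")
    return (local, domain) if domain else ("", "")

def classify(raw):
    """Label one Bad Mail message using the distinction made in the accepted answer."""
    msg = email.message_from_string(raw)
    from_local, from_domain = split_addr(msg["From"])
    to_local, to_domain = split_addr(msg["To"])
    if to_domain != OUR_DOMAIN:
        return "not-for-our-domain"
    if to_local in VALID_LOCAL_USERS:
        return "deliverable"
    if from_domain == OUR_DOMAIN and from_local == "postmaster":
        # Our own postmaster bouncing spam to a bogus local sender: the NDR attack case.
        return "ndr-attack"
    if from_local in BOUNCE_SENDERS:
        # An outside MTA bouncing to a spoofed local sender: backscatter from spoofing.
        return "backscatter"
    return "other-undeliverable"

def would_reject_at_rcpt(rcpt):
    """What a directory lookup at RCPT TO would do: refuse unknown local recipients
    before DATA, so the sending server, not ours, generates any NDR. The thread's
    caveat applies: those refusals also tell a sender which addresses exist."""
    local, domain = split_addr(rcpt)
    return domain == OUR_DOMAIN and local not in VALID_LOCAL_USERS

def summarize(samples):
    """Count the classes across a folder's worth of files."""
    return Counter(classify(raw) for raw in samples.values())
```

Run summarize() over the real folder contents to see whether the bulk of the files are "ndr-attack" (the server bouncing to itself) or "backscatter" (outside servers bouncing to you), which is the question the thread turns on.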
 

Author Comment

by:BRT-Tech
ID: 17966366
Thanks Sembee. The MS Bulletin said it applies to 2000 and 2003; I have not yet tried to follow it.

Point taken on differing problems. Here's what I am seeing exactly....

On Monday our Exchange Server crashed (MS Exchange Information Store service had stopped unexpectedly). Research leads me to believe this was due to Symantec Mail Security being overloaded. They have documented this as an issue after a large Spam attack.

Tuesday Exchange was not delivering mail. CPU loading was high 90% and the Directory Lookup queue was loaded up with thousands of messages. I believe this was still related to the overload failure of SMS, per their bulletin.

This morning when I checked in I looked at the Bad Mail folder at 7:45 AM. I have an At-Job delete the folder contents at 5:15 AM and there were already 4000 files in the folder, which I deleted. Looking now at 11:00 AM there are another 5000 in the folder. Every one of these Dead messages is an NDR from an outside domain being sent to a non-existent user at our domain.

So - I have thousands of NDRs coming in every hour. They are from what look to be legitimate domains. I don't know if this qualifies as a reverse NDR attack or not. I do not have the outgoing messages from Postmaster because I have disabled sending NDRs.

Whatever you would like to call it, it's a real pain in my behind :)

JR
0
 

Author Comment

by:BRT-Tech
ID: 17966405
UPDATE -

The next batch to go to the Bad Mail folder are from postmaster @ mydomain addressed to an invalid user @ mydomain.

Is my server attacking itself?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17966553
If you are getting invalid user @ your domain then that is an NDR attack.

The KB article you have referred to only provides instructions for recipient filtering on Exchange 2003.

What I would do is...

1. Shut off port 25 on your firewall so that no more traffic can come in.
2. Get your hands on a trial version of an application that can do directory lookups. From a simplicity point of view I would probably suggest Vamsoft ORF (http://www.vamsoft.com) as it doesn't have lots of other features that can get in the way and you can control what is and isn't enabled. Don't enable anything but the directory lookups at this time.
3. Clean up the server. I have instructions on how to do that on my web site: http://www.amset.info/exchange/spam-cleanup.asp

If you don't turn off port 25 then you are just fighting against a continuing stream of messages. It will give your server a chance to deal with the messages, or for you to clean them up.

Don't forget that the quickest way to clear badmail is to simply rename the folder, then SHIFT DELETE the folder, not the contents. Exchange will recreate the folder when it is required.

Simon.
0
 

Author Comment

by:BRT-Tech
ID: 17966716
Thanks Simon.

Yes I notice now the instructions for filtering say Exchange 2003 only.

I do not think I am currently under heavy attack. A check of the queues today shows nothing pending except for a few retries to an external domain that I know is legitimate. There is still a lot of crap coming in, but the server is able to handle the volume so far. Unless things get worse, I'll leave port 25 enabled (my solution Monday and Tuesday was to simply pull the Ethernet cable from the upstream router, severing all connections to the Internet).

I will take your suggestion to look at Vamsoft ORF. That sounds like what I need.

With a good filter in place I could re-enable outgoing NDRs, which would be my preference.

Your website looks very helpful, thank you.

JR
0
