shockey asked:

NDR Attack on ISA SERVER SMTP virtual server. Need help.

We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside.  We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server.  We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages) so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory.  This cleaned up the overloaded queues on the Exchange server.  However, I have recently noticed that there is a Queue folder in the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from postmaster@isaserver.domain.com.  It appears that this virtual SMTP server on the ISA box is under NDR attack as well, however there is not an option in ISA to filter recipients not in the directory.  I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working.  I set up a task that runs a script to empty that badmail folder to keep this from happening again.  The badmail folder on our Exchange 2K3 server was empty, but the badmail folder on our ISA box was way overloaded.  What should I do to stop the NDR queue buildup on ISA?  Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange.  Do I?  Is there another way that ISA needs to be configured to pass outside email to our Exchange box?  Thanks in advance for the help.
Exchgen

Hello,

It is advised that you use your ISA as a true firewall not running any SMTP proxy.

Now when you run an IIS SMTP component on your ISA box, it becomes really difficult to control SPAM. A simple IIS box has very little to almost no defence against SPAM attacks.

There are 2 options that you may wish to use:

1. Remove the SMTP component of ISA and route all inbound port 25 traffic to your Exchange 2003 server, which can have connection, recipient, sender and IMF filtering enabled.
2. Have the SMTP on the ISA box but resort to a third-party product checking SPAM on the ISA level.

ISA is supposed to work on the IP level and it really does not make any sense to use SMTP on an ISA box.

Raghu
shockey (ASKER)

I should have clarified we are running the SMTP virtual server in the IIS component of the ISA Server machine.  We have an inbound SMTP allow rule set up in ISA to allow traffic on port 25 to come in to the IP address of the ISA server.  Is this not correct?  Should I remove the SMTP virtual server from the ISA Server and change the rule to point this inbound traffic on port 25 to the Exchange server's IP address?
Dear shockey,
It is not possible to control SPAM even if you use ISA as your incoming SMTP Gateway. You may buy some third party tools like Trend Micro or SurfControl to control the SPAM, or you can enable sender filtering and block the domain postmaster@isaserver.domain.com. This will stop these mails.

Cheers!
Hi shockey,

Try enabling the tarpit feature.

Copyrighted content removed by sembee.

Regards,

Trenes
ASKER CERTIFIED SOLUTION
Exchgen

Oh my bad, sorry for posting!
shockey (ASKER)

I am already using the IMF filtering on the Exchange box.  I am also using recipient filtering to filter messages sent to recipients that weren't in the directory.  I am also using the tarpit feature.  The problem originally was that the Exchange box was getting overloaded with these queues; enabling the above features has stopped this, however now the ISA box is getting overloaded with these queues because it is set up to use a virtual SMTP to route mail through to the Exchange box. This was set up based on an article published online from Shinder (ISA KING).
The question that now exists is:  Do I need to have an SMTP virtual server set up in the IIS component of the ISA Server machine in order to get outside email into the Exchange box?  If not, what steps/rules need to be set up to allow these messages to be routed from the external to the Exchange box which is behind ISA?  Is it as simple as setting up an access rule to allow inbound SMTP protocol on port 25 and point it to the IP of the Exchange box?  Thanks again.

Shockey
shockey (ASKER)

Inbarasan,

I cannot enable the sender filter to stop traffic from postmaster@isaserver.domain.com, because the sender filter features are on the Exchange box, which is behind the ISA box.  These messages are being sent out from ISA via its IIS SMTP virtual server.  As far as I can tell they are not being routed through Exchange at all.
If you don't need to send mail through that IIS SMTP Service, you can change the outbound settings to use a bogus port, such as 2525.

Then use a firewall or virus software port blocker to prevent outbound data on port 2525.

You have effectively killed the ability of the SMTP Service to send mail.  Then tweak your retry options to expire the outbound messages quickly.

If you do need to send mail from that server, add a second SMTP Server instance, and set it up on a different IP or port (perhaps 587) and do NOT allow anonymous connections to it.
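As an added example (not code from anyone in this thread), the script below tallies how much of an IIS SMTP virtual server's Queue folder (inetpub\mailroot\Queue) consists of NDRs generated by the box's own postmaster, and which domains those bounces are addressed to. That gives the asker a quick way to confirm the backscatter problem and to verify that the changes suggested above actually drain the queue. The sample .EML files, their file names and the temporary directory are constructed for the demo; only the postmaster address comes from the thread.

```python
"""Count postmaster NDRs (backscatter) sitting in an IIS SMTP Queue folder."""
from collections import Counter
from email import message_from_bytes
from email.utils import parseaddr
from pathlib import Path
from typing import Optional
import tempfile

# Constructed sample queue files; not real captured mail.
SAMPLE_QUEUE = {
    "NTFS_1.EML": (b"From: postmaster@isaserver.domain.com\r\n"
                   b"To: spoofed-sender@victim.example\r\n"
                   b"Subject: Delivery Status Notification (Failure)\r\n\r\n"
                   b"Your message did not reach some or all of the intended recipients.\r\n"),
    "NTFS_2.EML": (b"From: postmaster@isaserver.domain.com\r\n"
                   b"To: other@victim.example\r\n"
                   b"Subject: Undeliverable: Special offer\r\n\r\n"
                   b"Your message did not reach some or all of the intended recipients.\r\n"),
    "NTFS_3.EML": (b"From: alice@partner.example\r\n"
                   b"To: bob@domain.com\r\n"
                   b"Subject: Q3 numbers\r\n\r\n"
                   b"Legitimate inbound mail waiting for delivery to Exchange.\r\n"),
}

def is_local_ndr(raw: bytes, postmaster: str) -> Optional[str]:
    """Return the bounce target address if this message is an NDR generated
    by our own postmaster (the IIS SMTP service's NDR subjects), else None."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "").lower()
    ndr_subject = ("delivery status notification" in subject
                   or subject.startswith("undeliverable"))
    if sender != postmaster.lower() or not ndr_subject:
        return None
    return parseaddr(msg.get("To", ""))[1].lower()

def scan_queue(queue_dir: Path, postmaster: str) -> dict:
    """Tally NDRs vs. other queued mail and the domains the NDRs target."""
    ndr_domains, total, ndrs = Counter(), 0, 0
    for path in queue_dir.glob("*.EML"):
        total += 1
        target = is_local_ndr(path.read_bytes(), postmaster)
        if target:
            ndrs += 1
            ndr_domains[target.rpartition("@")[2]] += 1
    return {"total": total, "ndr": ndrs, "ndr_domains": dict(ndr_domains)}

def demo() -> dict:
    """Write the constructed samples to a temp dir (stands in for the real
    Queue folder) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, raw in SAMPLE_QUEUE.items():
            Path(tmp, name).write_bytes(raw)
        return scan_queue(Path(tmp), "postmaster@isaserver.domain.com")

if __name__ == "__main__":
    print(demo())
```

Point `scan_queue` at the real Queue (or Badmail) folder to get the live counts; a queue that is mostly postmaster NDRs to a handful of domains is the backscatter pattern described in the thread.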