

NDR Attack on ISA SERVER SMTP virtual server.  Need help.

Posted on 2006-11-17
Medium Priority
Last Modified: 2013-11-15
We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside.  We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server.  We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages) so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory.  This cleaned up the overloaded queues on the Exchange server.  However, I have recently noticed that there is a Queue folder in the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from postmaster@isaserver.domain.com.  It appears that this virtual SMTP server on the ISA box is under NDR attack as well; however, there is not an option in ISA to filter recipients not in the directory.  I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working.  I set up a task that runs a script to empty that badmail folder to keep this from happening again.  The badmail folder on our Exchange 2K3 server was empty, but the badmail folder on our ISA box was way overloaded.  What should I do to stop the NDR queue buildup on ISA?  Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange.  Do I?  Is there another way that ISA needs to be configured to pass outside email to our Exchange box?  Thanks in advance for the help.
Question by:shockey
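An added example, not code from this thread or from ISA/IIS: a Python script that scans an IIS SMTP mailroot Queue directory (the path and the *.eml naming are assumptions) and counts how many queued messages are delivery status notifications, using the null reverse-path and multipart/report markers that RFC 3464 bounces carry plus the postmaster From: line the poster saw, so an NDR backscatter buildup like this one can be caught by a scheduled task before the queue fills the disk. The sample messages are constructed.

```python
import email
import os
import tempfile
from email.message import Message


def is_ndr(msg: Message) -> bool:
    """Heuristic DSN check: RFC 3464 bounces carry a null reverse-path
    (Return-Path: <>) and/or a multipart/report body with
    report-type=delivery-status; IIS SMTP bounces also come From: postmaster@."""
    return_path = (msg.get("Return-Path") or "").strip()
    report_type = msg.get_param("report-type", header="Content-Type") or ""
    sender = (msg.get("From") or "").lower()
    return (return_path == "<>"
            or (msg.get_content_type() == "multipart/report"
                and str(report_type).lower() == "delivery-status")
            or sender.startswith("postmaster@"))


def classify_text(raw: str) -> bool:
    """Classify one message given as text (convenience wrapper)."""
    return is_ndr(email.message_from_string(raw))


def scan_queue(queue_dir: str) -> dict:
    """Count NDR vs other *.eml files in a mailroot Queue directory (assumed layout)."""
    stats = {"ndr": 0, "other": 0}
    for name in os.listdir(queue_dir):
        if not name.lower().endswith(".eml"):
            continue
        with open(os.path.join(queue_dir, name), "rb") as fh:
            msg = email.message_from_binary_file(fh)
        stats["ndr" if is_ndr(msg) else "other"] += 1
    stats["ndr_share"] = stats["ndr"] / max(1, stats["ndr"] + stats["other"])
    return stats


# Constructed sample messages, not captured from the poster's server.
SAMPLES = {
    "q1.eml": "Return-Path: <>\nFrom: postmaster@isaserver.domain.com\n"
              "To: forged@example.net\nSubject: Delivery Status Notification (Failure)\n"
              "Content-Type: multipart/report; report-type=delivery-status; boundary=b1\n"
              "\n--b1\nContent-Type: text/plain\n\nUnknown recipient.\n--b1--\n",
    "q2.eml": "Return-Path: <>\nFrom: postmaster@isaserver.domain.com\n"
              "To: victim@example.org\nSubject: Undeliverable\n\nbounce text\n",
    "q3.eml": "Return-Path: <alice@example.com>\nFrom: alice@example.com\n"
              "To: bob@domain.com\nSubject: Hello\n\nnormal mail\n",
}


def demo() -> dict:
    """Write the samples to a temporary 'Queue' directory and scan it."""
    with tempfile.TemporaryDirectory() as queue_dir:
        for name, raw in SAMPLES.items():
            with open(os.path.join(queue_dir, name), "w", newline="") as fh:
                fh.write(raw)
        return scan_queue(queue_dir)


if __name__ == "__main__":
    print(demo())
```

A high `ndr_share` on a queue that should carry little outbound mail is the signal the poster describes; the From: postmaster@ rule is a heuristic and should be read together with the other two markers.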

Expert Comment

ID: 17965519

It is advised that you use your ISA as a true firewall not running any SMTP proxy.

Now when you run an IIS SMTP component on your ISA box, it becomes really difficult to control SPAM. A simple IIS box has very little to almost no defence against SPAM attacks.

There are 2 options that you may wish to use;

1. Remove the SMTP component of ISA and route all inbound port 25 traffic to your Exchange 2003 server, which can have connection, recipient, sender and IMF filtering enabled.
2. Have the SMTP on the ISA box but resort to a 3rd party SPAM check at the ISA level.

ISA is supposed to work on the IP level and it really does not make any sense to use SMTP on an ISA box.


Author Comment

ID: 17965670
I should have clarified we are running the SMTP virtual server in the IIS component of the ISA Server machine.  We have an inbound SMTP allow rule set up in ISA to allow traffic on port 25 to come in to the IP address of the ISA server.  Is this not correct?  Should I remove the SMTP virtual server from the ISA Server and change the rule to point this inbound traffic on port 25 to the Exchange server's IP address?

Expert Comment

ID: 17965879
Dear shockey,
It is not possible to control SPAM even if you use ISA as your incoming SMTP Gateway. You may buy some third party tools like Trend Micro or SurfControl to control the SPAM. Or you can enable sender filtering and block the domain postmaster@isaserver.domain.com. This will stop these mails.



Expert Comment

ID: 17965992
Hi shockey,

Try enabling the tarpit feature.

Copyrighted content removed by sembee.



Accepted Solution

Exchgen earned 500 total points
ID: 17966278

You are right... just get rid of the SMTP virtual server.. and do all the filtering on the exchange 2003 BOX.


Expert Comment

ID: 17968063
Oh my bad sorry for posting !

Author Comment

ID: 18028395
I am already using the IMF filtering on the Exchange box.  I am also using recipient filtering to filter messages sent to recipients that weren't in the directory.  I am also using the tarpit feature.  The problem originally was that the Exchange box was getting overloaded with these queues; enabling the above features has stopped this.  However, now the ISA box is getting overloaded with these queues because it is set up to use a virtual SMTP server to route mail through to the Exchange box.  This was set up based on an article published online from Shinder (ISA KING).
The question that now exists is:  Do I need to have an SMTP virtual server set up in the IIS component of the ISA Server machine in order to get outside email into the Exchange box?  If not, what steps/rules need to be set up to allow these messages to be routed from the external to the Exchange box which is behind ISA?  Is it as simple as setting up an access rule to allow inbound SMTP protocol on port 25 and point it to the IP of the Exchange box?  Thanks again.


Author Comment

ID: 18028418

I cannot enable the sender filter to stop traffic from postmaster@isaserver.domain.com, because the sender filter features are on the Exchange box, which is behind the ISA box.  These messages are being sent out from ISA via its IIS SMTP virtual server.  As far as I can tell they are not being routed through Exchange at all.

Expert Comment

ID: 21676934
If you don't need to send mail thru that IIS SMTP Service, you can change the outbound settings to use a bogus port, such as 2525.

Then use a firewall or virus software port blocker to prevent outbound data on port 2525.  

You have effectively killed the ability of the SMTP Service to send mail.  Then tweak your retry options to expire the outbound messages quickly.

If you do need to send mail from that server, add a second SMTP Server instance, and set it up on a different IP or port (perhaps 587) and do NOT allow anonymous connections to it.


Question has a verified solution.
