NDR Attack on ISA SERVER SMTP virtual server. Need help.
Posted on 2006-11-17
We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside. We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server. We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages) so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory. This cleaned up the overloaded queues on the Exchange server. However, I have recently noticed that there is a Queue folder in the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from firstname.lastname@example.org. It appears that this virtual SMTP server on the ISA box is under NDR attack as well; however, there is not an option in ISA to filter recipients not in the directory. I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working. I set up a task that runs a script to empty that Badmail folder to keep this from happening again. The Badmail folder on our Exchange 2K3 server was empty, but the Badmail folder on our ISA box was way overloaded. What should I do to stop the NDR queue buildup on ISA? Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange. Do I? Is there another way that ISA needs to be configured to pass outside email to our Exchange box? Thanks in advance for the help.
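The post mentions a scheduled task whose script empties the Badmail folder. The script below is an added example written for this page, not the poster's script and not part of ISA Server or the IIS SMTP service; it prunes Badmail by age rather than wiping it, and counts queue items that look like bounces (empty envelope sender or a postmaster From: header) so that an NDR storm is reported instead of silently cleaned up. The mailroot path, the age cutoff, the alert threshold, and the `Get-NdrSenderCount` function name are assumptions chosen for the example.

```powershell
# Added example (not the poster's script): prune the SMTP service Badmail
# folder and report NDR-looking traffic in the Queue folder.
# Assumptions: the mailroot path, MaxAgeHours and AlertCount below are
# placeholders for this example; adjust them for the real server.

param(
    [string]$MailRoot    = 'C:\inetpub\mailroot',  # assumed SMTP service mailroot
    [int]   $MaxAgeHours = 24,                     # keep Badmail items younger than this for inspection
    [int]   $AlertCount  = 10000                   # warn when Badmail holds more files than this
)

$badMail = Join-Path $MailRoot 'Badmail'
$queue   = Join-Path $MailRoot 'Queue'
$cutoff  = (Get-Date).AddHours(-$MaxAgeHours)

function Get-NdrSenderCount {
    # Count .eml files whose headers show an empty envelope sender ("<>")
    # or a postmaster From: address, which is what bounce (NDR) traffic
    # looks like. Only the first 40 lines of each file are read so the
    # check stays cheap on a queue holding many thousands of messages.
    param([string]$Folder)
    $count = 0
    Get-ChildItem -Path $Folder -Filter *.eml -File -ErrorAction SilentlyContinue | ForEach-Object {
        $head = Get-Content -Path $_.FullName -TotalCount 40 -ErrorAction SilentlyContinue
        if ($head -match '^(Return-Path:\s*<>|From:.*postmaster@)') { $count++ }
    }
    return $count
}

# 1. Report queue and Badmail health before deleting anything.
$queueTotal = (Get-ChildItem -Path $queue   -File -ErrorAction SilentlyContinue | Measure-Object).Count
$badTotal   = (Get-ChildItem -Path $badMail -File -ErrorAction SilentlyContinue | Measure-Object).Count
$queueNdr   = Get-NdrSenderCount -Folder $queue

Write-Output ("Queue: {0} messages ({1} look like NDRs); Badmail: {2} files" -f $queueTotal, $queueNdr, $badTotal)

if ($badTotal -gt $AlertCount) {
    # A sudden jump here is the early sign of the kind of storm the post describes.
    Write-Warning "Badmail holds $badTotal files (threshold $AlertCount); NDR/backscatter storm likely in progress"
}

# 2. Remove only Badmail items older than the cutoff, leaving recent ones
#    available for analysis of who is bouncing what.
Get-ChildItem -Path $badMail -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Force -ErrorAction SilentlyContinue

# To run this hourly from Task Scheduler (paths are placeholders):
#   schtasks /create /sc hourly /tn "Prune Badmail" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Prune-Badmail.ps1"
```

Keeping a short window of Badmail and logging the counts each run gives a baseline, so the difference between normal bounce volume and an attack is visible from the task's output rather than only from a full disk.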