Solved

NDR Attack on ISA SERVER SMTP virtual server.  Need help.

Posted on 2006-11-17
1,126 Views
Last Modified: 2013-11-15
We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside. We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server. We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages), so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory. This cleaned up the overloaded queues on the Exchange server.

However, I have recently noticed that there is a Queue folder in the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from postmaster@isaserver.domain.com. It appears that this virtual SMTP server on the ISA box is under NDR attack as well; however, there is not an option in ISA to filter recipients not in the directory. I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working. I set up a task that runs a script to empty that Badmail folder to keep this from happening again. The Badmail folder on our Exchange 2K3 server was empty, but the Badmail folder on our ISA box was way overloaded.

What should I do to stop the NDR queue buildup on ISA? Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange. Do I? Is there another way that ISA needs to be configured to pass outside email to our Exchange box? Thanks in advance for the help.
Question by:shockey
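Before scheduling a script that simply empties Badmail, it is worth confirming what the folder actually holds. The following Python script is an added example (not code from the thread, from IIS SMTP or from Exchange) that scans a mailroot-style Queue or Badmail directory, recognises bounces by their RFC 3464 shape (Content-Type multipart/report with report-type=delivery-status, or a null Return-Path), and tallies which forged senders the NDRs are addressed to and which non-existent local recipients triggered them. The sample messages, addresses and hostnames are constructed and written to a temporary directory; the only assumption about the real .eml files is that they are plain RFC 822 messages.

```python
"""Triage a mailroot Queue or Badmail directory for NDR backscatter.

Added example, not code from the thread or from IIS SMTP. Addresses,
hostnames and the sample messages below are constructed.
"""

import os
import tempfile
from collections import Counter
from email import message_from_binary_file
from email.message import Message


def is_bounce(msg: Message) -> bool:
    """A delivery status notification (RFC 3464) is multipart/report with
    report-type=delivery-status and is sent with a null reverse-path."""
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        return True
    return msg.get("Return-Path", "").strip() == "<>"


def failed_recipients(msg: Message) -> list:
    """Original recipients the NDR reports as failed: the Final-Recipient field
    of each header block in the message/delivery-status part."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # one Message per header block
            final = block.get("Final-Recipient")
            if final:
                found.append(final.split(";", 1)[-1].strip().lower())
    return found


def triage(mailroot_dir: str) -> dict:
    """Count bounces, who they are aimed at, and which bogus local mailboxes
    were guessed to trigger them."""
    targets, bogus = Counter(), Counter()
    total = bounces = 0
    for name in os.listdir(mailroot_dir):
        path = os.path.join(mailroot_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            msg = message_from_binary_file(fh)
        total += 1
        if not is_bounce(msg):
            continue
        bounces += 1
        targets[msg.get("To", "").strip().lower()] += 1
        for rcpt in failed_recipients(msg):
            bogus[rcpt] += 1
    return {"total": total, "bounces": bounces,
            "top_targets": targets.most_common(3),
            "top_bogus_recipients": bogus.most_common(3)}


def make_ndr(victim: str, bogus_rcpt: str) -> bytes:
    """Constructed NDR in the shape a postmaster bounce takes."""
    return (
        "Return-Path: <>\n"
        "From: postmaster@isaserver.domain.com\n"
        f"To: {victim}\n"
        "Subject: Delivery Status Notification (Failure)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\n"
        "This is an automatically generated Delivery Status Notification.\n"
        "--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns;isaserver.domain.com\n\n"
        f"Final-Recipient: rfc822;{bogus_rcpt}\nAction: failed\nStatus: 5.1.1\n"
        "--B1--\n"
    ).encode()


def make_normal(sender: str, rcpt: str) -> bytes:
    return f"From: {sender}\nTo: {rcpt}\nSubject: hello\n\nhi\n".encode()


def build_sample_mailroot() -> str:
    """Write a constructed mix of NDRs and ordinary mail to a temp directory."""
    d = tempfile.mkdtemp(prefix="mailroot-")
    files = ([make_ndr("victim@example.net", "user1@domain.com")] * 3
             + [make_ndr("victim@example.net", "user2@domain.com")] * 2
             + [make_ndr("other@example.org", "user9@domain.com")] * 2
             + [make_normal("alice@example.com", "bob@domain.com")] * 3)
    for i, data in enumerate(files):
        with open(os.path.join(d, f"{i:08x}.eml"), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    print(triage(build_sample_mailroot()))
```

Point `triage()` at the real Queue or Badmail folder instead of the constructed one. A high bounce ratio with a null Return-Path and a handful of external targets is backscatter from recipient guessing, not a local delivery problem, and the Final-Recipient tally shows which mailbox names were guessed.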
11 Comments

Expert Comment

by:Exchgen
ID: 17965519
Hello,

It is advised that you use your ISA as a true firewall not running any SMTP proxy.

Now when you run an IIS SMTP component on your ISA box, it becomes really difficult to control SPAM. A simple IIS box has very little to almost no defence against SPAM attacks.

There are 2 options that you may wish to use:

1. Remove the SMTP component of ISA and route all inbound port 25 traffic to your Exchange 2003 server, which can have connection, recipient, sender and IMF filtering enabled.
2. Have the SMTP on the ISA box but resort to a 3rd-party product checking SPAM at the ISA level.

ISA is supposed to work on the IP level and it really does not make any sense to use SMTP on an ISA box.

Raghu
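Why option 1 removes the backscatter, as an added example (not code from the thread or from ISA, IIS or Exchange): a small Python model of two edge SMTP receivers fed the same forged-sender, guessed-recipient session. The unfiltered edge stands in for the IIS SMTP virtual server, which accepts every RCPT TO and only learns the mailbox does not exist when the internal server refuses it, so by then its only option is an NDR to whatever MAIL FROM claimed; the filtered edge stands in for Exchange 2003 recipient filtering, which refuses unknown recipients with 550 on the attacker's own connection. The directory, hostnames, addresses and the session are constructed.

```python
"""Why refusing unknown recipients at RCPT time stops NDR backscatter.

Added example, not code from the thread or from ISA, IIS or Exchange.
The directory, hostnames, addresses and the attack session are constructed.
"""

from dataclasses import dataclass, field

# Constructed directory of deliverable local mailboxes (assumption).
DIRECTORY = {"alice@domain.com", "bob@domain.com"}
POSTMASTER = "postmaster@isaserver.domain.com"


def _addr(arg: str) -> str:
    """'FROM:<a@b>' / 'TO:<a@b>' -> 'a@b' ('' for the null reverse-path <>)."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


@dataclass
class EdgeMTA:
    """recipient_filtering=False: accept every RCPT, discover bad mailboxes
    only on inward relay (the IIS SMTP virtual server in the thread).
    recipient_filtering=True: 550 unknown recipients during the session."""
    recipient_filtering: bool
    accepted: list = field(default_factory=list)   # (sender, rcpt) relayed inward
    ndr_queue: list = field(default_factory=list)  # (from, to, failed_rcpt) bounces
    _sender: str = ""
    _rcpts: list = field(default_factory=list)
    _in_data: bool = False

    def handle(self, line: str) -> str:
        """Process one client line; return the reply ('' for body lines)."""
        if self._in_data:
            if line != ".":
                return ""
            self._in_data = False
            return self._end_of_data()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 isaserver.domain.com"
        if verb == "MAIL":
            self._sender, self._rcpts = _addr(arg), []
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.recipient_filtering and rcpt not in DIRECTORY:
                # Refused on the attacker's own connection: nothing is queued,
                # so nothing can later bounce to the forged MAIL FROM.
                return "550 5.1.1 User unknown"
            self._rcpts.append(rcpt)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 5.5.1 No valid recipients"
            self._in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _end_of_data(self) -> str:
        """We now own the message; relaying inward is where an unfiltered edge
        first learns a recipient does not exist, and an NDR is all that is left."""
        for rcpt in self._rcpts:
            if rcpt in DIRECTORY:
                self.accepted.append((self._sender, rcpt))
            elif self._sender:
                self.ndr_queue.append((POSTMASTER, self._sender, rcpt))
            # Null reverse-path (MAIL FROM:<>): never bounce a bounce (RFC 5321).
        return "250 2.6.0 Message queued"


def run_session(mta: EdgeMTA, lines: list) -> list:
    """Feed a client session and collect the non-empty replies."""
    replies = []
    for line in lines:
        reply = mta.handle(line)
        if reply:
            replies.append(reply)
    return replies


def backscatter_session(forged_sender: str, n_bogus: int) -> list:
    """Constructed dictionary-style run: one forged sender, many guessed names."""
    lines = ["EHLO attacker.invalid", f"MAIL FROM:<{forged_sender}>"]
    lines += [f"RCPT TO:<user{i}@domain.com>" for i in range(n_bogus)]
    lines += ["RCPT TO:<alice@domain.com>", "DATA", "Subject: buy now", "", ".", "QUIT"]
    return lines


def compare(n_bogus: int = 100, victim: str = "victim@example.net") -> dict:
    """Run the same session against both edges and tally the damage."""
    out = {}
    for name, filt in (("unfiltered_edge", False), ("filtered_edge", True)):
        mta = EdgeMTA(recipient_filtering=filt)
        replies = run_session(mta, backscatter_session(victim, n_bogus))
        out[name] = {"ndrs_to_victim": sum(1 for _, to, _ in mta.ndr_queue if to == victim),
                     "delivered": len(mta.accepted),
                     "replies_550": sum(r.startswith("550") for r in replies)}
    return out


if __name__ == "__main__":
    for edge, stats in compare().items():
        print(edge, stats)
```

Both edges deliver the one real message; the difference is that the unfiltered edge has queued one NDR per guessed name, all addressed to the forged sender, which is exactly the postmaster@isaserver.domain.com traffic filling the Queue folder. The null reverse-path branch is the other half of the rule: an NDR is never generated for MAIL FROM:<>, otherwise two relays can bounce bounces at each other indefinitely.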

Author Comment

by:shockey
ID: 17965670
I should have clarified that we are running the SMTP virtual server in the IIS component of the ISA Server machine. We have an inbound SMTP allow rule set up in ISA to allow traffic on port 25 to come in to the IP address of the ISA server. Is this not correct? Should I remove the SMTP virtual server from the ISA Server and change the rule to point this inbound traffic on port 25 to the Exchange server's IP address?

Expert Comment

by:inbarasan
ID: 17965879
Dear shockey,
It is not possible to control SPAM even if you use ISA as your incoming SMTP gateway. You may buy some third-party tools like Trend Micro or SurfControl to control the SPAM, or you can enable sender filtering and block the domain postmaster@isaserver.domain.com. This will stop these mails.

Cheers!

Expert Comment

by:trenes
ID: 17965992
Hi shockey,

Try enabling the tarpit feature.

Copyrighted content removed by sembee.

Regards,

Trenes

Accepted Solution

by: Exchgen (earned 250 total points)
ID: 17966278
Hey,

You are right... just get rid of the SMTP virtual server.. and do all the filtering on the exchange 2003 BOX.

Raghu

Expert Comment

by:trenes
ID: 17968063
Oh my bad sorry for posting !

Author Comment

by:shockey
ID: 18028395
I am already using the IMF filtering on the Exchange box. I am also using recipient filtering to filter messages sent to recipients that weren't in the directory. I am also using the tarpit feature. The problem originally was that the Exchange box was getting overloaded with these queues; enabling the above features has stopped this. However, now the ISA box is getting overloaded with these queues because it is set up to use a virtual SMTP server to route mail through to the Exchange box; this was set up based on an article published online by Shinder (ISA KING).
The question that now exists is: Do I need to have an SMTP virtual server set up in the IIS component of the ISA Server machine in order to get outside email into the Exchange box? If not, what steps/rules need to be set up to allow these messages to be routed from the external network to the Exchange box, which is behind ISA? Is it as simple as setting up an access rule to allow the inbound SMTP protocol on port 25 and pointing it to the IP of the Exchange box? Thanks again.

Shockey

Author Comment

by:shockey
ID: 18028418
Inbarasan,

I cannot enable the sender filter to stop traffic from postmaster@isaserver.domain.com, because the sender filter features are on the Exchange box, which is behind the ISA box. These messages are being sent out from ISA via its IIS SMTP virtual server. As far as I can tell they are not being routed through Exchange at all.

Expert Comment

by:sdrnascent
ID: 21676934
If you don't need to send mail through that IIS SMTP service, you can change the outbound settings to use a bogus port, such as 2525.

Then use a firewall or virus software port blocker to prevent outbound data on port 2525.  

You have effectively killed the ability of the SMTP Service to send mail.  Then tweak your retry options to expire the outbound messages quickly.

If you do need to send mail from that server, add a second SMTP Server instance, and set it up on a different IP or port (perhaps 587) and do NOT allow anonymous connections to it.