NDR Attack on ISA SERVER SMTP virtual server.  Need help.

Posted on 2006-11-17
Last Modified: 2013-11-15
We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside.  We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server.  We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages), so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory.  This cleaned up the overloaded queues on the Exchange server.  However, I have recently noticed that there is a Queue folder on the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from  It appears that this virtual SMTP server on the ISA box is under NDR attack as well; however, there is not an option in ISA to filter recipients not in the directory.  I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working.  I set up a task that runs a script to empty that Badmail folder to keep this from happening again.  The Badmail folder on our Exchange 2K3 server was empty, but the Badmail folder on our ISA box was way overloaded.  What should I do to stop the NDR queue buildup on ISA?  Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange.  Do I?  Is there another way that ISA needs to be configured to pass outside email to our Exchange box?  Thanks in advance for the help.
Question by:shockey
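The question mentions a scheduled task that empties the Badmail folder. As an added example (not from the original post or from any Microsoft tooling), the script below audits an IIS SMTP mailroot: it counts how many queued messages look like bounces (null return path, postmaster sender, or a multipart/report DSN body) and purges only Badmail files older than a retention window, so a sudden NDR flood is visible before the disk fills. The mailroot layout (Queue and Badmail subfolders) is taken from the question; the sample messages are constructed.

```python
import os
import tempfile
import time
from email import message_from_bytes
from pathlib import Path

# Constructed sample messages: one backscatter NDR and one ordinary mail.
NDR = (b"Return-Path: <>\r\nFrom: postmaster@isa.example\r\n"
       b"To: nobody@example.net\r\nSubject: Delivery Status Notification (Failure)\r\n"
       b"\r\nThe following recipient could not be reached.\r\n")
NORMAL = (b"Return-Path: <alice@example.org>\r\nFrom: alice@example.org\r\n"
          b"To: bob@corp.example\r\nSubject: Quarterly numbers\r\n\r\nHi Bob.\r\n")

def is_ndr(raw: bytes) -> bool:
    """True if a message looks like a bounce: null return path,
    postmaster sender, or an RFC 3464 delivery-status report body."""
    msg = message_from_bytes(raw)
    sender = (msg.get("From") or "").lower()
    return_path = (msg.get("Return-Path") or "").strip()
    return (return_path == "<>"
            or sender.startswith("postmaster@")
            or msg.get_content_type() == "multipart/report")

def audit_mailroot(mailroot: Path, max_badmail_age: float, purge: bool = False) -> dict:
    """Count queued messages and NDRs; optionally purge Badmail older than max_badmail_age seconds."""
    report = {"queued": 0, "queued_ndr": 0, "badmail": 0, "purged": 0}
    for f in (mailroot / "Queue").glob("*.eml"):
        report["queued"] += 1
        if is_ndr(f.read_bytes()):
            report["queued_ndr"] += 1
    now = time.time()
    for f in (mailroot / "Badmail").iterdir():  # .bad/.bdp/.bdr files land here
        report["badmail"] += 1
        if purge and now - f.stat().st_mtime > max_badmail_age:
            f.unlink()
            report["purged"] += 1
    return report

def demo() -> dict:
    """Build a constructed mailroot in a temp dir and audit it with a 1-hour Badmail retention."""
    base = Path(tempfile.mkdtemp())
    (base / "Queue").mkdir()
    (base / "Badmail").mkdir()
    for name, body in (("a.eml", NDR), ("b.eml", NDR), ("c.eml", NORMAL)):
        (base / "Queue" / name).write_bytes(body)
    (base / "Badmail" / "fresh.bad").write_bytes(NDR)
    old = base / "Badmail" / "stale.bad"
    old.write_bytes(NDR)
    os.utime(old, (time.time() - 7200, time.time() - 7200))  # two hours old
    return audit_mailroot(base, max_badmail_age=3600, purge=True)
```

Running `demo()` reports 3 queued messages, 2 of them NDRs, and purges only the stale Badmail file; on a real box, point `audit_mailroot` at the inetpub\mailroot path and alert when `queued_ndr` grows.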
Expert Comment

ID: 17965519

It is advised that you use your ISA as a true firewall not running any SMTP proxy.

Now when you run an IIS SMTP component on your ISA box, it becomes really difficult to control SPAM. A simple IIS box has very little to almost no defence against SPAM attacks.

There are 2 options that you may wish to use:

1. Remove the SMTP component of ISA and route all inbound port 25 traffic to your Exchange 2003 server, which can have connection, recipient, sender and IMF filtering enabled.
2. Keep the SMTP on the ISA box but resort to a third-party SPAM check at the ISA level.

ISA is supposed to work on the IP level and it really does not make any sense to use SMTP on an ISA box.


Author Comment

ID: 17965670
I should have clarified we are running the SMTP virtual server in the IIS component of the ISA Server machine.  We have an inbound SMTP allow rule set up in ISA to allow traffic on port 25 to come in to the IP address of the ISA server.  Is this not correct?  Should I remove the SMTP virtual server from the ISA Server and change the rule to point this inbound traffic on port 25 to the Exchange server's IP address?

Expert Comment

ID: 17965879
Dear shockey,
It is not possible to control SPAM even if you use ISA as your incoming SMTP gateway. You may buy some third-party tools like Trend Micro or SurfControl to control the SPAM, or you can enable sender filtering and block the domain. This will stop these mails.


Expert Comment

ID: 17965992
Hi shockey,

Try enabling the tarpit feature.

Copyrighted content removed by sembee.



Accepted Solution

Exchgen earned 250 total points
ID: 17966278

You are right... just get rid of the SMTP virtual server and do all the filtering on the Exchange 2003 box.


Expert Comment

ID: 17968063
Oh my bad sorry for posting !

Author Comment

ID: 18028395
I am already using the IMF filtering on the Exchange box.  I am also using recipient filtering to filter messages sent to recipients that weren't in the directory.  I am also using the tarpit feature.  The problem originally was that the Exchange box was getting overloaded with these queues; enabling the above features has stopped this. However, now the ISA box is getting overloaded with these queues because it is set up to use a virtual SMTP server to route mail through to the Exchange box. This was set up based on an article published online by Shinder (ISA KING).
The question that now exists is:  Do I need to have an SMTP virtual server set up in the IIS component of the ISA Server machine in order to get outside email into the Exchange box?  If not, what steps/rules need to be set up to allow these messages to be routed from the external network to the Exchange box which is behind ISA?  Is it as simple as setting up an access rule to allow the inbound SMTP protocol on port 25 and point it to the IP of the Exchange box?  Thanks again.


Author Comment

ID: 18028418

I cannot enable the sender filter to stop traffic from, because the sender filter features are on the Exchange box, which is behind the ISA box.  These messages are being sent out from ISA via its IIS SMTP virtual server.  As far as I can tell they are not being routed through Exchange at all.

Expert Comment

ID: 21676934
If you don't need to send mail through that IIS SMTP Service, you can change the outbound settings to use a bogus port, such as 2525.

Then use a firewall or virus software port blocker to prevent outbound data on port 2525.  

You have effectively killed the ability of the SMTP Service to send mail.  Then tweak your retry options to expire the outbound messages quickly.

If you do need to send mail from that server, add a second SMTP Server instance, and set it up on a different IP or port (perhaps 587) and do NOT allow anonymous connections to it.
