NDR Attack on ISA SERVER SMTP virtual server.  Need help.

Posted on 2006-11-17
Medium Priority
Last Modified: 2013-11-15
We are currently using ISA 2004 as a proxy and a firewall as our entry point to the outside. We are running an SMTP virtual server on this ISA box which passes email through to our Exchange 2K3 email server. We were experiencing NDR attacks on the Exchange server (filling up queues with postmaster NDR messages) so I enabled recipient filtering to filter messages sent to recipients that weren't in the directory. This cleaned up the overloaded queues on the Exchange server. However, I have recently noticed that there is a Queue folder in the ISA 2K4 server (inetpub\mailroot) that is also filling up with NDR messages which are being sent from postmaster@isaserver.domain.com. It appears that this virtual SMTP server on the ISA box is under NDR attack as well; however, there is not an option in ISA to filter recipients not in the directory. I also discovered that the Badmail folder on ISA (inetpub\mailroot) got overloaded with over 1 million messages and caused the server to stop working. I set up a task that runs a script to empty that Badmail folder to keep this from happening again. The Badmail folder on our Exchange 2K3 server was empty, but the Badmail folder on our ISA box was way overloaded. What should I do to stop the NDR queue buildup on ISA? Also, I am not 100% sure that I even need to have this virtual SMTP server set up in ISA to pass email to Exchange. Do I? Is there another way that ISA needs to be configured to pass outside email to our Exchange box? Thanks in advance for the help.
Question by: shockey
Expert Comment

ID: 17965519

It is advised that you use your ISA as a true firewall not running any SMTP proxy.

Now when you run an IIS SMTP component on your ISA box, it becomes really difficult to control SPAM. A simple IIS box has very little to almost no defence against SPAM attacks.

There are 2 options that you may wish to use;

1. Remove the SMTP component of ISA and route all inbound port 25 traffic to your Exchange 2003 server, which can have connection, recipient, sender and IMF filtering enabled.
2. Keep the SMTP on the ISA box but resort to some 3rd party SPAM checking at the ISA level.

ISA is supposed to work on the IP level and it really does not make any sense to use SMTP on an ISA box.


Author Comment

ID: 17965670
I should have clarified that we are running the SMTP virtual server in the IIS component of the ISA Server machine. We have an inbound SMTP allow rule set up in ISA to allow traffic on port 25 to come in to the IP address of the ISA server. Is this not correct? Should I remove the SMTP virtual server from the ISA Server and change the rule to point this inbound traffic on port 25 to the Exchange server's IP address?

Expert Comment

ID: 17965879
Dear shockey,
It is not possible to control SPAM even if you use ISA as your incoming SMTP gateway. You may buy some third party tools like Trend Micro or SurfControl to control the SPAM. Or you can enable sender filtering and block the domain postmaster@isaserver.domain.com. This will stop these mails.


Expert Comment

ID: 17965992
Hi shockey,

Try enabling the tarpit feature.

Copyrighted content removed by sembee.



Accepted Solution

Exchgen earned 500 total points
ID: 17966278

You are right... just get rid of the SMTP virtual server and do all the filtering on the Exchange 2003 box.


Expert Comment

ID: 17968063
Oh my bad, sorry for posting!

Author Comment

ID: 18028395
I am already using the IMF filtering on the Exchange box. I am also using recipient filtering to filter messages sent to recipients that weren't in the directory. I am also using the tarpit feature. The problem originally was that the Exchange box was getting overloaded with these queues; enabling the above features has stopped this. However, now the ISA box is getting overloaded with these queues because it is set up to use a virtual SMTP server to route mail through to the Exchange box. This was set up based on an article published online from Shinder (ISA KING).
The question that now exists is: Do I need to have an SMTP virtual server set up in the IIS component of the ISA Server machine in order to get outside email into the Exchange box? If not, what steps/rules need to be set up to allow these messages to be routed from the external to the Exchange box which is behind ISA? Is it as simple as setting up an access rule to allow inbound SMTP protocol on port 25 and point it to the IP of the Exchange box? Thanks again.


Author Comment

ID: 18028418

I cannot enable the sender filter to stop traffic from postmaster@isaserver.domain.com, because the sender filter features are on the Exchange box, which is behind the ISA box. These messages are being sent out from ISA via its IIS SMTP virtual server. As far as I can tell they are not being routed through Exchange at all.

Expert Comment

ID: 21676934
If you don't need to send mail through that IIS SMTP Service, you can change the outbound settings to use a bogus port, such as 2525.

Then use a firewall or virus software port blocker to prevent outbound data on port 2525.  

You have effectively killed the ability of the SMTP Service to send mail.  Then tweak your retry options to expire the outbound messages quickly.

If you do need to send mail from that server, add a second SMTP Server instance, and set it up on a different IP or port (perhaps 587) and do NOT allow anonymous connections to it.
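An added example, not from this thread or any product, for the situation the question describes: it tells NDR backscatter from real mail in an IIS SMTP mailroot Queue or Badmail folder by classifying each queued message as a bounce and tallying the domains the bounces are addressed to. The postmaster address is the one from the thread, the sample messages are constructed, and Python on the admin workstation is assumed.

```python
import os
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Relay hostname as it appears in the thread; treat it as a placeholder for your own box.
LOCAL_POSTMASTER = "postmaster@isaserver.domain.com"

def is_ndr(msg):
    """Bounce heuristics: sent by our postmaster, a delivery-status report
    (multipart/report), or a null reverse path (Return-Path: <>)."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    null_path = msg.get("Return-Path", "").strip() == "<>"
    return sender == LOCAL_POSTMASTER or is_dsn or null_path

def summarize(raw_messages):
    """Count messages and NDRs and tally the domains the NDRs are addressed to;
    a queue that is mostly NDRs bound for many foreign domains is backscatter."""
    domains, ndr = Counter(), 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        if is_ndr(msg):
            ndr += 1
            rcpt = parseaddr(msg.get("To", ""))[1]
            domains[rcpt.rpartition("@")[2].lower() or "<none>"] += 1
    return {"total": len(raw_messages), "ndr": ndr, "domains": domains}

def scan_folder(folder):
    """Summarise a real mailroot folder (Queue or Badmail); files are read as
    latin-1 so 8-bit bodies cannot raise decoding errors."""
    raws = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                raws.append(fh.read())
    return summarize(raws)

# Constructed sample queue: two bounces from the relay's postmaster and one real message.
SAMPLE_QUEUE = [
    "From: postmaster@isaserver.domain.com\nTo: victim@example.net\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nnobody@domain.com could not be delivered.\n--b1--\n",
    "Return-Path: <>\nFrom: Mail Delivery System <postmaster@isaserver.domain.com>\n"
    "To: other@example.org\nSubject: Undeliverable\n\nUser unknown.\n",
    "From: customer@example.org\nTo: sales@domain.com\nSubject: Order question\n\n"
    "Is item 42 in stock?\n",
]
```

Point scan_folder at the Queue directory under inetpub\mailroot; a high NDR ratio spread across many external domains confirms the relay is generating backscatter rather than delivering real mail.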

Question has a verified solution.