Ipsec60

asked on

Spam mail as NDRs(Non Delivery Reports)

Over the past few weeks, I noticed that users have been receiving strange emails, namely NDRs (Non Delivery Reports), stating that a message that they allegedly sent did not reach the recipient. This recipient is an address that the user has probably never heard of, and the user definitely did not send any email to that address.

I think this is a new spamming technique, whereby to draw users' attention and bypass spam filters, the spammer sends the message as an NDR (Non Delivery Report). In other words, my user did not send the original email to that unknown recipient. The message succeeds in bypassing my spam filter, and sure enough, it is drawing the attention of the recipient (in this case, users) to open the undelivered message. For my network I am using Mail Essentials version 11, which is installed on my ISA server.

My scenario is Internet--ISA(ME)-Front End server-Back End(Exchange cluster).

Please suggest what configuration I need in Mail Essentials to detect and delete those e-mails, or whether I need to install anything else to detect and delete them.
Sembee

There is very little that you can do. It isn't a new technique, it has been going on for some time.
Search this site for NDR attack to see the other side of the coin - which is where someone's server is being used to send the messages.

Unfortunately your server has to accept the NDR messages. Any attempt to block the messages will get you blacklisted very quickly. That is why the spammers are using the technique. Trying to filter them is almost impossible - I have yet to find an effective way.
Have you asked GFI?

Simon.
MATTHEW_L

What I have seen in this case is someone sending email claiming to be from your user, or many users, to a non-existent address on another mail server, which will in turn send an NDR to your user.

One effective way of trying to work on this is SPF records. These are not new, and they are not used everywhere yet, but they could help. They are DNS records that tell other mail servers which servers are allowed to send mail for your domain, and they can help in situations where someone is sending email forged as a user from your domain.

It is really easy to set up; it is just a TXT entry in DNS formatted in a special way. Here is a wizard that will tell you exactly what to put in the record.

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
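As an added illustration (not part of the original thread or of any GFI or Microsoft tooling), here is a small Python SPF evaluator showing how a receiving server uses the DNS record MATTHEW_L describes: given the connecting IP and the domain's SPF TXT record, it returns pass, fail, softfail or neutral. The record, the hostnames and the A-record table are constructed for the example, and only the ip4, a and all mechanisms are implemented.

```python
import ipaddress

# Constructed example record for a hypothetical domain "example.com":
# two authorised sources plus the hostname of the outbound mail server,
# and "-all" so that every other sender hard-fails.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 a:mail.example.com -all"

# Constructed stand-in for DNS A lookups so the example runs offline.
FAKE_A_RECORDS = {"mail.example.com": ["203.0.113.25"]}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF v1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sending_ip, domain, a_lookup=FAKE_A_RECORDS.get):
    """Evaluate `record` for a message from `sending_ip` claiming to be from `domain`.

    Mechanisms are tried left to right; the first match decides the result.
    If nothing matches (no "all" term), SPF specifies a neutral result.
    """
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in a_lookup(host, []))
        elif name == "all":
            matched = True
        else:
            continue  # mx, include, exists etc. are out of scope for this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"
```

A receiving server that honours the "-all" result rejects the forged spam at SMTP time instead of accepting it and then generating the NDR that lands in the asker's users' mailboxes.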

ASKER

Dear Simon,

I have posted to GFI and their reply is  as below:

"What you are reporting, isn't a spam attack against your own users, but the result of spam against another company.

What is happening is that spammers are using email addresses from your company as the return email address in their spam. This spam is being picked up by the other company (most likely because the To address is non-existent) and being denied. This other company has their anti-spam set up to send an NDR, which is getting sent to your company.

Unfortunately this NDR email is actually legitimate email (even if the original spam mail wasn't) and thus not straightforward to block. It can also cause issues, as blocking NDRs means your users will not know when they have mis-typed an email address in their own emails.

It can be blocked by Mailessentials by setting up a Keyword Subject block. NDRs usually have a very standard format and layout. Look at the NDRs you are receiving, and it should be possible to identify possible keywords to block."

Dear MATTHEW_L,

I have tested following the URL you suggested, but if I enable SPF records for my domain, how can it be effective for me? Would you please explain further so I can understand better.




ASKER CERTIFIED SOLUTION
MATTHEW_L


ASKER

Thanks Simon and Matt for the clear explanation of SPF records for my domain.