kanashii23

asked on

Email Domain Spoof, getting a lot of NDRs

I am using an Exchange 2003 server, and on another box I have Symantec Brightmail 6.0.

Recently I have been getting a lot of spoofed NDRs from other servers; I think someone grabbed my domain and sent out massive spam emails.
How do I solve this?

Currently my Symantec Brightmail 6.0 directory harvesting is not working, and I never use any of the Exchange anti-spam features because all mail
will go through my Brightmail spam filter first.

debuggerau

There is nothing you can do except provide a filter to reject the non-delivery reports.
But then real NDRs wouldn't get through..

So I tell my staff when they are at the receiving end of an attack that the best way to rid yourself of spam and such is to change their email address...

Needless to say, they put up with it, and in a few hours it seems to disappear...

ISPs have hooks to shut down these kinds of floods, so it shouldn't last too long.
ASKER CERTIFIED SOLUTION
vsganesh

About BATV (Bounce Address Tag Verification)
How it works: The email gateway system generates a "tag number" for each email that goes out to the internet. Whenever this email gateway system receives an NDR message, it checks whether the original email was delivered by the same email gateway system by verifying the "tag number".

The following vendors have implemented the BATV function in their products, and I am sure more vendors (apart from the list below) have started integrating BATV now.
Exim
ALT-N
Cellopoint
Ironport
Sendmail
NetQmail
Postfix
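To make the "tag number" idea concrete, here is an added example (not from this thread and not the code of any vendor listed above) in the style of the BATV draft's prvs tag: the outbound envelope sender is rewritten to prvs=KDDDSSSSSS=user@domain, where K is a key number, DDD the expiry day (days since the Unix epoch, mod 1000) and SSSSSS the first six hex digits of an HMAC over those fields and the address. A bounce is accepted only if its recipient carries a tag the gateway itself issued, is not expired, and the HMAC verifies. The secret key, the seven-day lifetime and the addresses are constructed assumptions; key lookup by key number is omitted.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed gateway secret (an assumption for this example). A real gateway keeps
# it in protected configuration and rotates it via the key-number digit.
SECRET_KEY = b"example-gateway-secret"
TAG_LIFETIME_DAYS = 7
EPOCH = date(1970, 1, 1)

# prvs=KDDDSSSSSS=user@example.com  (K = key number, DDD = expiry day, S = signature)
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+@.+)$", re.IGNORECASE
)


def _day_number(d: date) -> int:
    """Days since the Unix epoch; the counter the DDD field is derived from."""
    return (d - EPOCH).days


def _signature(key_num: int, ddd: int, orig_addr: str, key: bytes) -> str:
    """First 6 hex digits of HMAC-SHA1 over the tag fields and the original address."""
    msg = f"{key_num}{ddd:03d}{orig_addr}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(orig_addr: str, today: Optional[date] = None,
               key: bytes = SECRET_KEY, key_num: int = 0) -> str:
    """Rewrite the envelope sender of an outbound message to its prvs-tagged form."""
    today = today or date.today()
    ddd = (_day_number(today) + TAG_LIFETIME_DAYS) % 1000
    sig = _signature(key_num, ddd, orig_addr, key)
    return f"prvs={key_num}{ddd:03d}{sig}={orig_addr}"


def verify_bounce_recipient(rcpt: str, today: Optional[date] = None,
                            key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Decide whether an inbound bounce (null envelope sender) is addressed to a tag we issued.

    Returns (accept, reason). Anything untagged, expired or with a bad signature is refused,
    which is exactly how the gateway discards NDRs for mail it never sent.
    """
    today = today or date.today()
    m = PRVS_RE.match(rcpt)
    if m is None:
        return False, "no prvs tag: we never sent from this address, so the bounce is not ours"
    key_num, ddd, sig, orig = int(m["k"]), int(m["ddd"]), m["sig"].lower(), m["orig"]
    # Expiry: the tag's day may be at most TAG_LIFETIME_DAYS ahead of today (mod 1000 wrap).
    remaining = (ddd - _day_number(today)) % 1000
    if remaining > TAG_LIFETIME_DAYS:
        return False, "tag expired"
    expected = _signature(key_num, ddd, orig, key)
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch: tag was forged or tampered with"
    return True, f"valid bounce for {orig}"


def demo() -> Dict[str, bool]:
    """Run the four cases a gateway sees, on a fixed date so the result is repeatable."""
    sent_on = date(2024, 1, 10)                      # constructed send date
    tagged = tag_sender("alice@example.com", today=sent_on)
    return {
        "valid": verify_bounce_recipient(tagged, today=sent_on)[0],
        "untagged": verify_bounce_recipient("alice@example.com", today=sent_on)[0],
        "tampered": verify_bounce_recipient(tagged.replace("alice", "mallory"), today=sent_on)[0],
        "expired": verify_bounce_recipient(tagged, today=sent_on + timedelta(days=30))[0],
    }


if __name__ == "__main__":
    print(tag_sender("alice@example.com"))
    print(demo())
```

The check runs at RCPT TO time for messages with an empty MAIL FROM, so forged bounces are refused before any body is accepted; the six-hex-digit truncation is what the draft specifies, and the short lifetime limits how long a harvested tag stays replayable.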
kanashii23

ASKER

Problem not solved
I have posted a solution to stop the spoofed NDR messages, but there is no response from the author!
Btw, we had a similar kind of email setup earlier to what the author mentioned here, and my solution is based on what we did to get it resolved in our environment.
The solution is based on getting another appliance, which I do not want to do.
There are 3 things we can determine about spoofed NDRs:

1. Most NDRs can be filtered using a small set of subject phrases.

2. Most legitimate NDRs will reference the IP address or Postmaster account of our mail server somewhere in the message header or body.

3. Spoof-generated NDRs will reference the FQDN of our mail server (as configured in the advanced Virtual SMTP properties) in the message header as the final recipient, but never the IP address or Postmaster account.

Using these premises, create a simple Outlook rule, export it to a file and distribute it to your affected users along with import instructions. The rule runs server-side, so once it's entered there's no further reliance on the Outlook client.

Apply this rule after the message arrives
with undeliverable or undelivered mail or delivery failed or delivery failure or failure notice or returned mail or notification (failure) in the subject, or anything else you can think of that is the subject of a repeated NDR
move it to the Junk E-mail folder
except if the body contains your mail server IP address
or except if the message header contains your mail server IP address or postmaster@yourdomain

You can go even further on the Outlook client: right-click on the Junk E-mail folder, and in the archive options you can automatically permanently delete emails that are a certain age. This will reduce the size of the user mailbox while still getting rid of the NDR spam.

By using the exceptions, all valid NDRs will still make it to the inbox.

-Jason
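The same three premises can be checked outside Outlook, for instance on a gateway or in a mailbox-scanning script. The following is an added example, not Jason's rule export or anything from this thread: it parses raw RFC 822 messages with Python's standard email library, applies the subject-phrase list from the rule, and then applies the two exceptions (our server's IP anywhere in header or body, or our postmaster address in the headers). The server IP 203.0.113.25, the domain example.com and the three sample messages are constructed for the example.

```python
import email
from email import policy
from typing import Dict

# Subject phrases from the Outlook rule; matched case-insensitively as substrings.
NDR_SUBJECT_PHRASES = (
    "undeliverable", "undelivered mail", "delivery failed", "delivery failure",
    "failure notice", "returned mail", "notification (failure)",
)

# Constructed stand-ins for "your mail server IP address" and "postmaster@yourdomain".
OUR_SERVER_IP = "203.0.113.25"
OUR_POSTMASTER = "postmaster@example.com"


def classify_ndr(raw_message: str) -> str:
    """Return 'not-ndr', 'legit-ndr' or 'spoofed-ndr' for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    # Premise 1: the rule only triggers on NDR-like subjects.
    if not any(phrase in subject for phrase in NDR_SUBJECT_PHRASES):
        return "not-ndr"
    # Flatten all headers so the exceptions can look for our IP / postmaster anywhere in them.
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    # Premise 2: a real bounce of mail we sent carries our IP or postmaster somewhere.
    if OUR_SERVER_IP in body or OUR_SERVER_IP in headers or OUR_POSTMASTER in headers:
        return "legit-ndr"
    # Premise 3: NDR-looking subject with no trace of our server (only our FQDN): junk it.
    return "spoofed-ndr"


# Constructed sample messages, one per outcome.
SAMPLES: Dict[str, str] = {
    "spoofed": "\n".join([
        "From: MAILER-DAEMON@mx.example.net",
        "To: alice@example.com",
        "Subject: Delivery Failure",
        "Final-Recipient: rfc822; alice@mail.example.com",
        "",
        "Your message to bob@example.net could not be delivered.",
    ]),
    "legit": "\n".join([
        "Received: from mail.example.com ([203.0.113.25]) by mx.example.net",
        "From: postmaster@example.com",
        "To: alice@example.com",
        "Subject: Undeliverable: Project update",
        "",
        "Your message did not reach some or all of the intended recipients.",
        "Originating server: mail.example.com (203.0.113.25)",
    ]),
    "normal": "\n".join([
        "From: bob@example.net",
        "To: alice@example.com",
        "Subject: Lunch on Friday?",
        "",
        "Still on for noon?",
    ]),
}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample; useful as a quick regression check of the phrase list."""
    return {name: classify_ndr(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

Because the exceptions key on the IP address and postmaster account rather than the FQDN, a backscatter flood that merely names the server's hostname as final recipient still lands in junk, which is the behaviour the three premises above describe.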