Solved

Exchange is generating a lot of NDRs from PostMaster@domain.com

Posted on 2008-10-18
Last Modified: 2012-06-27
The Exchange queue is getting filled up with a lot of NDRs from postmaster@domain.com. How can I stop these from generating?
Question by:enlightenedinc
20 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 22749073

They are most likely being generated by people attempting to relay mail through your server, or someone attempting to guess and determine what email addresses exist on your email domain.

You should enable both Recipient Filtering and Tarpitting as per http://www.amset.info/exchange/filter-unknown.asp. This will mean any emails destined for an email address your server is not responsible for will be dropped before an NDR can be sent, and the tarpitting increases the time it would take for a spammer to guess the addresses on your network.

Some people would say to disable NDRs. This is NOT an option and NDRs must not be disabled to keep your server in conformance with the SMTP RFCs.

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22749114
The postmaster NDR is trying to send the NDR to either survey@walmart.com or marketing@walmart.com. These are generating a lot of emails to people we do not know. How can I stop it from generating these outgoing emails?
In the queue it says the sender is survey@walmart.com. It is trying to send to an unknown domain. Then I get the NDR. Or some of the messages actually do show as being delivered successfully.

I do have recipient filtering on and tarpitting. How would I know if tarpitting actually is working?

Also, I have verified my Exchange server is not an open relay.

I think this might be causing another issue I am experiencing.

Another thing, do you know how I can identify if a mailbox or system has been compromised? I have been very unsuccessful in trying to identify the system/mailbox that might have started all of this.

HELP!!!
0
 
LVL 9

Expert Comment

by:Housammuhanna
ID: 22749221
An easy solution is to enable the SMTP Diag Log on the default SMTP VS and see the result of this relay, and have an SMTP filter.
 
0
 

Author Comment

by:enlightenedinc
ID: 22749489
Here are some of the messages from the Event Viewer MSExchangeTransport: NDR
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3022
Date:            10/18/2008
Time:            3:21:21 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
A non-delivery report with a status code of 5.5.0 was generated for recipient rfc822;debebj@aol.com (Message-ID <NLIGHTEXCHExkiyPoHZ000000a7@mail.domain.com>).  
Cause:  This message indicates a generic protocol error (SMTP error).  For example, the remote SMTP responds to an issued EHLO with a 500 level error and the sending system will QUIT the connection and report this with NDR indicating the remote SMTP server can't handle the protocol.
Solution:  View the SMTP log or run a netmon trace to see why the remote SMTP server rejects the protocol request.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Here is an SMTP Protocol message:
Event Type:      Information
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7512
Date:            10/18/2008
Time:            3:21:32 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
The message with ID  <5c41b883$68ddd1bb$7055e0ab@tequil>, P1 From smtp:tequil@libero.it, Subject  Hello, from remote host "servername"   was Rejected/Deleted by Intelligent Message Filter. This is an informational event and does not indicate an error.

For more information, click http://www.microsoft.com/contentredirect.asp.

This is one of the messages from the email address with walmart.com (this is causing a big problem):
Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            10/18/2008
Time:            3:16:00 PM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #5402. The remote host "64.136.52.37", responded to the SMTP command "mail" with "550 Access denied...1e203d6dcd6db5207919559d64e48565e4510100712575493074d594d044a17d217da134f4a47d9dbdd4cd7d...  ". The full command sent was "MAIL FROM:<survey@walmart.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Also, is there a way to determine who or what (machine or mailbox) started this?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22749773

Looking at those warning messages it would appear that somebody is trying to spoof the sender of messages as Walmart, and probably relay them through your server. It is incredibly easy to spoof the From address on an email; the fact the sender of the mail appears to be using a 'Juno Online Services' IP address would further indicate this.

The next troubleshooting step I would suggest would be to enable Message Tracking, and actually see where these messages are being sent to. Are they an internal address on your network, or external? http://www.amset.info/exchange/message-tracking.asp

The other step I would like you to take is to perform a manual telnet test to see whether you are indeed an Open Relay. I know you have already confirmed this, but a second clarification wouldn't go amiss. http://www.amset.info/exchange/telnet-test.asp

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22750959
Ok. The messages are trying to be sent to external addresses from survey@walmart.com or marketing@walmart.com. (See attached file)

I have confirmed the Exchange server is not an open relay:
mail from:address@testdomain.com
501 5.5.4 Invalid Address
mail from:address@testdomain.com
250 2.1.0 address@testdomain.com....Sender OK
rcpt to:address@anotherdomain.com
550 5.7.1 Unable to relay for address@anotherdomain.com
tracking-message.bmp
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22751689

Looking at your output from a Telnet Test, these NDRs should not be generated. The telnet test shows that mail to external servers is being rejected without even being accepted, so no NDRs should be generated by Exchange.

Do you still see the queues fill when all the workstations on the network are switched off?
0
 

Author Comment

by:enlightenedinc
ID: 22752269
I cannot switch off all my workstations at the moment.

But around 2 am, my Exchange server lost connection to the Internet due to my ISP going down. I reviewed the logs and saw only a handful of NDRs recorded. There was no other activity for SMTP Protocol. After I got the server back on the Internet, the SMTP Protocol (MSExchangeTransport) errors started up again. Take a look:
Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            10/19/2008
Time:            8:51:54 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #6290. The remote host "206.171.125.194", responded to the SMTP command "rcpt" with "450 sorry, no mailbox found by that name. (#4.7.1)  ". The full command sent was "RCPT TO:<gail@nctimes.net>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            10/19/2008
Time:            8:51:45 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #6289. The remote host "216.253.154.120", responded to the SMTP command "rcpt" with "554 cuda_nsu 5.7.1 <iry@nmdi.com>: Relay access denied  ". The full command sent was "RCPT TO:<iry@nmdi.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            10/19/2008
Time:            8:53:42 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #6319. The remote host "206.139.32.1", responded to the SMTP command "rcpt" with "450 4.1.1 <vorlon@pdn.net>: Recipient address rejected: User unknown in local recipient table  ". The full command sent was "RCPT TO:<vorlon@pdn.net>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

(I am getting a lot of the errors listed above.) Currently I have around 1000 entries in the queue. The queue for walmart.com is filling up to around 20000 messages. I have frozen the majority of these entries to stop them from going out. I have noticed that some invalid messages are being sent.

What should I do?  I do not want our server to be blacklisted.

Thanks

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3030
Date:            10/19/2008
Time:            9:24:56 AM
User:            N/A
Computer:      NLIGHTEXCH
Description:
A non-delivery report with a status code of 4.0.0 was generated for recipient rfc822;blaise.donhouede@laposte.net (Message-ID <NLIGHTEXCHRhQdOgl4r00000361@mail.NLIGHTENED.COM>).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d1 02 04 c0               Ñ..À    

0
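Triage logic for the 7002/7004 event descriptions quoted above, added here as an example that is not part of the original thread: it pulls the remote host, SMTP verb, reply code and address out of each description and counts how often the server is bounced while sending as a domain it does not own, which is the signature of relayed spam or NDR backscatter rather than local mail. The sample descriptions are constructed in the style of the entries above, and LOCAL_DOMAINS is an assumption to replace with your own accepted domains.

```python
import re
from collections import Counter

# Domains this server is authoritative for (assumed; adjust to your own).
LOCAL_DOMAINS = {"nlightened.com"}

# Constructed sample descriptions modelled on the 7002/7004 entries in the thread.
SAMPLE_EVENTS = [
    'This is an SMTP protocol error log for virtual server ID 1, connection #5402. The remote '
    'host "192.0.2.10", responded to the SMTP command "mail" with "550 Access denied  ". '
    'The full command sent was "MAIL FROM:<survey@example.com>  ".',
    'This is an SMTP protocol error log for virtual server ID 1, connection #5403. The remote '
    'host "192.0.2.11", responded to the SMTP command "mail" with "550 5.7.1 Sender rejected  ". '
    'The full command sent was "MAIL FROM:<marketing@example.com>  ".',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #6290. The remote '
    'host "198.51.100.5", responded to the SMTP command "rcpt" with "450 sorry, no mailbox found '
    'by that name. (#4.7.1)  ". The full command sent was "RCPT TO:<nobody@example.net>  ".',
    'This is an SMTP protocol error log for virtual server ID 1, connection #6300. The remote '
    'host "198.51.100.9", responded to the SMTP command "mail" with "550 Access denied  ". '
    'The full command sent was "MAIL FROM:<user@nlightened.com>  ".',
]

EVENT_RE = re.compile(
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command "(?P<cmd>\w+)" '
    r'with "(?P<code>\d{3})[^"]*"\. The full command sent was "(?P<full>[^"]*)"'
)
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_event(description):
    """Extract remote host, SMTP verb, reply code and the address in the full command."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    addr = ADDR_RE.search(m.group("full"))
    address = addr.group(1).lower() if addr else ""
    return {"host": m.group("host"), "cmd": m.group("cmd").lower(),
            "code": int(m.group("code")), "address": address, "domain": address.rpartition("@")[2]}

def summarize(descriptions, local_domains=LOCAL_DOMAINS):
    """A 5xx on MAIL FROM for a domain we do not own means our server is sending
    as someone else (relayed spam or NDR backscatter), not legitimate local mail."""
    spoofed, hosts, unknown_rcpt = Counter(), Counter(), 0
    for ev in filter(None, map(parse_event, descriptions)):
        hosts[ev["host"]] += 1
        if ev["cmd"] == "mail" and ev["code"] >= 500 and ev["domain"] not in local_domains:
            spoofed[ev["domain"]] += 1
        elif ev["cmd"] == "rcpt" and ev["code"] in (450, 550, 554):
            unknown_rcpt += 1  # remote side rejected a recipient we tried to deliver to
    return {"spoofed_senders": spoofed, "rejecting_hosts": hosts,
            "unknown_recipients": unknown_rcpt}

def backscatter_suspected(summary, threshold=2):
    """Flag when any foreign sender domain has been bounced `threshold` or more times."""
    return any(n >= threshold for n in summary["spoofed_senders"].values())
```

Feed it the Description field of each MSExchangeTransport 7002/7004 event exported from Event Viewer; a single foreign domain dominating spoofed_senders points at the traffic to freeze in the queue.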
 
LVL 58

Expert Comment

by:tigermatt
ID: 22752464

I'm going to get you to check some of the configuration to see that everything is set properly.

In Exchange System Manager, first check the SMTP Virtual Server (Servers > <server name> > Protocols > SMTP > Default SMTP Virtual Server). In Properties, go to 'Advanced' and then press Edit. Ensure the Sender, Recipient and Connection Filters are enabled. Press OK twice.

Now go to Access tab > Authentication. You need to have Anonymous Authentication enabled here. If you press the 'Users' button, you should see 'Authenticated Users' is granted ONLY Submit Permission, and all Relay Permissions are not unchecked. OK twice.

Back on the 'Access' tab, click 'Connection'. You should have selected 'All but the list below', and then have no entries in the list. Press OK.

Now press the 'Relay' button. The option 'Only the list below' should be selected, and the entries in the Computers list should be blank. The checkbox 'Allow all computers which successfully authenticate to relay' box should be UNCHECKED. On the 'Users' button, you should again see 'Authenticated Users' has ONLY Submit Permission.

Verify again that in Global Settings, Message Delivery, you have Recipient Filtering enabled.

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22752695
Ok. I had all the settings as you listed except "The checkbox 'Allow all computers which successfully authenticate to relay' box should be UNCHECKED. On the 'Users' button, you should again see 'Authenticated Users' has ONLY Submit Permission." This was checked. I unchecked it and gave the Authenticated Users submit permission.


Can you please explain the purpose for this change?

Thanks
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22752789

On the Relay section, you have a checkbox 'Allow all computers which successfully authenticate to relay'. I assume at present you have this checked. Essentially what this means is any computer which can successfully authenticate with your server may be able to relay through it. While this is useful in some cases, it is NOT useful on your Default SMTP Virtual Server. This is because this VS has Anonymous Authentication enabled (it must, for internet email to flow in to your mailboxes), so ANY computer can theoretically authenticate anonymously, and with that checkbox checked, those computers will have Relay rights. It must be unchecked at all costs.

As for the Authenticated Users group on the Users tab, they could theoretically have Relay Permissions if they wished, but it is unnecessary. Since nobody should have a POP3/SMTP setup going through the Exchange Server, there is no need to grant relay privileges, and this simply goes back to the old security statement of 'don't give more privileges than someone needs'.

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22752805
OK.

By denying access to the relay permissions, will users still be able to pop/smtp using their mobile device?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22752822
I presume they are all sending out through this single SMTP connector. By making these changes, you will most likely prevent their Mobile Devices using SMTP to relay through the Exchange Server.

However, you should not have Relay enabled for Anonymous Users anyway, which means unchecking the 'All computers which successfully authenticate' checkbox. However, when you press the Users button, you should be safe leaving the Authenticated Users group with 'Relay' permissions Granted.

Alternatively, a much better approach would be to have a new SMTP Virtual Server configured on a different IP or port number. This VS would have Anonymous Authentication turned off, requiring users to authenticate to relay through it. I won't go into this here though.

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22752846
Now. I did run the aqadmcli.exe tool and deleted the survey@walmart.com, marketing@walmart.com and postmaster@mydomain.com entries. After I deleted the email addresses, the NDRs and invalid email messages stopped filling up the queue. I also had to make another change to the Exchange server. My ISP went down, so I had to change the external IP address of the server. But this was before I ran the tool. Do you think they are related or two separate incidents? Thanks
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22753142

From what you describe it would seem the changing of the external IP address is what is related to the stopping of the queues filling.

The spammer(s) would have found your server by two possible methods. The most likely one is they did a port scan of your external IP block on port 25, and found they were able to relay mail through your server to these external systems. Thus, that IP was noted, and your server ended up being used to send spam.

Alternatively, and much less likely, the spammer used your MX record (mail.domain.com, usually) to determine the IP of your server, and spam you based on that.

If the problem is still there, it will only be a matter of time before someone (or something) detects your server and its new IP, and the same behaviour occurs again.

-tigermatt
0
 

Author Comment

by:enlightenedinc
ID: 22764004
So, how can I avoid this happening again? The external IP is a NAT'd address on my network. How can I stop the spammers from discovering the new IP address? I also have a reverse DNS record configured which points to the server's external IP address. What should I do?
Thanks
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22764871

You can't do anything to stop them finding you, but what you can do is stop them knocking your server over. You are wide open to the Internet, and you must be in order for you to receive email. Anyone could do a port scan on your IP, but if they figure that your server is secured, they will not even look deeper into it and just look at the next one.

Matt
0
 

Author Comment

by:enlightenedinc
ID: 22766474
What else can I do to make my server even more secure?

We determined the server is not open to relay messages. It is behind a firewall to handle any intrusions. I have virus protection, anti-malware and Spybot software installed. What else should be done? Thanks for all your help.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 22769269

The main point is to ensure your virus definitions and software on the server are kept up-to-date. Use the Anti Virus's built-in Update tool to update on a scheduled basis, and Windows Update to update the Windows Components regularly (perhaps once a week).

A critical point people think of is people outside hacking the server, but they forget about attacks internally. All users should be forced to have strong passwords - at least 7 characters in length - and you should only give users *just* enough permissions for them to access network services; don't give them too many privileges they don't need, since this poses a security risk on their account.

I would block port 25 outbound from ALL computers on the network EXCEPT the Exchange Server; this will mean if any spam-sending bot gets itself onto any of the network workstations, it can't spam out using a built-in spam engine and get you blacklisted.

-tigermatt
0
