Exchange 'system administrator' undeliverable messages - can they be generated by spam bounce-backs (reply-to-hijacking)?

Background: We have our own Exchange 2003 server running inhouse. It is behind our firewall - mail does not arrive to it directly, we use POPCon to pull email from POP accounts and pass them on to Exchange, then we use Outlook to connect to exchange. For outgoing email, we have our smarthost set to relay.dnsexit.com. So I don't *think* that we have an open relay (I tested it from http://www.abuse.net/relay.html and it reports "Could not connect, test failed.", which I think is correct, because the server should be completely behind our firewall).

Today we received dozens (hundreds?) of spam bounce-backs from a variety of .ru domains. Normally I wouldn't be concerned about this - someone must be using one of our email addresses as the reply-to on a bunch of spam.

But... what I am concerned about is that some of the bounce-backs look like messages from the Exchange system administrator, e.g. it looks an awful lot like the spam is coming from inside our Exchange box (see attached image).

I have looked at the smtp logs in \system32\logfiles\smtpsvc1\ex*.log, and I don't see any outbound messages to .ru, but I suppose if someone had hijacked this server they could delete from these logs as well...

What I want to verify is this -- can a bounce-back message from the outside world, generate one of these Exchange-like "system administrator" messages in the attached image? Or can these "system administrator" messages only be generated when the original mail was sent outbound from Exchange?

thanks for any help!
-Frank.
ExchangeSystemAdmin.jpg
FDC2005 Asked:
Brian B, EE Topic Advisor, Independent Technology Professional, Commented:
What might be happening is that your system is receiving these rejection notices, but they are from a forged address on your domain. So your mail host then tries to send a notice back to the sender (the RU domain) saying the address doesn't exist. But it can't, since the sender doesn't exist either. Thus the NDR in your inbox.

You might be able to avoid this if your email host has some way of confirming what is and isn't a valid address on your domain.

FDC2005 (Author) Commented:
TBone2K - interesting, I don't 100% understand the mechanics but I get the general direction you are going. Here are two more screen snapshots - the first is what I would call a "traditional" bounce-back message... it comes in looking like a message from the outside world (not from the Exchange administrator), and is getting sent back to us because someone used our email as the reply-to address on the spam. Note: The 81.xx.xx.xx IP listed in the screen snapshot is not our IP, obviously...

The second is the body of the Exchange System Admin message, the ones that are concerning me.

Based on this additional data does it confirm or deny your hypothesis?

thanks,
-Frank.
OutsideNonDelivery.jpg
ExchangeSystemAdminBody.jpg
paragonsubro Commented:
Sounds like a possible reverse NDR attack. If so, here is the solution that worked for me previously.


- We have a lot of queues on the server to invalid domains.
- All these were NDRs and we had a Reverse NDR spam attack.
- This happens if SMTP (inbound and outbound) is open on the firewall and spammers send mails to nonexistent users in the authoritative domain.
- There were close to 950 messages in the queues which were NDRs.
- Installed Anti-Spam agents on the Exchange Server 2007 using the ./install-antispamagents command.
- We then configured Recipient Filtering and Sender Filtering and restarted the Transport Service.
- After this we saw that Reverse NDRs stopped.
FDC2005 (Author) Commented:
It's still not clear to me how to confirm the root cause for these messages, for Exchange 2003.
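One way to confirm the root cause from the NDRs themselves, following the forged-sender explanation given earlier in the thread: open the copy of the bounced message that a delivery report carries and look at where that message first entered the mail system. This is an added example, not code from the thread or from Exchange; it assumes the NDR carries the original as a message/rfc822 part (the RFC 3464 layout), and the host name in OUR_HOSTS and all sample messages are assumed/constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed for this example: the (hypothetical) host name our own Exchange server
# stamps into the first Received: line of mail it originates.
OUR_HOSTS = {"exchange.example.local"}

def embedded_original(ndr):
    """Return the bounced message an NDR carries as a message/rfc822 part, or None."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def first_hop_host(msg) -> str:
    """Relays prepend Received: lines, so the last one names the first hop."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[-1], re.I) if received else None
    return m.group(1).lower() if m else ""

def triage_ndr(raw: bytes) -> str:
    """Say where the message an NDR complains about really came from."""
    orig = embedded_original(message_from_bytes(raw, policy=policy.default))
    if orig is None:
        return "unknown"             # no copy of the original: inspect by hand
    if orig.get_content_type() == "multipart/report":
        return "bounce-of-bounce"    # our own NDR to a forged sender failed (reverse NDR)
    if first_hop_host(orig) in OUR_HOSTS:
        return "originated-locally"  # the message genuinely left our server
    return "backscatter"             # forged From:; it never passed through us

# Constructed samples (not captured traffic) to exercise each outcome.
def sample_message(first_hop: str) -> EmailMessage:
    m = EmailMessage()
    m["Received"] = "from mx1.example.ru by mx2.example.ru; Mon, 1 Jan 2007 10:00:01 +0000"
    m["Received"] = f"from {first_hop} by mx1.example.ru; Mon, 1 Jan 2007 10:00:00 +0000"
    m["From"], m["To"] = "frank@example.com", "someone@example.ru"
    m.set_content("original body")
    return m

def wrap_in_ndr(orig: EmailMessage, reporter: str) -> EmailMessage:
    ndr = EmailMessage()
    ndr["From"], ndr["To"], ndr["Subject"] = reporter, "frank@example.com", "Undeliverable"
    ndr.set_content("Delivery to the recipient failed: user unknown")
    ndr.add_attachment(orig)   # the original rides along as a message/rfc822 part
    ndr.replace_header("Content-Type", "multipart/report; report-type=delivery-status")
    return ndr
```

Only "originated-locally" means the spam actually left the server; "backscatter" and "bounce-of-bounce" are the two shapes the forged-sender scenario takes, and the SMTP logs would show no matching outbound delivery for either.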