llarava
asked on
Exchange NDRs reports getting to the users mailboxes becasue spam
Scenario:
Exchange 2003 Ent (Cluster Active-Passive) Clients: Outlook 2003
Problem:
We have some users reporting that they have recevied NDRs letting them know that some of the messages they have sent our there have not being received.
This is cleary spam/email spoofing so that they can cause an DoS via NDR's. Also the NDR messages contains an HTML file attached that has a virus named by Symantec "JS.QsiFrame"
Here is what I think is going on
E-mail virus "X" is on Joe's computer. It harvests all of the e-mail addresses it can find (including yours). It picks one at random and "spoofs" that one as the sender address, thus ensuring Joe doesn't get suspicious seeing the spate of failure messages (because everybody has a bunch of "dead" addresses in their address book). You lucked out being picked as the spoofed address. You don't have a virus. Joe has a virus.
Questions:
1.) Does anyone know how can I get the number of NDR's that the Exchange server is sending out there? Any other suggestions on how to track this down?
2.) We are currently using Postini as the Enterprise Inbound Spam filter. Does anyone know how can we prevent this from happening again via Postini or any other methods (native to Exchange 2003 or Exchange 2007/2010)
Thank you
This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. {removed email address}
Exchange 2003 Ent (Cluster Active-Passive) Clients: Outlook 2003
Problem:
We have some users reporting that they have recevied NDRs letting them know that some of the messages they have sent our there have not being received.
This is cleary spam/email spoofing so that they can cause an DoS via NDR's. Also the NDR messages contains an HTML file attached that has a virus named by Symantec "JS.QsiFrame"
Here is what I think is going on
E-mail virus "X" is on Joe's computer. It harvests all of the e-mail addresses it can find (including yours). It picks one at random and "spoofs" that one as the sender address, thus ensuring Joe doesn't get suspicious seeing the spate of failure messages (because everybody has a bunch of "dead" addresses in their address book). You lucked out being picked as the spoofed address. You don't have a virus. Joe has a virus.
Questions:
1.) Does anyone know how can I get the number of NDR's that the Exchange server is sending out there? Any other suggestions on how to track this down?
2.) We are currently using Postini as the Enterprise Inbound Spam filter. Does anyone know how can we prevent this from happening again via Postini or any other methods (native to Exchange 2003 or Exchange 2007/2010)
Thank you
This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. {removed email address}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
One more question:
For the time being and just to stop this can I block at the edge level by subject line equals : "Delivery Status Notification (Failure)" This is what we get from this type of spam but I am not sure if that is a standard message for an NDR type.
For the time being and just to stop this can I block at the edge level by subject line equals : "Delivery Status Notification (Failure)" This is what we get from this type of spam but I am not sure if that is a standard message for an NDR type.
DSN = Delivery Status Notification. This is RFC standard so is to be expected.
ASKER
Can we try to search in some way for NRDs without having to forward them somewhere? Perhaps with the Message Tracking Center?