Exchange NDR reports getting to the users' mailboxes because of spam

llarava
Scenario:

Exchange 2003 Ent (Cluster Active-Passive) Clients: Outlook 2003

Problem:

We have some users reporting that they have received NDRs letting them know that some of the messages they have sent out there have not been received.

This is clearly spam/email spoofing so that they can cause a DoS via NDRs. Also, the NDR messages contain an HTML file attached that has a virus named by Symantec "JS.QsiFrame".

Here is what I think is going on:

E-mail virus "X" is on Joe's computer. It harvests all of the e-mail addresses it can find (including yours). It picks one at random and "spoofs" that one as the sender address, thus ensuring Joe doesn't get suspicious seeing the spate of failure messages (because everybody has a bunch of "dead" addresses in their address book). You lucked out being picked as the spoofed address. You don't have a virus. Joe has a virus.

Questions:

1.) Does anyone know how I can get the number of NDRs that the Exchange server is sending out there? Any other suggestions on how to track this down?

2.) We are currently using Postini as the Enterprise Inbound Spam filter. Does anyone know how we can prevent this from happening again via Postini or any other methods (native to Exchange 2003 or Exchange 2007/2010)?

Thank you
This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. {removed email address}


Hi
1. Go to ESM, SMTP virtual server properties, then the Messages tab. Put your email address in the box to get a copy of NDRs. Then you can see how many you're dealing with.
2. I'm not up to speed with Postini.
Barry Gill, Chief of Staff
Commented:
What Richclawson describes will only give you copies of NDRs sent by your Exchange server.

Many times these NDRs are sent by external servers. Your scenario, where a user gets infected and mail is sent out as addressbookentry@remotedomain, is correct and is a well-documented form of blowback spam/viral payload delivery.

Postini should be blocking these as inbounds for you. Do they not examine weblinks for viral payload?

I work at Mimecast and we are good at handling these because we handle both inbound mail AND outbound mail. It gives us a good perspective on the traffic your users are generating and makes it very easy to see if users are trying to send out spoofed messages. Also, because we handle the outbound delivery, we are able to block these to make sure that you do not propagate traffic like this.

Author

Commented:
Thanks both for your answers.

Can we try to search in some way for NDRs without having to forward them somewhere? Perhaps with the Message Tracking Center?

Author

Commented:
One more question:

For the time being, and just to stop this, can I block at the edge level by subject line equals "Delivery Status Notification (Failure)"? This is what we get from this type of spam, but I am not sure if that is a standard message for an NDR type.


Barry Gill, Chief of Staff

Commented:
DSN = Delivery Status Notification. This is an RFC standard, so it is to be expected.
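Because the subject line is standard, it cannot separate a real bounce from backscatter. The classifier below is an added example, not code from the thread or from Exchange: it checks the RFC 3464 structure of a bounce and whether the embedded original Message-ID is one we actually sent. The Message-ID set and the three sample messages are constructed; in practice the set would be fed from the outbound message tracking log.

```python
# Added example (not from the thread): tell a real RFC 3464 DSN from backscatter
# by its structure and by whether the bounced original is mail we actually sent.
# SENT_MESSAGE_IDS would come from the outbound message tracking log; here it and
# the three messages below are constructed samples.
from email import message_from_string

SENT_MESSAGE_IDS = {"<abc123@mail.example.com>"}
LEGIT_DSN = "\n".join([
    "Return-Path: <>", "Subject: Delivery Status Notification (Failure)",
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b"',
    "", "--b", "Content-Type: text/plain", "", "Delivery failed.",
    "--b", "Content-Type: message/delivery-status", "",
    "Reporting-MTA: dns; remote.example.net", "",
    "Final-Recipient: rfc822; nobody@remote.example.net", "Action: failed",
    "--b", "Content-Type: message/rfc822", "",
    "Message-ID: <abc123@mail.example.com>", "Subject: hello", "", "body",
    "--b--", ""])
# Bounce-shaped spam carrying an HTML file instead of a report, as in the question.
BACKSCATTER = "\n".join([
    "Return-Path: <>", "Subject: Delivery Status Notification (Failure)",
    'Content-Type: multipart/mixed; boundary="b"', "", "--b",
    "Content-Type: text/plain", "", "Delivery to the following recipients failed.",
    "--b", 'Content-Type: text/html; name="report.html"',
    'Content-Disposition: attachment; filename="report.html"', "",
    "<html>not a report</html>", "--b--", ""])
# Well-formed DSN from an honest remote MTA that bounced spam forged with our
# sender address: the embedded original is not something we sent.
SPOOFED_DSN = LEGIT_DSN.replace("<abc123@mail.example.com>", "<zzz@botnet.invalid>")

def original_message_id(report):
    """Message-ID of the bounced original, taken from the message/rfc822 part."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).get("Message-ID")
    return None

def classify_bounce(raw, sent_ids):
    msg = message_from_string(raw)
    if msg.get("Return-Path", "").strip() != "<>":
        return "not-a-bounce"  # DSNs are sent with the null envelope sender
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return "backscatter: bounce-shaped but not an RFC 3464 report"
    if original_message_id(msg) in sent_ids:
        return "legitimate-dsn"
    return "backscatter: bounces mail we never sent"

def classify_samples():
    samples = {"legit": LEGIT_DSN, "html": BACKSCATTER, "spoofed": SPOOFED_DSN}
    return {name: classify_bounce(raw, SENT_MESSAGE_IDS) for name, raw in samples.items()}
```

The third case is the one Barry Gill describes: a correctly formed DSN from a remote server that is itself behaving properly, which only the Message-ID check can flag.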
