llarava asked:
Exchange 2003 NDR email question

Hi,

SCENARIO: Exchange 2003 Ent servers - Outlook 2003 clients

PROBLEM:

We are being bombarded with incoming NDRs from external domains due to spam.

The NDR email has the following format:

subject:
Delivery Status Notification (Failure)

Body:

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

      satellites4201@rivercoursegolf.com

Final-Recipient: rfc698;satellites4201@rivercoursegolf.com
Action: failed
Status: 6.7.2

QUESTIONS:

1.) I was wondering if, for the time being, I can block the inbound emails that contain the following subject line:

Delivery Status Notification (Failure)

Or is that a pretty common NDR subject?

I have tried to email non-existent users/domains and I got the following message in the subject:

Undeliverable: test

2.) If we get an NDR, wouldn't we be getting NDRs from our internal SMTP server? Or are the external servers the ones that will send the NDR?
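The report quoted in the question is a standard multipart/report message: a human-readable part, a message/delivery-status part with Final-Recipient, Action and Status fields, and the bounced original attached as message/rfc822. Rather than matching the subject line, a filter can look at the attached original and ask whether it ever passed through the organisation's own relays; if it did not, the bounce is backscatter for a message someone else spoofed. The following is an added example written for this thread, not code from the original post, Postini or Exchange; the relay hostnames and the sample report are constructed, and the check is a heuristic because Received headers can themselves be forged.

```python
"""Added example: separate genuine bounces from backscatter NDRs."""
import email
import re
from email import policy

# Constructed hostnames: mail that really left the organisation carries a
# Received header added by one of these relays (a hypothetical edge filter
# and the internal Exchange server).
OUR_RELAYS = {"edge.example.com", "exchange.example.com"}

# Captures the "by <host>" clause of a Received header.
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_dsn(raw: bytes) -> dict:
    """Return the RFC 3464 per-recipient fields and the attached original."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": msg["Subject"], "recipients": [], "original": None}
    if msg.get_content_type() != "multipart/report":
        return result
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The stdlib parser turns each blank-line-separated header block
            # into its own message; per-recipient blocks carry Final-Recipient.
            for block in part.get_payload():
                if block["Final-Recipient"]:
                    result["recipients"].append({
                        "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "action": (block["Action"] or "").strip(),
                        "status": (block["Status"] or "").strip(),
                    })
        elif ctype == "message/rfc822":
            result["original"] = part.get_payload(0)
    return result


def classify_dsn(raw: bytes) -> str:
    """'genuine' if the bounced original was relayed by us, 'backscatter'
    if it never was, 'not-a-dsn' for messages that are not delivery reports."""
    dsn = parse_dsn(raw)
    if not dsn["recipients"]:
        return "not-a-dsn"
    original = dsn["original"]
    if original is None:
        # Nothing to verify against: a report with no original is suspect.
        return "backscatter"
    hops = {
        m.group(1).lower()
        for hdr in original.get_all("Received", [])
        for m in BY_HOST.finditer(str(hdr))
    }
    # Heuristic: relies on the spammer not knowing and forging our relay names.
    return "genuine" if hops & OUR_RELAYS else "backscatter"


# Constructed sample in the shape quoted in the question; only the Received
# headers of the attached original differ between the two cases below.
DSN_TEMPLATE = """\
From: postmaster@rivercoursegolf.com
To: sales@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns;mx.rivercoursegolf.com

Final-Recipient: rfc822;satellites4201@rivercoursegolf.com
Action: failed
Status: 5.1.1

--dsn
Content-Type: message/rfc822

{received}
From: sales@example.com
To: satellites4201@rivercoursegolf.com
Subject: hello

(original body)
--dsn--
"""

# Original really sent by us: our relays appear in the "by" clauses.
GENUINE_RECEIVED = """\
Received: from edge.example.com (edge.example.com [192.0.2.10])
    by mx.rivercoursegolf.com with ESMTP; Tue, 3 Nov 2009 10:00:02 +0000
Received: from exchange.example.com (10.0.0.5)
    by edge.example.com with ESMTP; Tue, 3 Nov 2009 10:00:01 +0000"""

# Original injected by an infected third-party host that spoofed our address.
BACKSCATTER_RECEIVED = """\
Received: from zombie-pc (unknown [203.0.113.7])
    by mx.rivercoursegolf.com with SMTP; Tue, 3 Nov 2009 10:00:00 +0000"""


def build_sample_dsn(received: str) -> bytes:
    """Assemble a constructed DSN around the given Received headers."""
    return DSN_TEMPLATE.format(received=received).encode()
```

Running `classify_dsn(build_sample_dsn(BACKSCATTER_RECEIVED))` yields `backscatter` while the genuine sample yields `genuine`, so a rule built on this can quarantine backscatter while still delivering the bounces the sales team relies on. Subject-based rules cannot make that distinction, since the same subject appears on both.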
Alan Hardisty:

It is NDR spam, pure and simple.
Try a 30-day trial of Vamsoft ORF - www.vamsoft.com - it should eliminate the problem very quickly for you and if you decide to keep it after the 30 days, it will only cost you $239.
Brilliant software, small footprint (4Mb) and darn good at killing spam.
llarava (asker):

We are currently using Postini and they are working on a fix, but meanwhile I just wanted to stop this. For the time being, can we just block inbound email based on the following subject line, "Delivery Status Notification (Failure)", which seems to be something this type of NDR spam uses?

I am afraid that this subject line could be a standard message however I haven't been able to find any documents that refer to it as something standard that the system will use to reply back in case of an NDR.

 
HI, first of all you should check that you are not sending SPAM anymore, since if you received NDRs from other servers it means that you were sending SPAM.

NDRs from external servers can be deleted using Outlook rules (try with the sender addresses or terms in the subject, such as Undeliverable).

NDRs from your Exchange can be disabled (that's what I did in mine), because you have two NDR options that can be annoying: one when Exchange tries to send emails to fake domains, and the other one can occur when you receive fake addresses with your domain, for example pepe@yourdomain.com.
llarava (asker):

Here is what is going on in our side:

E-mail virus "X" is on Joe's computer. It harvests all of the e-mail addresses it can find (including yours *CBecker*). It picks one at random and "spoofs" that one as the sender address, thus ensuring Joe doesn't get suspicious seeing the spate of failure messages (because everybody sometimes has a bunch of "dead" addresses in the address book). You lucked out being picked as the spoofed address. You don't have a virus. Joe's computer has a virus. Nothing I can do on my end; we haven't received any suspicious alerts from our AV, and we do virus/spam scanning on computers.

We are getting NDRs from external mail servers like:

postmaster@rouse.com
postmaster@rivercoursegolf.com

How do you disable the NDRs on Exchange 2003? Also if you disable the NDRs how are your users going to know that they have to send the message again or that the message is not delivered? That will kill business at least in my company.

We are blocking at the Edge level with Postini by subject line but do you happen to know if the subject line "Delivery Status Notification (Failure)" is a standard NDR message? I think it has been made up by this type of spam so we may have a chance to filter the inbound mail that has this as part of the subject line while we get a final fix from Postini.

Thank you.

llarava (asker):

I have been only able to find how to disable just a type of NDR:

From Exchange System Manager, Global Settings, Internet Message Format. Double click on your right. Advanced tab. Uncheck "Allow non-delivery reports".

You mentioned there are two. Can we disable just the NDR that come from external servers?

You should not be blocking NDR messages as that can get you into trouble by you getting blacklisted.
You are receiving the NDR messages because someone is spoofing your email addresses claiming to come from your domain and when they get rejected, you get the NDR messages.
Have you got SPF setup on your domain?
http://www.mxtoolbox.com/spf.aspx
If not, set up a record and then any servers checking against your domain for received mail will know the message is spam and reject it as such, which should cut down on your NDRs.
Visit http://old.openspf.org/wizard.html to setup an SPF record.
Sorry, but you can delete the incoming NDRs and you won't have any blacklisting problem. If you set up your Exchange to not send NDRs, you will fix the two situations I mentioned: the one when you send emails to fake domains, and the other when spam servers send mail to your domain with fake addresses (your server will send lots of NDRs, and then will have spam behaviour, and you could be included in blacklist servers).
llarava (asker):

The SPF, RBL, etc. are done via Postini; they also have a system to rate spam, etc. There is no way to prevent this since SMTP can be spoofed easily, especially in a case like the one we are having right now.

Someone is sending spoofed emails and then we get NDRs from external domains with an attachment that contains an infection.
llarava (asker):

I can't delete NDRs since the sales people will not know if their emails have been received, etc.

I am just trying to determine if I can filter incoming NDRs by the message "Delivery Status Notification (Failure)".

@biaxis - Please read Sembee's comment in the following EE question. Sembee (AKA Mestha) is an Exchange MVP and knows what he is talking about when it comes to Exchange.
https://www.experts-exchange.com/questions/22089273/Spam-mail-as-NDRs-Non-Delivery-Reports.html
DO NOT BLOCK NDR MESSAGES - YOU WILL GET BLACKLISTED.
Are the messages arriving from Postini or directly?
Does your Exchange server accept traffic from anyone other than Postini?
llarava (asker):

The messages are being filtered by Postini since it is really valid traffic coming from a reliable source. The Exchange server only accepts email from Postini.
ASKER CERTIFIED SOLUTION (Alan Hardisty):

This solution is only available to members.
llarava (asker):

This is what I have said before "We are currently using Postini and they are working on fix but meanwhile..."

The fix has been released; they just got back to me.

If you don't mind, please let's have the price discussion offline. What is your email address?

Thank you.

If you click on my name in any post, you will find my email address.