
Exchange 2003 NDR email question

llarava asked:
Hi,

SCENARIO: Exchange 2003 Ent servers - Outlook 2003 clients

PROBLEM:

We are being bombarded with incoming NDRs from external domains due to spam.

The NDR email has the following format:

subject:
Delivery Status Notification (Failure)

Body:

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

      satellites4201@rivercoursegolf.com

Final-Recipient: rfc698;satellites4201@rivercoursegolf.com
Action: failed
Status: 6.7.2

QUESTIONS:

1.) I was wondering if, for the time being, I can block the inbound emails that contain the following subject line:

Delivery Status Notification (Failure)

Or is that a pretty common NDR subject?

I have tried emailing non-existent users/domains and I got the following message in the subject:

Undeliverable: test

2.) If we get an NDR, wouldn't we be getting NDRs from our internal SMTP server? Or are the external servers the ones that will send the NDR?
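Added example (not part of this thread, and not Postini or Exchange code): the DSN quoted in the question is a standard RFC 3464 multipart/report, but the subject line is just one MTA's wording, so a filter keyed on "Delivery Status Notification (Failure)" will miss other MTAs and also drop real bounces that happen to use it. A more reliable test is to look at the original message the bouncing server attaches and ask whether it ever left your relay. The script below parses a DSN shaped like the one in the question with Python's standard `email` package and classifies it as a genuine bounce or backscatter. The relay hostname `mail.example.com`, the set of sent Message-IDs and the sample messages are constructed values for the example.

```python
"""Classify inbound non-delivery reports (DSNs) as genuine bounces or backscatter.

Added example, not from the thread. It relies on the RFC 3464 structure
(multipart/report with a message/delivery-status part and the original message
attached), not on the subject line.
Assumptions (constructed values): our relay writes 'by mail.example.com' into
Received headers, and we keep a set of Message-IDs we actually sent.
"""
import email
from email import policy

OUR_RELAY = "mail.example.com"                  # assumption: hostname in our outbound Received: line
SENT_MESSAGE_IDS = {"<real-123@example.com>"}   # assumption: taken from our outbound message log


def build_dsn(received_line: str, message_id: str) -> bytes:
    """Build a constructed DSN modelled on the one quoted in the question."""
    return (
        "From: postmaster@rivercoursegolf.com\r\n"
        "To: someone@example.com\r\n"
        "Subject: Delivery Status Notification (Failure)\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\n"
        "Delivery to the following recipients failed.\r\n\r\n"
        "      satellites4201@rivercoursegolf.com\r\n"
        "\r\n--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
        "Reporting-MTA: dns;mx.rivercoursegolf.com\r\n\r\n"
        "Final-Recipient: rfc822;satellites4201@rivercoursegolf.com\r\n"
        "Action: failed\r\nStatus: 5.1.1\r\n"
        "\r\n--b1\r\nContent-Type: message/rfc822\r\n\r\n"
        f"Received: {received_line}\r\n"
        f"Message-ID: {message_id}\r\n"
        "From: someone@example.com\r\n"
        "To: satellites4201@rivercoursegolf.com\r\n"
        "Subject: hello\r\n\r\nbody\r\n"
        "\r\n--b1--\r\n"
    ).encode()


def parse_dsn(raw: bytes) -> dict:
    """Return the per-recipient status fields and the attached original message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "recipients": [], "original": None}
    if msg.get_content_type() != "multipart/report":
        return report                       # not a standards-shaped DSN at all
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The email package splits this part into one header block per
            # paragraph: per-message fields first, then one block per recipient.
            for block in part.get_payload():
                if block.get("Action") is None:
                    continue                # per-message block, carries no recipient info
                report["recipients"].append({
                    "final_recipient": str(block.get("Final-Recipient", "")).split(";", 1)[-1].strip(),
                    "action": str(block.get("Action", "")).strip().lower(),
                    "status": str(block.get("Status", "")).strip(),
                })
        elif ctype == "message/rfc822":
            report["original"] = part.get_payload(0)   # the "forwarded message" from the NDR body
    return report


def classify(raw: bytes) -> str:
    """'genuine' if the bounced message demonstrably left our relay, else 'backscatter'."""
    report = parse_dsn(raw)
    original = report["original"]
    if original is None:
        return "backscatter"                # nothing ties the bounce to a message we sent
    msgid = str(original.get("Message-ID", "")).strip()
    if msgid in SENT_MESSAGE_IDS:
        return "genuine"                    # strongest evidence: our outbound log has this Message-ID
    # Weaker evidence: our own relay appears as a 'by' host in the original's Received chain.
    for hop in original.get_all("Received", []):
        if f"by {OUR_RELAY}" in str(hop):
            return "genuine"
    return "backscatter"


if __name__ == "__main__":
    spam = build_dsn("from spambot.invalid (unknown [198.51.100.7]) by mx.rivercoursegolf.com with SMTP",
                     "<forged-1@example.com>")
    real = build_dsn("from laptop (10.0.0.5) by mail.example.com with ESMTP", "<real-123@example.com>")
    print(parse_dsn(spam)["recipients"], classify(spam), classify(real))
```

The Action and Status fields answer the "is this a real failure" part of the question; the Message-ID and Received checks answer "is this a failure of something we sent". Genuine bounces (a salesperson mistyping an address) keep flowing to the user, while backscatter from spoofed mail can be quarantined without touching the subject line at all.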
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
It is NDR spam, pure and simple.
Try a 30-day trial of Vamsoft ORF - www.vamsoft.com - it should eliminate the problem very quickly for you and if you decide to keep it after the 30 days, it will only cost you $239.
Brilliant software, small footprint (4Mb) and darn good at killing spam.

Author

Commented:
We are currently using Postini and they are working on a fix, but meanwhile I just wanted to stop this. For the time being, can we just block inbound email based on the following subject line, "Delivery Status Notification (Failure)", which seems to be identified as something this type of NDR spam uses?

I am afraid that this subject line could be a standard message; however, I haven't been able to find any documents that refer to it as something standard that the system will use to reply back in case of an NDR.


Commented:
Hi, first of all you should check that you are not sending SPAM anymore, since if you received NDRs from other servers it means that you were sending SPAM.

NDRs from external servers can be deleted using Outlook rules (try with the sender addresses or terms in the subject, such as Undeliverable).

NDRs from your Exchange can be disabled (that's what I did in mine), because you have two NDR options that can be annoying: one when Exchange tries to send emails to fake domains, and the other one can occur when you receive fake addresses with your domain, for example pepe@yourdomain.com

Author

Commented:
Here is what is going on in our side:

-mail virus "X" is on Joe's computer. It harvests all of the e-mail addresses it can find (including yours *CBecker*). It picks one at random and "spoofs" that one as the sender address, thus ensuring Joe doesn't get suspicious seeing the spate of failure messages (because everybody sometimes has a bunch of "dead" addresses in the address book). You lucked out being picked as the spoofed address. You don't have a virus. Joe's computer has a virus. Nothing I can do on my end; we haven't received any suspicious alerts from our AV and we do virus/spam on computers.

We are getting NDRs from external mail servers like:

postmaster@rouse.com
postmaster@rivercoursegolf.com
postmaster@rivercoursegolf.com

How do you disable the NDRs on Exchange 2003? Also, if you disable the NDRs, how are your users going to know that they have to send the message again or that the message is not delivered? That will kill business, at least in my company.

We are blocking at the Edge level with Postini by subject line but do you happen to know if the subject line "Delivery Status Notification (Failure)" is a standard NDR message? I think it has been made up by this type of spam so we may have a chance to filter the inbound mail that has this as part of the subject line while we get a final fix from Postini.

Thank you.


Author

Commented:
I have only been able to find how to disable one type of NDR:

From Exchange System Manager, Global Settings, Internet Message Format. Double click on your right. Advanced tab. Uncheck Allow non-delivery reports.

You mentioned there are two. Can we disable just the NDRs that come from external servers?

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You should not be blocking NDR messages, as that can get you into trouble by getting you blacklisted.
You are receiving the NDR messages because someone is spoofing your email addresses claiming to come from your domain and when they get rejected, you get the NDR messages.
Have you got SPF setup on your domain?
http://www.mxtoolbox.com/spf.aspx
If not, set up a record, and then any servers checking against your domain for received mail will know the message is spam and reject it as such, which should cut down on your NDRs.
Visit http://old.openspf.org/wizard.html to set up an SPF record.
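Added example (not part of this thread, not the SPF wizard linked above and not Exchange code): this is what a receiving server does with the SPF record Alan is recommending. When the connecting IP is not one the domain authorises, an SPF-checking receiver rejects the spoofed message during the SMTP session instead of accepting it and bouncing it later, which is exactly the accept-then-bounce behaviour that produces backscatter. The evaluator below is deliberately limited: it handles only the `ip4:`, `ip6:` and `all` mechanisms with the `+`, `-`, `~` and `?` qualifiers, and reports `include:`, `a`, `mx` and the other DNS-dependent terms as unsupported rather than pretending to resolve them. The record and IP addresses are constructed.

```python
"""Evaluate a simplified SPF record for a connecting IP (RFC 7208 subset).

Added example, not from the thread. Only ip4:, ip6: and all are evaluated, with
the four standard qualifiers; mechanisms that need DNS lookups (include:, a, mx,
exists:, redirect=) are reported as 'unsupported'. Record and IPs are constructed.
"""
import ipaddress

# Constructed record: only our relay 192.0.2.10 and the 198.51.100.0/24 range may send for the domain.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/unsupported for sender_ip under record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mechanism = "+", term    # a bare mechanism means '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        name, _, argument = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]    # 'all' always matches; usually the last term
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)   # bare address becomes /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                        # no match, try the next mechanism
        return "unsupported"                # include:, a, mx, exists:, redirect= need DNS
    return "neutral"                        # no mechanism matched and no 'all' term


def should_reject(record: str, sender_ip: str) -> bool:
    """Receiver policy for the example: reject at SMTP time only on a hard 'fail'."""
    return evaluate_spf(record, sender_ip) == "fail"


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(candidate, evaluate_spf(EXAMPLE_RECORD, candidate), should_reject(EXAMPLE_RECORD, candidate))
```

The `-all` at the end is what matters for backscatter: with `~all` (softfail) most receivers still accept the message and some of them bounce it, so spoofed mail keeps generating NDRs back to the spoofed domain. Note that SPF only protects you when the bouncing server actually checks it; many of the postmasters named in this thread may not.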

Commented:
Sorry, but you can delete the incoming NDRs and you won't have any blacklist problem. If you set up your Exchange to not send NDRs, you will fix the two situations I mentioned: the one when you send emails to fake domains, and the other when SPAM servers send mails to your domain with fake addresses (your server will send lots of NDRs, and then will have a SPAM behaviour, and you could be included in blacklist servers).

Author

Commented:
The SPF and RBL etc. is done via Postini; they also have a system to rate spam etc. There is no way to prevent this since SMTP can be spoofed easily, especially in a case like the one we are having right now.

Someone is sending spoofed emails and then we get NDRs from external domains with an attachment that contains an infection.

Author

Commented:
I can't delete NDRs since the sales people will not know if their emails have been received, etc.

I am just trying to determine if I can filter incoming NDRs by the message "Delivery Status Notification (Failure)".

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
@biaxis - Please read Sembee's comment in the following EE question. Sembee (AKA Mestha) is an Exchange MVP and knows what he is talking about when it comes to Exchange.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22089273.html
DO NOT BLOCK NDR MESSAGES - YOU WILL GET BLACKLISTED.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Are the messages arriving from Postini or directly?
Does your Exchange server accept traffic from anyone other than Postini?

Author

Commented:
The messages are being filtered by Postini since it is really valid traffic coming from a reliable source. The Exchange server only accepts email from Postini.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - so Postini is passing on NDR spam to you!
Time to ditch Postini and look at an alternative if you ask me.
How much is Postini costing you a year to use if you don't mind me asking?

Author

Commented:
This is what I have said before "We are currently using Postini and they are working on fix but meanwhile..."

The fix has been released they just got back to me.

If you don't mind, please let's have the price discussion offline. What is your email address?

Thank you.

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
If you click on my name in any post - you will find my email address.