Solved

Exchange 2003 Reverse NDR attack - recipient filtering does not work.

Posted on 2010-08-26
Last Modified: 2013-11-30
We have suffered a reverse NDR attack and I have turned on recipient filtering in Exchange 2003 SP2, both at the Message Delivery settings and on the Virtual SMTP server. However, the attack continues because bad mail is still being received and NDRs are still being generated and sent out. Does anyone know why this might be and what I can do to stop the generation of NDRs?
Question by: plokij5006

27 Comments

Expert Comment

by:Tony1044
ID: 33533733
It's been a while since I looked at ESM, but I think you can prevent NDRs being sent to the internet here:

Global Settings > Internet Message Formats > Properties of Default > Advanced tab

Expert Comment

by:Alan Hardisty
ID: 33533810
Recipient filtering has to be enabled in two places.  Please check through the following article for full details of both places:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Alternatively, download a trial of Vamsoft ORF - www.vamsoft.com (anti-Spam software).  It is small, powerful, brilliant at getting rid of spam and will deal with your NDR issues immediately.

Expert Comment

by:Tony1044
ID: 33533854
Or use mailcleaner - www.mailcleaner.org

Free, open source and will run like a charm virtualised. I've used it in many places and it's a dream to setup and maintain. And it integrates seamlessly with AD via LDAP.

Expert Comment

by:Nathan-B2B
ID: 33538399
Check your filtering options - http://www.amset.info/exchange/filter-unknown.asp

Author Comment

by:plokij5006
ID: 33541824
Just to reiterate what I said in my question, I have turned on recipient filtering in both the places required - in Message Delivery options and on the virtual SMTP server, all as per Microsoft's instructions in the following:-

http://support.microsoft.com/kb/909005

This should mean that NDRs are not generated on the Exchange server because the emails are filtered out before they get to the IS. The NDRs in this configuration should be generated on the sending server instead, job done. Problem is, it doesn't work. If I send a mail to dfhbasjfvb@domain.com, it comes into Exchange, I can find it in Message Tracking and an NDR is generated on the Exchange server and sent back to the sender, or in this case, not the sender but the recipient of the spam, because we are suffering from a reverse NDR attack.

Expert Comment

by:Alan Hardisty
ID: 33541920
Sorry - it pays to read : |
What Service Pack have you got installed on the Exchange server?  SP2 is the latest.
Do you have any Anti-Spam software installed on the server?
Are you listed on Backscatterer.org (www.mxtoolbox.com/blacklists.aspx)?  If you are not - then it is highly unlikely that you are still sending NDRs to spammers.  There may be another issue afoot.
For the time being - if you don't have any anti-spam software installed, download a 30-day trial of Vamsoft ORF - www.vamsoft.com and install / configure it - it will deal with your problem without breaking sweat.

Expert Comment

by:Tony1044
ID: 33541974
Umm...can I just clarify something here. Are these NDRs being sent to your server rather than being sent from your server?

What I mean here is - is someone spoofing your email address (the FQDN of which is correct, of course) and then you end up getting the NDRs into your mail server?

Expert Comment

by:Alan Hardisty
ID: 33542005
Check your Queues and see if any mail sitting there is being sent from Postmaster.  If it is - you are sending NDRs out.  If not, or there are no queues full of mail, you are probably suffering from NDR spam as Tony1044 is suggesting and as I was thinking in my last post.

Author Comment

by:plokij5006
ID: 33542610
We are running Exchange 2003 SP2. We are not listed on any blacklists. I am not sure we would necessarily be because why would someone complain about spam mail when it looks to them like someone is spoofing their email address. i.e. their sender address (to them looks like it) is being spoofed to send an email to a non existing user on our server. They then get the NDR.

Yes, Exchange outgoing queue is full of NDRs generated on our Exchange server.

No we don't have any anti-spam software on the server. Regular spam is an issue but not too bad although it annoys the users.

One thing I have noticed is that there are not as many as I have seen with Reverse NDR attacks on other servers, hundreds per day outgoing instead of the thousands you would expect. Also, a lot of the NDRs are going out to non-existent users themselves, i.e. NDR to hgssshgd@someotherdomain.com. (Is there such a thing as a Reverse reverse NDR?)

Regardless of all this the issue remains the same, Exchange recipient filtering is not working. You send an email to dgjhfgryufgu@domain.com and you get an NDR generated on our server. You also get a delivery receipt before this happens saying mail successfully relayed because it is getting through the filter.
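
The check the author describes above (send to a made-up address and see whether the Exchange server itself generates the NDR) can be done at the SMTP boundary without ever queuing a message: read the reply to RCPT TO. The script below is an added example written for this thread, not code from the original post or from Microsoft. A server whose recipient filtering is in the SMTP path answers RCPT TO for a nonexistent mailbox with a 5xx (typically 550 5.1.1) and the sending MTA owns the failure; a server that answers 250 has accepted the message and will produce the NDR later, which is exactly the backscatter being discussed. The embedded fake SMTP server, its mailbox list and the example addresses are constructed so the script runs offline; `probe_recipient` works unchanged against a real host.

```python
import smtplib
import socketserver
import threading

# Mailboxes the fake server treats as existing (constructed for the example).
KNOWN_RECIPIENTS = {"alice@example.com", "postmaster@example.com"}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough of the SMTP dialogue for a MAIL FROM / RCPT TO probe."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 fake.example.com ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 fake.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                # "TO:<user@domain>" -> "user@domain"
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                if self.server.filter_recipients and addr not in KNOWN_RECIPIENTS:
                    # Filtering on: refuse the unknown mailbox before any data is
                    # taken, so no NDR ever has to leave this server.
                    self.reply("550 5.1.1 User unknown")
                else:
                    # Filtering off: accept everything; a nonexistent mailbox is only
                    # discovered after queuing, and an NDR goes out (backscatter).
                    self.reply("250 2.1.5 Recipient OK")
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, filter_recipients):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.filter_recipients = filter_recipients


def start_server(filter_recipients):
    """Run the fake server on a random loopback port in a background thread."""
    srv = FakeSMTPServer(filter_recipients)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_recipient(host, port, sender, recipient):
    """Return (code, text) the server gives to RCPT TO for `recipient`.

    Only MAIL FROM and RCPT TO are sent, followed by RSET and QUIT, so the
    probe never hands over a message and cannot itself trigger an NDR.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example.net", timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {text!r}")
        code, text = smtp.rcpt(recipient)
        smtp.rset()
    return code, text.decode("ascii", "replace")


def classify(code):
    """Interpret the RCPT TO reply for a recipient known not to exist."""
    if 500 <= code < 600:
        return "rejected"      # filtered at the SMTP boundary; the sender sees the error
    if 200 <= code < 300:
        return "accepted"      # queued for a nonexistent mailbox; an NDR will follow
    return "inconclusive"      # 4xx (greylisting or similar); retry later


def demo(filter_recipients, recipient, sender="probe@example.net"):
    """Start the fake server in one mode, probe once, tear it down."""
    srv = start_server(filter_recipients)
    try:
        host, port = srv.server_address
        code, _ = probe_recipient(host, port, sender, recipient)
    finally:
        srv.shutdown()
        srv.server_close()
    return code, classify(code)


if __name__ == "__main__":
    bogus = "dfhbasjfvb@example.com"
    print("filtering on :", demo(True, bogus))    # (550, 'rejected')
    print("filtering off:", demo(False, bogus))   # (250, 'accepted')
```

Against a real server, call `probe_recipient("mail.example.com", 25, "probe@example.net", "dfhbasjfvb@example.com")` from an outside host (the server name and addresses here are placeholders), using an address you know has no mailbox. A 5xx at RCPT TO means the filter is in the SMTP path; a 250 means the server takes the message and generates the NDR itself, which is what the Message Tracking result above shows. If inbound mail arrives through an upstream filtering relay, probe the relay as well, since a relay that accepts unknown recipients and then gets a 550 from Exchange will produce the NDR on Exchange's behalf.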

Expert Comment

by:Alan Hardisty
ID: 33542722
If you are sending out NDRs to spammers, you would quickly pop up on the Backscatterer.org Blacklists site, so this suggests you are not sending NDRs.
Who is the sender of the NDR messages in your queues?  Postmaster?
I appreciate that you may be not filtering recipients properly.  When you enabled the Recipient Filtering, did you restart the Simple Mail Transfer Protocol Service (or the server)?

Expert Comment

by:Tony1044
ID: 33542777
Alan beat me to it: I was just about to ask if you had restarted the default SMTP server, too :)

Expert Comment

by:Alan Hardisty
ID: 33542859
: )

Author Comment

by:plokij5006
ID: 33543555
I have restarted the SMTP service as well as the Virtual SMTP server several times. The server has not been rebooted as we need it up. This would be possible but I need to schedule it in.

All NDRs going out are from Postmaster@.

Expert Comment

by:Alan Hardisty
ID: 33543581
Well the SMTP service should nail it.
Can you re-apply Exchange SP2 please if a server reboot makes no difference.
Thanks
Alan

Author Comment

by:plokij5006
ID: 33557114
I will need to get a window of time that it is good to do this. I will speak to the customer and let you know when this is done. Thanks.

Accepted Solution

by: plokij5006
ID: 33673193
Sorry for the delay in responding. We tried a reboot of the server but this did not solve the problem. We cleared out all the NDR spam by renaming the Queue folder and creating a new one. The last remaining messages were binned at this point. We then manually turned off the Send NDRs option and this solved the problem. I do not see any mention of having to do this from Microsoft, I understood that the turning on of recipient filtering would do the same thing but it does not.

Expert Comment

by:Alan Hardisty
ID: 33673436
It sounds like your recipient filtering is not working at all!  Not seen that before.
Have you considered using Anti-Spam software?  Vamsoft is well priced at $239 per server, easy to use, simple to configure and will deal with all the spam you can throw at it.
90% of mail hitting my server gets rejected by Vamsoft.

Expert Comment

by:Tony1044
ID: 33673572
Or mailcleaner which I also mentioned in an earlier post, and is free.

To give you some idea of how good this is, I installed it for a company that would receive an average of 7,000 emails every 24 hours.

Of these, around 3,500 would be Spam and between 10 and 20 would be malware of some kind.

Once I implemented Mailcleaner, their spam occurrences dropped to around half a dozen a week.

It doesn't need to be installed on Exchange but on a standalone machine - as mentioned before, being Linux based it'll run a treat virtualised.

It integrates nicely with LDAP.

At midnight, each user will get a report of spam and they can manually free up anything that shouldn't have been caught from within the message.

They can also add their own white/grey lists.

Oh and did I mention it's free? :)

Expert Comment

by:Tony1044
ID: 33673580
To clarify - I mean that the spam getting through is about half a dozen emails a week.

Oh and it has AntiVirus built into it too.

Author Comment

by:plokij5006
ID: 33673736
Thanks for the advice but we generally use an off-site spam filter server running Spam Assassin.

Expert Comment

by:Alan Hardisty
ID: 33674091
I don't suppose you used to have Microsoft Hosted Messaging and Collaboration installed on your server did you?

http://support.microsoft.com/kb/921101

Expert Comment

by:Tony1044
ID: 33674109
Dammit he beat me to it again :/ lol

Author Comment

by:plokij5006
ID: 33791858
No, we have not had that installed previously. Looks like we may never get to the bottom of it?

Expert Comment

by:Alan Hardisty
ID: 33792646
If you use an off-site filtering service, have you restricted SMTP access to just your external filtering company's IP addresses on your SMTP Virtual Server?

If you are still allowing the world and his dog into your server via SMTP, you will have problems.

Talk to your filtering company, find out their sending IP addresses and then lock down your SMTP virtual server to just those IPs.

Expert Comment

by:Tony1044
ID: 33796514
I'd just ask your third party to block inbound NDRs if they can.

Yes your staff will not receive genuine ones but that sounds less of an issue than being spammed with them.

Author Comment

by:plokij5006
ID: 33914684
I did not get to the bottom of this, thanks for all your help but I can't accept any postings as a solution.

Author Closing Comment

by:plokij5006
ID: 34399092
Closest thing to an answer was suggested by myself.