plokij5006 asked:

Exchange 2003 Reverse NDR attack - recipient filtering does not work.

We have suffered a reverse NDR attack and I have turned on recipient filtering in Exchange 2003 SP2, both at the Message Delivery settings and on the Virtual SMTP server. However, the attack continues because bad mail is still being received and NDRs are still being generated and sent out. Does anyone know why this might be and what I can do to stop the generation of NDRs?
Tony J:

It's been a while since I looked at ESM, but I think you can prevent NDRs being sent to the internet here:

Global Settings > Internet Message Formats > Properties of Default > Advanced tab
Recipient filtering has to be enabled in two places.  Please check through the following article for full details of both places:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Alternatively, download a trial of Vamsoft ORF - www.vamsoft.com (anti-Spam software).  It is small, powerful, brilliant at getting rid of spam and will deal with your NDR issues immediately.
Or use mailcleaner - www.mailcleaner.org 

Free, open source and will run like a charm virtualised. I've used it in many places and it's a dream to setup and maintain. And it integrates seamlessly with AD via LDAP.
Nathan-B2B:

Check your filtering options - http://www.amset.info/exchange/filter-unknown.asp
plokij5006 (asker):

Just to reiterate what I said in my question, I have turned on recipient filtering in both the places required - in Message Delivery options and on the virtual SMTP server, all as per Microsoft's instructions in the following:

http://support.microsoft.com/kb/909005 

This should mean that NDRs are not generated on the Exchange server because the emails are filtered out before they get to the IS. The NDRs in this configuration should be generated on the sending server instead, job done. Problem is, it doesn't work. If I send a mail to dfhbasjfvb@domain.com, it comes into Exchange, I can find it in Message Tracking and an NDR is generated on the Exchange server and sent back to the sender, or in this case, not the sender but the recipient of the spam, because we are suffering from a reverse NDR attack.
Sorry - it pays to read : |
What Service Pack have you got installed on the Exchange server? SP2 is the latest.
Do you have any Anti-Spam software installed on the server?
Are you listed on Backscatterer.org (www.mxtoolbox.com/blacklists.aspx)? If you are not - then it is highly unlikely that you are still sending NDRs to spammers. There may be another issue afoot.
For the time being - if you don't have any anti-spam software installed, download a 30-day trial of Vamsoft ORF - www.vamsoft.com and install / configure it - it will deal with your problem without breaking sweat.
Umm...can I just clarify something here. Are these NDRs being sent to your server rather than being sent from your server?

What I mean here is - is someone spoofing your email address (the FQDN of which is correct, of course) and then you end up getting the NDRs into your mail server?
Check your Queues and see if any mail sitting there is being sent from Postmaster. If it is - you are sending NDRs out. If not or there are no queues full of mail, you are probably suffering from NDR spam as Tony1044 is suggesting and as I was thinking in my last post.
We are running Exchange 2003 SP2. We are not listed on any blacklists. I am not sure we would necessarily be because why would someone complain about spam mail when it looks to them like someone is spoofing their email address, i.e. their sender address (to them it looks like it) is being spoofed to send an email to a non-existent user on our server. They then get the NDR.

Yes, Exchange outgoing queue is full of NDRs generated on our Exchange server.

No we don't have any anti-spam software on the server. Regular spam is an issue but not too bad although it annoys the users.

One thing I have noticed is that there are not as many as I have seen with Reverse NDR attacks on other servers, hundreds per day outgoing instead of the thousands you would expect. Also, a lot of the NDRs are going out to non-existent users themselves, i.e. NDR to hgssshgd@someotherdomain.com. (Is there such a thing as a Reverse reverse NDR?)

Regardless of all this the issue remains the same, Exchange recipient filtering is not working. You send an email to dgjhfgryufgu@domain.com and you get an NDR generated on our server. You also get a delivery receipt before this happens saying mail successfully relayed because it is getting through the filter.
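The asker's test above (send to a made-up mailbox, see whether the server accepts it and then bounces it) can be done at the SMTP level without ever sending a message: the verdict is decided at RCPT TO. With recipient filtering in effect Exchange refuses the unknown mailbox with a 5xx reply before DATA, so no NDR is built locally; a 250 at RCPT TO means the message is accepted and the Exchange server itself will generate the bounce. The script below is an added example written for this thread, not Microsoft's or any poster's code. It drives EHLO / MAIL FROM / RCPT TO / RSET / QUIT through `smtplib`, and includes a constructed `ScriptedSmtp` stand-in so the logic can be exercised offline; the hostnames and addresses are placeholders. Exchange 2003 can be configured to delay the 550 (SMTP tarpit), so a live run uses a generous timeout.

```python
"""Probe a mail server's RCPT TO behaviour for an unknown mailbox.

Added example for the thread, not code from Microsoft or any poster.
A 5xx at RCPT TO means recipient filtering is rejecting unknown
recipients; a 250 means the message would be accepted and the NDR
generated (and sent out) by the receiving Exchange server.
Hostnames and addresses are placeholders.
"""
import smtplib
import sys


def classify_rcpt_code(code):
    """Map the RCPT TO reply code to a verdict on recipient filtering."""
    if 500 <= code <= 599:
        return "filtering"      # refused before DATA: filtering works
    if 400 <= code <= 499:
        return "deferred"       # temporary refusal (greylisting, tarpit)
    if 200 <= code <= 299:
        return "accepted"       # accepted: an NDR would be generated locally
    return "unexpected"


def check_recipient_filtering(smtp, probe_rcpt, mail_from="probe@example.invalid"):
    """Drive EHLO / MAIL FROM / RCPT TO on an smtplib.SMTP-like object.

    Stops before DATA, so nothing is ever queued; RSET and QUIT clean up.
    Returns {'code': <RCPT reply code>, 'reply': <text>, 'verdict': ...}.
    """
    smtp.ehlo()
    code, reply = smtp.mail(mail_from)
    if code != 250:
        smtp.quit()
        raise RuntimeError("MAIL FROM refused: %d %r" % (code, reply))
    code, reply = smtp.rcpt(probe_rcpt)
    smtp.rset()
    smtp.quit()
    return {"code": code, "reply": reply, "verdict": classify_rcpt_code(code)}


class ScriptedSmtp:
    """Constructed stand-in for smtplib.SMTP so the check can run offline.

    Replies 250 to EHLO/MAIL FROM and with the configured code to RCPT TO,
    recording every command it received.
    """

    def __init__(self, rcpt_code, rcpt_text=b"scripted reply"):
        self.rcpt_code = rcpt_code
        self.rcpt_text = rcpt_text
        self.commands = []

    def ehlo(self, name=""):
        self.commands.append("EHLO")
        return 250, b"ok"

    def mail(self, sender, options=()):
        self.commands.append("MAIL FROM:<%s>" % sender)
        return 250, b"ok"

    def rcpt(self, recip, options=()):
        self.commands.append("RCPT TO:<%s>" % recip)
        return self.rcpt_code, self.rcpt_text

    def rset(self):
        self.commands.append("RSET")
        return 250, b"ok"

    def quit(self):
        self.commands.append("QUIT")
        return 221, b"bye"


def probe_live(host, probe_rcpt, timeout=90):
    """Run the check against a real server; the long timeout allows for a tarpitted 550."""
    return check_recipient_filtering(smtplib.SMTP(host, 25, timeout=timeout), probe_rcpt)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe.py mail.domain.example dfhbasjfvb@domain.example
        print(probe_live(sys.argv[1], sys.argv[2]))
    else:
        for code in (550, 250, 451):
            print(code, check_recipient_filtering(ScriptedSmtp(code), "dfhbasjfvb@domain.example"))
```

Run it from a host that is allowed to connect to port 25 of the Exchange server (the external filtering service's path is the one that matters, since that is where the spam arrives). A `filtering` verdict with the asker's symptoms would point at the mail reaching the server some other way; an `accepted` verdict confirms the filter is not being applied to that connection.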
If you are sending out NDRs to spammers, you would quickly pop up on the Backscatterer.org Blacklists site, so this suggests you are not sending NDRs.
Who is the sender of the NDR messages in your queues?  Postmaster?
I appreciate that you may not be filtering recipients properly. When you enabled the Recipient Filtering, did you restart the Simple Mail Transfer Protocol Service (or the server)?
Alan beat me to it: I was just about to ask if you had restarted the default SMTP server, too :)
I have restarted the SMTP service as well as the Virtual SMTP server several times. The server has not been rebooted as we need it up. This would be possible but I need to schedule it in.

All NDRs going out are from Postmaster@.
Well the SMTP service should nail it.
Can you re-apply Exchange SP2 please if a server reboot makes no difference.
Thanks
Alan
I will need to get a window of time when it is good to do this. I will speak to the customer and let you know when this is done. Thanks.
ASKER CERTIFIED SOLUTION
plokij5006
It sounds like your recipient filtering is not working at all!  Not seen that before.
Have you considered using Anti-Spam software?  Vamsoft is well priced at $239 per server, easy to use, simple to configure and will deal with all the spam you can throw at it.
90% of mail hitting my server gets rejected by Vamsoft.
Or mailcleaner which I also mentioned in an earlier post, and is free.

To give you some idea of how good this is, I installed it for a company that would receive an average of 7,000 emails every 24 hours.

Of these, around 3,500 would be Spam and between 10 and 20 would be malware of some kind.

Once I implemented Mailcleaner, their spam occurrences have dropped to around half a dozen a week.

It doesn't need to be installed on Exchange but on a standalone machine - as mentioned before, being Linux based it'll run a treat virtualised.

It integrates nicely with LDAP.

At midnight, each user will get a report of spam and they can manually free up anything that shouldn't have been caught from within the message.

They can also add their own white/grey lists.

Oh and did I mention it's free? :)
To clarify - I mean that the spam getting through is about half a dozen emails a week.

Oh and it has AntiVirus built into it too.
Thanks for the advice but we generally use an off-site spam filter server running Spam Assassin.
I don't suppose you used to have Microsoft Hosted Messaging and Collaboration installed on your server did you?

http://support.microsoft.com/kb/921101
Dammit he beat me to it again :/ lol
No, we have not had that installed previously. Looks like we may never get to the bottom of it?
If you use an off-site filtering service, have you restricted SMTP access to just your external filtering company's IP addresses on your SMTP Virtual Server?

If you are still allowing the world and his dog into your server via SMTP, you will have problems.

Talk to your filtering company, find out their sending IP addresses and then lock down your SMTP virtual server to just those IPs.
I'd just ask your third party to block inbound NDRs if they can.

Yes your staff will not receive genuine ones but that sounds less of an issue than being spammed with them.
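What "block inbound NDRs" amounts to at the filtering layer is recognising a bounce on its headers and refusing it, with exactly the trade-off Tony describes: genuine bounces for mail your users actually sent are refused along with the backscatter. The following is an added example for this thread, not code from any poster or filtering product. It classifies a raw message as a bounce on three signals (a null reverse path `Return-Path: <>`, a `multipart/report` body with `report-type=delivery-status` as in RFC 3464, or a postmaster/mailer-daemon sender) and, for a delivery-status report, pulls out the per-recipient `Status` and `Final-Recipient` fields for logging. The two sample messages are constructed and the domain names are placeholders.

```python
"""Classify an inbound message as a bounce (NDR) or an ordinary message.

Added example for the thread, not code from any poster or product.
Implements the blunt rule "refuse all inbound NDRs"; genuine bounces are
refused along with backscatter. Sample messages are constructed.
"""
import email
from email.utils import parseaddr

BOUNCE_SENDERS = {"postmaster", "mailer-daemon"}


def classify_inbound(raw):
    """Return a dict saying whether `raw` (bytes) looks like an NDR.

    Any one of three signals marks it as a bounce: Return-Path: <>,
    a multipart/report body with report-type=delivery-status, or a
    From: local part of postmaster / mailer-daemon. For DSNs the
    per-recipient Status and Final-Recipient are extracted as well.
    """
    msg = email.message_from_bytes(raw)
    return_path = (msg.get("Return-Path") or "").strip()
    from_local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    is_dsn = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    bounce = return_path == "<>" or is_dsn or from_local in BOUNCE_SENDERS

    result = {"bounce": bounce, "action": "reject" if bounce else "accept",
              "status": None, "final_recipient": None}
    if is_dsn:
        for part in msg.walk():
            if part.get_content_type() != "message/delivery-status":
                continue
            # The email package parses this part into a list of header
            # blocks: per-message fields first, then one block per recipient.
            for block in part.get_payload():
                if block.get("Status"):
                    result["status"] = block["Status"].strip()
                    result["final_recipient"] = (block.get("Final-Recipient") or "").strip()
    return result


# Constructed sample: a DSN another site built for a spam message that
# forged one of our (non-existent) addresses as the sender.
SAMPLE_NDR = b"""Return-Path: <>
From: postmaster@someotherdomain.example
To: hgssshgd@domain.example
Subject: Undeliverable: Cheap watches
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: text/plain

Your message could not be delivered to one or more recipients.
--dsn1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.someotherdomain.example

Final-Recipient: rfc822; nobody@someotherdomain.example
Action: failed
Status: 5.1.1

--dsn1--
"""

# Constructed sample: an ordinary message that must be accepted.
SAMPLE_NORMAL = b"""Return-Path: <alice@partner.example>
From: alice@partner.example
To: bob@domain.example
Subject: Meeting
Content-Type: text/plain

See you at 10.
"""


if __name__ == "__main__":
    for name, raw in (("ndr", SAMPLE_NDR), ("normal", SAMPLE_NORMAL)):
        print(name, classify_inbound(raw))
```

Because the decision is made on the message alone, the logged `Final-Recipient` is the address the spammer was aiming at on the other site, which is useful for spotting the pattern but says nothing about whether the bounce is genuine; that is why the rule costs you real NDRs too.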
I did not get to the bottom of this, thanks for all your help but I can't accept any postings as a solution.
Closest thing to an answer was suggested by myself.