Solved

Exchange 2003 Reverse NDR attack - recipient filtering does not work.

Posted on 2010-08-26
Medium Priority
1,870 Views
Last Modified: 2013-11-30
We have suffered a reverse NDR attack and I have turned on recipient filtering in Exchange 2003 SP2, both at the Message Delivery settings and on the Virtual SMTP server. However, the attack continues because bad mail is still being received and NDRs are still being generated and sent out. Does anyone know why this might be and what I can do to stop the generation of NDRs?
Question by:plokij5006
27 Comments
 
LVL 26

Expert Comment

by:Tony J
ID: 33533733
It's been a while since I looked at ESM, but I think you can prevent NDRs being sent to the internet here:

Global Settings > Internet Message Formats > Properties of Default > Advanced tab
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33533810
Recipient filtering has to be enabled in two places.  Please check through the following article for full details of both places:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
Alternatively, download a trial of Vamsoft ORF - www.vamsoft.com (anti-Spam software).  It is small, powerful, brilliant at getting rid of spam and will deal with your NDR issues immediately.
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33533854
Or use mailcleaner - www.mailcleaner.org 

Free, open source and will run like a charm virtualised. I've used it in many places and it's a dream to setup and maintain. And it integrates seamlessly with AD via LDAP.
0
 
LVL 4

Expert Comment

by:Nathan-B2B
ID: 33538399
Check your filtering options - http://www.amset.info/exchange/filter-unknown.asp
0
 

Author Comment

by:plokij5006
ID: 33541824
Just to reiterate what I said in my question, I have turned on recipient filtering in both the places required - in Message Delivery options and on the virtual SMTP server, all as per Microsoft's instructions in the following:

http://support.microsoft.com/kb/909005 

This should mean that NDRs are not generated on the Exchange server because the emails are filtered out before they get to the IS. The NDRs in this configuration should be generated on the sending server instead, job done. Problem is, it doesn't work. If I send a mail to dfhbasjfvb@domain.com, it comes into Exchange, I can find it in Message Tracking and an NDR is generated on the Exchange server and sent back to the sender, or in this case, not the sender but the recipient of the spam, because we are suffering from a reverse NDR attack.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33541920
Sorry - it pays to read : |
What Service Pack have you got installed on the Exchange server?  SP2 is the latest.
Do you have any Anti-Spam software installed on the server.
Are you listed on Backscatterer.org (www.mxtoolbox.com/blacklists.aspx)?  If you are not - then it is highly unlikely that you are still sending NDRs to spammers.  There may be another issue afoot.
For the time being - if you don't have any anti-spam software installed, download a 30-day trial of Vamsoft ORF - www.vamsoft.com and install / configure it - it will deal with your problem without breaking a sweat.
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33541974
Umm...can I just clarify something here. Are these NDRs being sent to your server rather than being sent from your server?

What I mean here is - is someone spoofing your email address (the FQDN of which is correct, of course) and then you end up getting the NDRs into your mail server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33542005
Check your Queues and see if any mail sitting there is being sent from Postmaster.  If it is - you are sending NDRs out.  If not, or there are no queues full of mail, you are probably suffering from NDR spam as Tony1044 is suggesting and as I was thinking in my last post.
0
 

Author Comment

by:plokij5006
ID: 33542610
We are running Exchange 2003 SP2. We are not listed on any blacklists. I am not sure we would necessarily be, because why would someone complain about spam mail when it looks to them like someone is spoofing their email address? i.e. their sender address (to them, it looks like it) is being spoofed to send an email to a non-existent user on our server. They then get the NDR.

Yes, Exchange outgoing queue is full of NDRs generated on our Exchange server.

No we don't have any anti-spam software on the server. Regular spam is an issue but not too bad although it annoys the users.

One thing I have noticed is that there are not as many as I have seen with Reverse NDR attacks on other servers, hundreds per day outgoing instead of the thousands you would expect. Also, a lot of the NDRs are going out to non-existent users themselves, i.e. NDR to hgssshgd@someotherdomain.com. (Is there such a thing as a Reverse reverse NDR?)

Regardless of all this, the issue remains the same: Exchange recipient filtering is not working. You send an email to dgjhfgryufgu@domain.com and you get an NDR generated on our server. You also get a delivery receipt before this happens saying mail successfully relayed, because it is getting through the filter.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33542722
If you are sending out NDRs to spammers, you would quickly pop up on the Backscatterer.org Blacklists site, so this suggests you are not sending NDRs.
Who is the sender of the NDR messages in your queues?  Postmaster?
I appreciate that you may not be filtering recipients properly.  When you enabled the Recipient Filtering, did you restart the Simple Mail Transfer Protocol Service (or the server)?
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33542777
Alan beat me to it: I was just about to ask if you had restarted the default SMTP server, too :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33542859
: )
0
 

Author Comment

by:plokij5006
ID: 33543555
I have restarted the SMTP service as well as the Virtual SMTP server several times. The server has not been rebooted as we need it up. This would be possible but I need to schedule it in.

All NDRs going out are from Postmaster@.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33543581
Well the SMTP service should nail it.
Can you re-apply Exchange SP2 please if a server reboot makes no difference.
Thanks
Alan
0
 

Author Comment

by:plokij5006
ID: 33557114
I will need to get a window of time when it is good to do this. I will speak to the customer and let you know when this is done. Thanks.
0
 

Accepted Solution

by:
plokij5006 earned 0 total points
ID: 33673193
Sorry for the delay in responding. We tried a reboot of the server but this did not solve the problem. We cleared out all the NDR spam by renaming the Queue folder and creating a new one. The last remaining messages were binned at this point. We then manually turned off the Send NDRs option and this solved the problem. I do not see any mention of having to do this from Microsoft, I understood that the turning on of recipient filtering would do the same thing but it does not.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33673436
It sounds like your recipient filtering is not working at all!  Not seen that before.
Have you considered using Anti-Spam software?  Vamsoft is well priced at $239 per server, easy to use, simple to configure and will deal with all the spam you can throw at it.
90% of mail hitting my server gets rejected by Vamsoft.
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33673572
Or mailcleaner which I also mentioned in an earlier post, and is free.

To give you some idea of how good this is, I installed it for a company that would receive an average of 7,000 emails every 24 hours.

Of these, around 3,500 would be Spam and between 10 and 20 would be malware of some kind.

Once I implemented Mailcleaner, their spam occurrences dropped to around half a dozen a week.

It doesn't need to be installed on Exchange but on a standalone machine - as mentioned before, being Linux based it'll run a treat virtualised.

It integrates nicely with LDAP.

At midnight, each user will get a report of spam and they can manually free up anything that shouldn't have been caught from within the message.

They can also add their own white/grey lists.

Oh and did I mention it's free? :)
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33673580
To clarify - I mean that the spam getting through is about half a dozen emails a week.

Oh and it has AntiVirus built into it too.
0
 

Author Comment

by:plokij5006
ID: 33673736
Thanks for the advice but we generally use an off-site spam filter server running Spam Assassin.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33674091
I don't suppose you used to have Microsoft Hosted Messaging and Collaboration installed on your server, did you?

http://support.microsoft.com/kb/921101
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33674109
Dammit he beat me to it again :/ lol
0
 

Author Comment

by:plokij5006
ID: 33791858
No, we have not had that installed previously. Looks like we may never get to the bottom of it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33792646
If you use an off-site filtering service, have you restricted SMTP access to just your external filtering company's IP addresses on your SMTP Virtual Server?

If you are still allowing the world and his dog into your server via SMTP, you will have problems.

Talk to your filtering company, find out their sending IP addresses and then lock down your SMTP virtual server to just those IPs.
0
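The two checks that run through this thread, whether the recipient filter is actually refusing mail for non-existent addresses at SMTP time (the asker's test of sending to a bogus address and getting an NDR from Postmaster@) and whether anything other than the off-site filtering company is still connecting on port 25 (the suggestion just above), can both be read straight out of the SMTP virtual server's protocol log. The script below is an added example, not code from the thread or from Microsoft; it assumes the W3C extended field layout the IIS SMTP service writes, a constructed list of valid local mailboxes, a constructed filtering-provider address list, and constructed log lines that were not captured from any real server.

```python
import re
from collections import Counter

# Constructed for this example: the local domain Exchange accepts mail for,
# the mailboxes that really exist on it, and the filtering provider's
# sending addresses (documentation-range placeholders, not real hosts).
LOCAL_DOMAIN = "domain.com"
VALID_LOCAL_RECIPIENTS = {"realuser@domain.com", "postmaster@domain.com"}
FILTER_PROVIDER_IPS = {"198.51.100.7", "198.51.100.8"}

# Constructed sample of an SMTP protocol log. The W3C field order is the
# IIS SMTP service layout as this example assumes it; nothing here was
# captured from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2010-08-26 09:00:02 203.0.113.10 - SMTPSVC1 MAIL01 - 25 MAIL - +FROM:<spoofed@victim.example> 250 0 0 0 0 SMTP - - - -
2010-08-26 09:00:02 203.0.113.10 - SMTPSVC1 MAIL01 - 25 RCPT - +TO:<dfhbasjfvb@domain.com> 250 0 0 0 0 SMTP - - - -
2010-08-26 09:00:05 203.0.113.10 - SMTPSVC1 MAIL01 - 25 RCPT - +TO:<realuser@domain.com> 250 0 0 0 0 SMTP - - - -
2010-08-26 09:01:00 198.51.100.7 - SMTPSVC1 MAIL01 - 25 RCPT - +TO:<zzzqqq@domain.com> 550 0 0 0 0 SMTP - - - -
2010-08-26 09:02:10 - OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<> 0 0 0 0 0 SMTP - - - -
2010-08-26 09:02:10 - OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 RCPT - TO:<hgssshgd@someotherdomain.com> 0 0 0 0 0 SMTP - - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Turn W3C-extended log text into a list of dicts keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                rows.append(dict(zip(fields, values)))
    return rows


def address_in(query):
    """Extract the address inside <...> from a MAIL/RCPT argument, or None."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else None


def audit(rows):
    """Three defender-side checks over protocol-log rows:
    1. inbound RCPT for a local address that does not exist but got 250,
       i.e. recipient filtering is not being enforced at SMTP time;
    2. outbound MAIL FROM:<> (null sender), the signature of a bounce/NDR
       the server itself is generating;
    3. inbound traffic from sources other than the filtering provider.
    """
    accepted_unknown = []          # (client ip, bogus recipient) pairs
    rejected_unknown = 0
    outbound_bounces = 0
    unexpected_sources = Counter()  # inbound rows per non-provider client IP
    for r in rows:
        inbound = r["c-ip"] != "-"
        method = r["cs-method"].upper()
        addr = address_in(r["cs-uri-query"])
        if inbound and r["c-ip"] not in FILTER_PROVIDER_IPS:
            unexpected_sources[r["c-ip"]] += 1
        if inbound and method == "RCPT" and addr and addr.endswith("@" + LOCAL_DOMAIN):
            if addr in VALID_LOCAL_RECIPIENTS:
                continue
            if r["sc-status"] == "250":
                accepted_unknown.append((r["c-ip"], addr))
            elif r["sc-status"].startswith("5"):
                rejected_unknown += 1
        elif not inbound and method == "MAIL" and addr == "":
            outbound_bounces += 1
    return {
        "accepted_unknown": accepted_unknown,
        "rejected_unknown": rejected_unknown,
        "outbound_bounces": outbound_bounces,
        "unexpected_sources": dict(unexpected_sources),
        "filter_enforced": not accepted_unknown,
    }


if __name__ == "__main__":
    report = audit(parse_w3c(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one bogus recipient accepted with 250 from 203.0.113.10 (so `filter_enforced` is false, which is exactly the symptom described in the thread), one rejected with 550 from the provider address, one outbound null-sender bounce, and 203.0.113.10 as an inbound source that is not the filtering company. A working recipient filter should leave `accepted_unknown` empty; once the SMTP virtual server is locked down to the provider's addresses, `unexpected_sources` should be empty too.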
 
LVL 26

Expert Comment

by:Tony J
ID: 33796514
I'd just ask your third party to block inbound NDRs if they can.

Yes, your staff will not receive genuine ones, but that sounds less of an issue than being spammed with them.
0
 

Author Comment

by:plokij5006
ID: 33914684
I did not get to the bottom of this, thanks for all your help but I can't accept any postings as a solution.
0
 

Author Closing Comment

by:plokij5006
ID: 34399092
Closest thing to an answer was suggested by myself.
0
