NDR Spam attack

My client suddenly has 1 user receiving loads of these NDR's through:

----- Original Message -----
From: Mail Delivery System <Mailer-Daemon@dedic0.cmspanel.ru>
To: User
Sent: Thu Nov 18 06:16:08 2010
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  info@yug-poliv.ru
    mailbox is full: retry timeout exceeded

Needless to say he didn't send the original message.

My client has good email hygiene - Reverse DNS is set up, SPF, not an open relay, Anti-Spam appliance, etc.

There are 0 queues in Exchange 2007 EMC.

How do I stop this? The majority are from .ru domains!
hongedit asked:

Ernie Beek (Expert) commented:
It is...... One of the side effects of our modern communication technology.
 
Ernie Beek (Expert) commented:
The problem could be in the fact that his email address is being spoofed by some spamming club/program. Though he did not send the original message, the receiving mailservers simply return the NDR to the sender address, the user's one.
There's not much you can do to prevent this from happening, even with the best email hygiene. If there's only one person (who has the user's email address) out there getting hit by a virus or similar, they could start using the user's (and all other found addresses) as fake sender addresses.
 
hongedit (Author) commented:
So there's nothing I can do? He's now getting hundreds through every hour, it's insane!
 
Ernie Beek (Expert) commented:
You could block NDR's at the server.
 
hongedit (Author) commented:
But they need to be able to receive real NDR's :(

Crap.
 
hongedit (Author) commented:
Thanks....I'll have to find another workaround!
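
The thread leaves open how to keep real NDR's while dropping the backscatter ones. One way to tell them apart, shown here as an added example that is not part of the original thread: treat a bounce as genuine only if the copy of the original message it returns carries a Message-ID the organisation actually sent. The `SENT_IDS` set, the `.example` addresses and both sample bounces are constructed assumptions.

```python
import email
import re
from email import policy

# Assumption: Message-IDs harvested from the organisation's own outbound mail log.
SENT_IDS = {"<20101118.0412.a1b2@client.example>"}
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>\s]+>)", re.I | re.M)

# Constructed sample, shaped like the NDR quoted in the question.
BOUNCE_TEMPLATE = """\
Return-Path: <>
From: Mail Delivery System <Mailer-Daemon@mta.example>
Subject: Mail delivery failed: returning message to sender
Message-ID: <E1bounce@mta.example>

  info@recipient.example
    mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------
From: user@client.example
Message-ID: {orig_id}
Subject: hello
"""
GENUINE = BOUNCE_TEMPLATE.format(orig_id="<20101118.0412.a1b2@client.example>")
BACKSCATTER = BOUNCE_TEMPLATE.format(orig_id="<spam-7f3e@botnet.example>")

def is_bounce(msg):
    """Bounces carry a null envelope sender or come from a delivery daemon."""
    sender = (msg.get("From") or "").lower()
    return (msg.get("Return-Path") or "").strip() == "<>" or "mailer-daemon" in sender

def returned_message_ids(msg):
    """Message-IDs of the original mail, whether attached or quoted in the text."""
    ids = set()
    for part in msg.walk():
        if part is not msg and part["Message-ID"]:   # attached message/rfc822
            ids.add(str(part["Message-ID"]).strip())
        if part.get_content_maintype() == "text":    # quoted headers in body
            ids.update(MSGID_RE.findall(part.get_content()))
    return ids

def classify(raw, sent_ids=SENT_IDS):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    ids = returned_message_ids(msg)
    if not ids:
        return "unverifiable"  # no copy of the original returned: hold for review
    return "genuine" if ids & sent_ids else "backscatter"
```

Bounces that return no copy of the original come back as `unverifiable`, so they can be quarantined for review rather than dropped.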