How do I create an e-mail policy that will deny the sender from numerous retries resulting in maxed out bandwidth?

We are running Exchange 2007, McAfee Hosted SPAM filter service, SonicWall. What we are experiencing closely resembles a DOS attack.  I really need help figuring out how to prevent it from occurring again. A client sends an e-mail to us that gets caught in a loop of retrying (every two minutes) and somehow utilizes our entire bandwidth, bringing Internet usage to a screeching halt. I might add that this is gradual. It begins to slow down the Internet and eventually it is almost impossible to access a site. Viewing the bandwidth usage reports I can see the gradual climb until it maxes out and stays there.  This happened a few months ago and again yesterday. These are two different clients totally unrelated sending to two different recipients at our domain. In both situations the client had previously sent e-mail to us successfully. We have size restrictions in place and it appears that in both cases the e-mails had attachments well below the limit. We have a hosted SPAM filter service (McAfee) and I used their control panel to see that one recipient was receiving over 440MB of incoming data. I called McAfee and they were able to tell me the e-mail address sending to this recipient and that the server was retrying to send every two minutes. The only way I know to stop it is to add the e-mail address to the deny sender list. It's obviously not good that we have to block a client, especially when they need to send us information. I need to know what is causing this to happen and how to prevent it in the future. I need a policy that will refuse more than five retries or something similar.  Thank you in advance for your help!
iwrbotb Asked:

steveoskh Commented:
It sounds like you have some type of reply loop. A user's vacation rule or some other auto response sends an email that is then responded to. This process keeps repeating and building until you have thousands of mail being sent.
Classic case is Bob goes on vacation and sets auto reply to sender but also forwards mail to Jim.  Jim is sick and sets an auto reply to sender.  Mail to Bob -->Fwd Jim,  Jim reply to Bob,  Bob reply to Jim and Fwd to Jim,  Jim auto reply two different msg to Bob.  These two are reply and fwd to Jim.  1 becomes 2 becomes 4 becomes 8 etc.

I would think that Exchange would prevent these types of loops. Most mail systems will recognize and prevent this. If your spam filter or firewall is responding or modifying the message it may lose the connection needed for Exchange to recognize the loop.

I would first look at the recipients involved and check for any forwarding or auto-reply rules.
0
iwrbotb Author Commented:
steveoskh,

Thank you for your reply!  That's a possibility I had not considered. We do not forward e-mail here but I double-checked in case. I also verified that he was in the office and had no vacation rule set.  I agree that Exchange should prevent these loops. I should also be able to block that activity before it reaches Exchange via the McAfee hosted SPAM filtering service.  It doesn't seem to affect the performance of the Exchange server. It definitely hogs all the bandwidth though.  
0
steveoskh Commented:
So if I understand your situation:
internet ----> McAfee Hosted ----> Exchange

You have size limits enforced on your Exchange server.  Do you also have size limits enforced by McAfee?   You really should block over-sized mail from ever being sent to your Exchange box.
I am not that familiar with Exchange and have no experience with McAfee hosted, but you should be able to implement settings to prevent mail bombs.  Typically it is some threshold to prevent more than so many emails from one sender over a given time period.

Other general things to consider:
Your firewall should be set to only get mail from McAfee and not respond directly.
Mail from the internet is not encrypted so you should be able to see any connections with a sniffer. There are some specialized ones that will capture email traffic. I have used Colasoft Capsa for this in the past. Just plug a small hub (not a switch) or network tap before your SonicWall.

Also consider that mail may have only been part of your problem on those two days.  When we have had problems with slow internet the cause is usually a combination of things.  Microsoft patch Tuesday, large uploads, streaming audio or video etc.   I have found the sniffer in front of my firewall very helpful.
0
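
Added example (not part of the thread and not code from any participant): a sketch of the per-sender threshold idea discussed above, applied as detection over inbound SMTP attempt records. The log format, addresses and thresholds are constructed assumptions; `max_attempts=5` mirrors the "more than five retries" figure in the question.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed sample: 'ISO-timestamp sender recipient bytes', one line per
    inbound SMTP attempt. Hypothetical format; adapt to your gateway's export."""
    start = datetime(2024, 1, 1, 9, 0)
    lines = []
    for i in range(8):  # one sender retrying the same 12 MB message every 2 minutes
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} client@example.com bob@example.org 12000000")
    # An ordinary sender: two small messages half an hour apart
    lines.append(f"{start.isoformat()} other@example.net amy@example.org 40000")
    later = start + timedelta(minutes=30)
    lines.append(f"{later.isoformat()} other@example.net amy@example.org 52000")
    return lines

def find_retry_storms(lines, window=timedelta(minutes=15),
                      max_attempts=5, max_bytes=50_000_000):
    """Return {(sender, recipient): (peak_attempts, peak_bytes)} for every pair
    that exceeds either threshold inside one sliding time window."""
    recent = defaultdict(deque)   # per-pair queue of (timestamp, size) in the window
    flagged = {}
    for line in sorted(lines):    # same-format ISO timestamps sort chronologically
        ts_text, sender, rcpt, size = line.split()
        ts = datetime.fromisoformat(ts_text)
        key = (sender.lower(), rcpt.lower())
        queue = recent[key]
        queue.append((ts, int(size)))
        while ts - queue[0][0] > window:   # drop attempts older than the window
            queue.popleft()
        attempts = len(queue)
        total = sum(nbytes for _, nbytes in queue)
        if attempts > max_attempts or total > max_bytes:
            peak = flagged.get(key, (0, 0))
            flagged[key] = (max(peak[0], attempts), max(peak[1], total))
    return flagged

if __name__ == "__main__":
    for (sender, rcpt), (attempts, total) in find_retry_storms(sample_log()).items():
        print(f"{sender} -> {rcpt}: {attempts} attempts, {total / 1e6:.0f} MB in window")
```

Tracking bytes as well as attempt count matters here: a message that is re-sent in full on every retry consumes bandwidth long before the attempt count alone looks unusual.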

iwrbotb Author Commented:
Yes, steveoskh, that is the correct order for the mail. McAfee was set to "Any Size" for attachments except executables and scripts which are disallowed. I changed them all to Max 15MB. Thank you, I looked right over those settings. The e-mails that were sent to us were to have small attachments but I cannot confirm as I have not seen them. I do know for sure that the culprit was an e-mail both times. I watch traffic and bandwidth usage on the SonicWall. I have used the hub and Wireshark before which is a good idea also. Hopefully the size settings for Hosted McAfee will be the solution but I won't know for sure as it's happened only twice in a 5 month span. I will accept your solution and add comments down the road if it wasn't the fix. Thank you for your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.