iwrbotb

How do I create an e-mail policy that will deny the sender from numerous retries resulting in maxed out bandwidth?

We are running Exchange 2007, McAfee Hosted SPAM filter service, SonicWall. What we are experiencing closely resembles a DOS attack.  I really need help figuring out how to prevent it from occurring again. A client sends an e-mail to us that gets caught in a loop of retrying (every two minutes) and somehow utilizes our entire bandwidth, bringing Internet usage to a screeching halt. I might add that this is gradual. It begins to slow down the Internet and eventually it is almost impossible to access a site. Viewing the bandwidth usage reports I can see the gradual climb until it maxes out and stays there.  This happened a few months ago and again yesterday. These are two different clients totally unrelated sending to two different recipients at our domain. In both situations the client had previously sent e-mail to us successfully. We have size restrictions in place and it appears that in both cases the e-mails had attachments well below the limit. We have a hosted SPAM filter service (McAfee) and I used their control panel to see that one recipient was receiving over 440MB of incoming data. I called McAfee and they were able to tell me the e-mail address sending to this recipient and that the server was retrying to send every two minutes. The only way I know to stop it is to add the e-mail address to the deny sender list. It's obviously not good that we have to block a client, especially when they need to send us information. I need to know what is causing this to happen and how to prevent it in the future. I need a policy that will refuse more than five retries or something similar.  Thank you in advance for your help!
steveoskh

It sounds like you have some type of reply loop.  A user's vacation rule or some other auto response sends an email that is then responded to.  This process keeps repeating and building until you have thousands of mails being sent.
Classic case is Bob goes on vacation and sets auto reply to sender but also forwards mail to Jim.  Jim is sick and sets an auto reply to sender.  Mail to Bob -->Fwd Jim,  Jim reply to Bob,  Bob reply to Jim and Fwd to Jim,  Jim auto reply two different msg to Bob.  These two are reply and fwd to Jim.  1 becomes 2 becomes 4 becomes 8 etc.

I would think that Exchange would prevent these types of loops.  Most mail systems will recognize and prevent this.  If your spam filter or firewall is responding or modifying the message it may lose the connection needed for Exchange to recognize the loop.

I would first look at the recipients involved and check for any forwarding or auto-reply rules.
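The Bob/Jim loop described in the answer above, as an added simulation that is not part of the original post. It assumes responders mark automatic mail with the RFC 3834 `Auto-Submitted` header, that forwards keep that marker, and that every message passes through the rewriting hop; the addresses, `RULES` and `strip_marker` are constructed, and Exchange's own loop detection is not modeled.

```python
from collections import deque
from email.message import EmailMessage

def make(sender, to, subject, auto=False):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    if auto:
        msg["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker
    return msg

def is_automatic(msg):
    # RFC 3834: any Auto-Submitted value other than "no" means a machine sent it.
    return msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no"

def deliver(msg, rules):
    """Apply the recipient's mailbox rules; return the messages they generate."""
    to, sender = str(msg["To"]), str(msg["From"])
    rule = rules.get(to, {})
    out = []
    if rule.get("auto_reply") and not is_automatic(msg):
        out.append(make(to, sender, "Auto: away", auto=True))
    if rule.get("forward_to"):
        # Assumption: the forward carries the original's automatic marker.
        out.append(make(to, rule["forward_to"], "FW: " + str(msg["Subject"]),
                        auto=is_automatic(msg)))
    return out

def strip_marker(msg):
    # Constructed stand-in for a filter that rewrites mail and drops the header.
    del msg["Auto-Submitted"]
    return msg

def simulate(rules, gateway=None, cap=200):
    """Count messages sent after one client mail to Bob, stopping at `cap`."""
    queue = deque([make("client@example.net", "bob@example.com", "Report")])
    sent = 0
    while queue and sent < cap:
        msg = queue.popleft()
        sent += 1
        if gateway:
            msg = gateway(msg)
        queue.extend(deliver(msg, rules))
    return sent

RULES = {  # constructed mailboxes matching the Bob/Jim case
    "bob@example.com": {"auto_reply": True, "forward_to": "jim@example.com"},
    "jim@example.com": {"auto_reply": True},
}

if __name__ == "__main__":
    print("marker intact  :", simulate(RULES))
    print("marker stripped:", simulate(RULES, gateway=strip_marker))
```

With the marker intact the exchange dies out after a handful of messages; once the header is stripped the queue doubles each round and only the `cap` stops it.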
iwrbotb

ASKER

steveoskh,

Thank you for your reply!  That's a possibility I had not considered. We do not forward e-mail here but I double-checked in case. I also verified that he was in the office and had no vacation rule set.  I agree that Exchange should prevent these loops. I should also be able to block that activity before it reaches Exchange via the McAfee hosted SPAM filtering service.  It doesn't seem to affect the performance of the Exchange server. It definitely hogs all the bandwidth though.  
ASKER CERTIFIED SOLUTION
steveoskh

This solution is only available to members.
iwrbotb

ASKER

Yes, steveoskh, that is the correct order for the mail. McAfee was set to "Any Size" for attachments except executables and scripts which are disallowed. I changed them all to Max 15MB. Thank you, I looked right over those settings. The e-mails that were sent to us were to have small attachments but I cannot confirm as I have not seen them. I do know for sure that the culprit was an e-mail both times. I watch traffic and bandwidth usage on the SonicWall. I have used the hub and Wireshark before which is a good idea also. Hopefully the size settings for Hosted McAfee will be the solution but I won't know for sure as it's happened only twice in a 5 month span. I will accept your solution and add comments down the road if it wasn't the fix. Thank you for your help.