Cdavis316 asked:
Exchange server NDR attack, need help resolving

I am fighting an NDR attack from the domain hinet.net. Our environment is small, with one Exchange 2003 server. I adjusted the server yesterday to close an open relay, and to enable recipient filtering/tarpitting due to an NDR attack. I've also disabled NDR'ing for now. However, the queues are still filling with NDRs and spam e-mails that pre-date the configuration changes I've made. What can I do to get the server operational again, and clear the queues?
Neil Russell (United Kingdom):

Miguel Angel Perez Muñoz:
Try blocking NDRs, and deleting queues. This may help you: https://www.experts-exchange.com/questions/21108443/Spoof-Fake-Emails.html
Add an SPF record to fight against email spoofing: http://www.openspf.org/ This may help to abort future attacks.
And read the whole section found here:
Clean Up the Exchange Server's SMTP Queues: http://support.microsoft.com/kb/324958#6
Cdavis316 (asker):
Already blocked NDRs, and cleared queues with aqadmcli. My real concern is that the queues still fill after being cleared, with outdated messages. I read somewhere that this is a notoriously common problem (queues inaccurate after a spam NDR attack).
Block this domain on your firewall... then no traffic can reach your server from that domain/IP address.
Good idea, sulimanw.
I actually need to block a TLD, which I've read isn't possible with filtering. I'll block it at the SonicWall and see if things subside.
If you have closed your open relay AND disabled NDR generation, then blocking ANY domain at any level will not change things.
I'm 100% sure that we aren't running an open relay and that NDR generation is disabled. What could be causing the queues to fill with back-dated e-mail?
Disable your inbound connection to the server and watch the queues?
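As an added example (not from this thread, and not Exchange's own tooling), a small Python triage script over a constructed queue dump. It separates outbound NDRs this server generated, inbound null-sender bounces caused by spoofing of the local domain at other sites, and items queued before the configuration change, so an admin can tell leftovers from traffic that is still arriving. The local domain, the change time and the record layout are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumptions (not from the thread): the attacked domain, when the relay/NDR
# changes were made, and a constructed record layout for a queue dump.
LOCAL_DOMAIN = "example.com"
CONFIG_CHANGE = datetime(2008, 5, 20, 9)

@dataclass
class QueuedMessage:
    sender: str         # envelope MAIL FROM; "<>" is the null sender bounces use
    recipient: str      # envelope RCPT TO
    remote_host: str    # peer that delivered it, or next hop it is queued for
    received: datetime  # when this server queued it (not the Date: header)

def classify(msg: QueuedMessage) -> str:
    # inbound-bounce: null-sender bounce to us for mail we never sent (backscatter
    #   from spoofing of LOCAL_DOMAIN elsewhere; no local relay/NDR setting stops it)
    # outbound-ndr: NDR this server generated for an outside address
    # stale-*: queued before CONFIG_CHANGE, so a leftover, not a sign the fix failed
    to_us = msg.recipient.lower().endswith("@" + LOCAL_DOMAIN)
    if msg.sender == "<>" and to_us:
        kind = "inbound-bounce"
    elif msg.sender == f"postmaster@{LOCAL_DOMAIN}" and not to_us:
        kind = "outbound-ndr"
    else:
        return "other"
    return f"stale-{kind}" if msg.received < CONFIG_CHANGE else kind

def summarize(queue):
    """Return (messages per label, fresh NDR traffic per remote host)."""
    labels, hosts = Counter(), Counter()
    for m in queue:
        label = classify(m)
        labels[label] += 1
        if label in ("inbound-bounce", "outbound-ndr"):
            hosts[m.remote_host] += 1
    return labels, hosts

# Constructed sample: 2 stale outbound NDRs, 1 fresh, 2 fresh inbound bounces, 1 normal
PM = f"postmaster@{LOCAL_DOMAIN}"
SAMPLE_QUEUE = [
    QueuedMessage(PM, "x1@hinet.net", "hinet.net", datetime(2008, 5, 19, 22)),
    QueuedMessage(PM, "x2@hinet.net", "hinet.net", datetime(2008, 5, 19, 23)),
    QueuedMessage(PM, "x3@hinet.net", "hinet.net", datetime(2008, 5, 20, 10)),
    QueuedMessage("<>", f"bob@{LOCAL_DOMAIN}", "mx.hinet.net", datetime(2008, 5, 20, 11)),
    QueuedMessage("<>", f"nobody@{LOCAL_DOMAIN}", "mx.isp.example", datetime(2008, 5, 20, 12)),
    QueuedMessage("alice@partner.example", f"bob@{LOCAL_DOMAIN}", "partner.example", datetime(2008, 5, 20, 12)),
]
```

Fresh inbound-bounce counts that keep growing after the change point to spoofing of the domain elsewhere, which only SPF and the other senders' policies can reduce; fresh outbound-ndr counts would mean NDR generation is not actually off.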
ASKER CERTIFIED SOLUTION
Cdavis316
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.