Cdavis316
Exchange server NDR attack, need help resolving
I am fighting an NDR attack from the domain hinet.net. Our environment is small, with one Exchange 2003 server. I adjusted the server yesterday to close an open relay, and to enable recipient filtering/tarpitting due to an NDR attack. I've also disabled NDRs for now. However, the queues are still filling with NDRs and spam e-mails that pre-date the configuration changes I've made. What can I do to get the server operational again, and clear the queues?
Try blocking NDRs, and deleting queues. This may help you: https://www.experts-exchange.com/questions/21108443/Spoof-Fake-Emails.html
Add an SPF record to fight against email spoofing: http://www.openspf.org/ This may help to abort future attacks.
And read the whole section found here
Clean Up the Exchange Server's SMTP Queues http://support.microsoft.com/kb/324958#6
ASKER
Already blocked NDRs, and cleared queues with aqadmcli. My real concern is that the queues still fill after being cleared, with outdated messages. I read somewhere that this is a notoriously common problem (queues inaccurate after a spam NDR attack).
Block this domain on your firewall... then no traffic can reach your server from that domain/IP address.
ASKER
Good idea sulimanw
ASKER
I actually need to block a TLD which I've read isn't possible with filtering. I'll block it at the sonicwall and see if things subside.
IF you have closed your open relay AND disabled NDR generation, then blocking ANY domain at any level will not change things.
ASKER
I'm 100% sure that we aren't running an open relay and that NDR generation is disabled. What could be causing the queues to fill with back-dated e-mail?
Disable your inbound connection to the server and watch the queues?
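Watching the queues tells you whether the flood is still inbound; the SMTP protocol log tells you who is sending it. The following is an added example (not code from the thread or from Microsoft) that triages constructed, simplified W3C-style SMTP log lines: it counts null-sender (MAIL FROM:<>) transactions per client IP, which is the signature of inbound backscatter, and counts how many of those were accepted for recipients that do not exist locally, which is what recipient filtering should be rejecting. The log format, the local domain, the user list and the threshold are all assumptions.

```python
"""Backscatter (NDR attack) triage over SMTP protocol log lines.

Added example, not from the original thread. Input is a constructed,
simplified W3C-style log: date time c-ip cs-method cs-uri-query sc-status.
"""
import re
from collections import Counter

LOCAL_DOMAIN = "example.com"      # assumption: the domain this server accepts mail for
VALID_USERS = {"alice", "bob"}    # assumption: the mailboxes that really exist
THRESHOLD = 3                     # null-sender transactions per IP before flagging it

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
2008-03-01 10:00:01 203.0.113.5 MAIL FROM:<> 250
2008-03-01 10:00:02 203.0.113.5 RCPT TO:<zzq12@example.com> 250
2008-03-01 10:00:05 203.0.113.5 MAIL FROM:<> 250
2008-03-01 10:00:06 203.0.113.5 RCPT TO:<alice@example.com> 250
2008-03-01 10:00:09 203.0.113.5 MAIL FROM:<> 250
2008-03-01 10:00:10 203.0.113.5 RCPT TO:<jjkl@example.com> 250
2008-03-01 10:00:11 203.0.113.5 MAIL FROM:<> 250
2008-03-01 10:00:12 203.0.113.5 RCPT TO:<qqq@example.com> 550
2008-03-01 10:01:00 198.51.100.7 MAIL FROM:<partner@example.net> 250
2008-03-01 10:01:01 198.51.100.7 RCPT TO:<bob@example.com> 250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (MAIL|RCPT) (FROM|TO):<([^>]*)> (\d{3})$")


def parse(log_text):
    """Yield (client_ip, verb, address, status); skip blank and comment lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if line and not line.startswith("#") and m:
            yield m.group(3), m.group(4), m.group(6), int(m.group(7))


def analyze(log_text):
    """Per-IP null-sender count, accepted bogus-recipient count, and flagged IPs."""
    null_sender, accepted_bogus, in_ndr = Counter(), Counter(), {}
    for ip, verb, addr, status in parse(log_text):
        if verb == "MAIL":
            in_ndr[ip] = (addr == "")           # empty reverse path = bounce/NDR
            if addr == "":
                null_sender[ip] += 1
        elif verb == "RCPT" and in_ndr.get(ip) and status < 400:
            user, _, domain = addr.lower().partition("@")
            if domain == LOCAL_DOMAIN and user not in VALID_USERS:
                accepted_bogus[ip] += 1         # filtering should have refused this
    flagged = sorted(ip for ip, n in null_sender.items() if n >= THRESHOLD)
    return {"null_sender": dict(null_sender),
            "accepted_bogus": dict(accepted_bogus), "flagged": flagged}
```

A non-zero accepted_bogus count means the server is still accepting bounces for addresses that do not exist, so recipient filtering is not in effect on that connector, and that accepted mail is what keeps landing in the queues.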
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
http://support.microsoft.com/servicedesks/ShowMeHow/101904_3.asx