Exchange server NDR attack, need help resolving

I am fighting an NDR attack from the domain hinet.net. Our environment is small, with one Exchange 2003 server. I adjusted the server yesterday to close an open relay, and to enable recipient filtering/tarpitting due to an NDR attack. I've also disabled NDRs for now. However, the queues are still filling with NDRs and spam e-mails that pre-date the configuration changes I've made. What can I do to get the server operational again, and clear the queues?
Cdavis316 asked:
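The mechanism behind the question, as an added illustration that is not part of the thread and not Exchange code: a spammer forges the victim's address as MAIL FROM and runs a dictionary of local parts against your server. If the server accepts mail for addresses that do not exist, the only way it can report the failure later is an NDR to the forged sender, which is the backscatter. Recipient filtering refuses unknown recipients at RCPT TO, inside the SMTP session, so nothing is accepted and no NDR is ever built; tarpitting delays that refusal so the dictionary run crawls. The recipient directory, sender and guessed names below are constructed; the `sleep` parameter exists only so the delay can be observed without waiting.

```python
"""Model of the SMTP decision that turns a forged-sender spam run into NDR
backscatter, and of how recipient filtering plus tarpitting stops it.
Added illustration, not Exchange code; all names and addresses are constructed."""
import time

# Constructed recipient directory for the single domain this server hosts.
ACCEPTED_DOMAIN = "example.com"
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def handle_rcpt(rcpt, recipient_filtering, tarpit_seconds=0.0, sleep=time.sleep):
    """Return the SMTP reply a server would give to RCPT TO.

    With recipient filtering on, unknown local recipients are refused at the
    protocol level, so no message is accepted and no NDR is ever generated.
    Tarpitting delays the refusal so that a dictionary attack crawls."""
    _local, _, domain = rcpt.partition("@")
    if domain.lower() != ACCEPTED_DOMAIN:
        # Closed relay: never accept mail for domains we do not host.
        return "550 5.7.1 Unable to relay"
    if recipient_filtering and rcpt.lower() not in VALID_RECIPIENTS:
        if tarpit_seconds:
            sleep(tarpit_seconds)
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"


def deliver(mail_from, rcpt, recipient_filtering, tarpit_seconds=0.0, sleep=time.sleep):
    """Simulate one message and return what the server ends up sending out.

    Returns a list of (kind, destination) tuples; 'ndr' entries are the
    backscatter that would leave the server toward the forged MAIL FROM."""
    reply = handle_rcpt(rcpt, recipient_filtering, tarpit_seconds, sleep)
    if not reply.startswith("250"):
        return []  # rejected in-session: the sending MTA bears the cost
    if rcpt.lower() in VALID_RECIPIENTS:
        return [("deliver", rcpt)]
    # Accepted for an address that does not exist: the only way to report
    # failure now is a bounce to the (forged) envelope sender.
    return [("ndr", mail_from)]


def run_attack(victim_sender, guesses, recipient_filtering, tarpit_seconds=0.0, sleep=time.sleep):
    """Run a dictionary of local parts against the server and count the NDRs
    that would be aimed at the forged sender."""
    out = []
    for local in guesses:
        out += deliver(victim_sender, f"{local}@{ACCEPTED_DOMAIN}",
                       recipient_filtering, tarpit_seconds, sleep)
    return sum(1 for kind, dest in out if kind == "ndr" and dest == victim_sender)


if __name__ == "__main__":
    guesses = ["alice", "aaron", "abby", "adam", "bob", "brad"]  # constructed
    victim = "innocent@victim.example"  # constructed forged MAIL FROM
    print("NDRs without recipient filtering:", run_attack(victim, guesses, False))
    delays = []
    print("NDRs with filtering + tarpit:", run_attack(victim, guesses, True, 5.0, delays.append))
    print("seconds the attacker's session was stalled:", sum(delays))
```

Two of the six guesses exist, so the unfiltered server emits four NDRs to the forged address; the filtered server emits none and stalls the attacker for 20 seconds. Note that the model says nothing about messages already sitting in the queues, which is exactly the part of the question the configuration change cannot fix.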
Cdavis316 (Author) commented:
I ended up doing an MS support call. The queue issue required us to manually empty the queue from the program files\exchsrvr\ folder, and to add an RBL. That cleared everything up.
Miguel Angel Perez Muñoz commented:
Try blocking NDRs, and deleting queues. This may help you: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21108443.html
Add an SPF record to fight against email spoofing: http://www.openspf.org/ This may help to abort future attacks.
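What an SPF record actually buys you, as an added example that is not from the thread or from openspf.org: a receiving MX looks up the TXT record of the MAIL FROM domain and compares the connecting IP against it. If the record ends in `-all` and the IP does not match, the MX can refuse the message inside the session, so it never accepts the forged mail and never bounces it back to the address the spammer forged. That is the path by which publishing SPF for your own domain reduces the backscatter you receive, and by which checking SPF on inbound mail stops your server from generating backscatter for others. The evaluator below covers the `ip4`, `ip6`, `a`, `mx` and `all` terms that a small site's record normally uses; the DNS table is constructed and stands in for real lookups.

```python
"""Minimal SPF (RFC 7208) evaluator for the mechanisms a small site typically
publishes: ip4, ip6, a, mx and the 'all' qualifier. Added illustration of what
a receiving MX does with the record; the domains, addresses and DNS answers
are constructed, not real lookups."""
import ipaddress

# Constructed DNS answers. In production these come from real queries.
DNS = {
    "example.com": {"TXT": ["v=spf1 mx ip4:203.0.113.25 -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.10"]},
    "softfail.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "nospf.example": {"TXT": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])


def check_spf(client_ip, mail_from_domain):
    """Return pass/fail/softfail/neutral/none for an SMTP client at client_ip
    that claims a MAIL FROM in mail_from_domain."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in _lookup(mail_from_domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"  # no record, or an ambiguous set: nothing to enforce
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128; a different IP version never matches.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a)
                          for a in _lookup(arg or mail_from_domain, "A"))
        elif mech == "mx":
            hosts = _lookup(arg or mail_from_domain, "MX")
            matched = any(ip == ipaddress.ip_address(a)
                          for h in hosts for a in _lookup(h, "A"))
        elif mech == "all":
            matched = True
        else:
            continue  # include/exists/redirect are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # walked off the end of the record without a match


def smtp_decision(client_ip, mail_from):
    """What a receiving MX does at MAIL FROM: reject a hard fail inside the
    session, so it never accepts the forged message and never bounces it."""
    domain = mail_from.rpartition("@")[2]
    result = check_spf(client_ip, domain)
    if result == "fail":
        return f"550 5.7.1 SPF fail: {client_ip} is not authorised to send for {domain}"
    return f"250 2.1.0 OK (spf={result})"


if __name__ == "__main__":
    for ip, sender in [("203.0.113.25", "real@example.com"),
                       ("192.0.2.7", "forged@example.com"),
                       ("192.0.2.7", "anyone@nospf.example")]:
        print(ip, sender, "->", smtp_decision(ip, sender))
```

The third case is the point for the original poster: a domain with no record gets `none`, and a receiver has nothing to enforce, so forged mail claiming that domain is accepted and any failure is bounced to it. A `~all` record only yields `softfail`, which most receivers accept and tag rather than reject.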
Neil Russell (Technical Development Lead) commented:
And read the whole section found here:

Clean Up the Exchange Server's SMTP Queues: http://support.microsoft.com/kb/324958#6
Cdavis316 (Author) commented:
Already blocked NDRs, and cleared queues with aqadmcli. My real concern is that the queues still fill after being cleared, with outdated messages. I read somewhere that this is a notoriously common problem (queues inaccurate after a spam NDR attack).
Suliman Abu Kharroub (IT Consultant) commented:
Block this domain on your firewall... then no traffic can reach your server from that domain/IP address.
Cdavis316 (Author) commented:
Good idea, sulimanw.
Cdavis316 (Author) commented:
I actually need to block a TLD, which I've read isn't possible with filtering. I'll block it at the SonicWall and see if things subside.
Neil Russell (Technical Development Lead) commented:
IF you have closed your open relay AND disabled NDR generation, then blocking ANY domain at any level will not change things.
Cdavis316 (Author) commented:
I'm 100% sure that we aren't running an open relay and that NDR generation is disabled. What could be causing the queues to fill with back-dated e-mail?
Neil Russell (Technical Development Lead) commented:
Disable your inbound connection to the server and watch the queues?
Glen Knight commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.