Solved

Exchange 2007 NDR (backscatter) spam

Posted on 2012-04-10
Last Modified: 2012-04-10
I am having problems fighting NDR (backscatter) spam on an Exchange 2007 server.
I have been using the Exchange Antispam modules for a few years now. But last week a client started to receive hundreds of NDRs (apparently created by my Exchange 2007 server). It is unlikely that he is sending spam.

1. I have tested my SPF records. It all looks OK.
2. I've tested that it is not an open relay.
3. I have disabled "Allow non delivery reports" on the Hub Transport default remote domain.
4. Tried to restart services on the Hub Transport role server.

NDR spam still arrives as if nothing has changed. Is there anything else I can do?
Question by:ivugrinec
6 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37827275
Do you receive email directly to your server or are you using a 3rd party smarthost to receive your mail and pass it on to you?

If the latter, then you have to enable Recipient Filtering on your Smarthost otherwise the problem won't go away.

If the former - then turn off the Exchange AV and install a trial of Vamsoft ORF and then the problem will go away (with Recipient Filtering enabled).
 

Author Comment

by:ivugrinec
ID: 37827300
I have an Exchange 2007 Hub Transport role server published via Microsoft Forefront TMG. So I think it is "directly".

Recipient Filtering is (and was) enabled all this time, as are most of the Antispam modules (DNS blocklists, etc.).

Is there a Microsoft solution? I have no budget for a 3rd party solution.
 

Author Comment

by:ivugrinec
ID: 37827304
Well, ORF is pretty cheap. I will consider that as a solution.

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827322
I have never been a fan of the MS Anti-Spam and disable it on all servers I manage as it is too inflexible for my liking.  ORF is a very good and very cheap product and you don't have to renew it if you don't want to - and if you don't renew it, it will continue to work happily.  Should you then decide to upgrade to the latest version, you would have to buy it again.

$239 is a great price and I am sure you will like it and I can help you configure it if you have any questions.

Regarding the receipt of emails 'directly', if your MX record(s) point to your server's IP Address, then you receive email directly.  You can check this on www.mxtoolbox.com
 

Author Comment

by:ivugrinec
ID: 37827332
I receive my email directly.
Do you know if ORF is as good as GFI MailEssentials? Does ORF have an intelligent (Bayesian, or statistical, or some other mathematical, probability) filter?
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 37827346
Don't know GFI Mail Essentials.  ORF doesn't use Bayesian or any other type of filtering - it looks primarily at the source of the email and if blacklisted, badly configured, lacking Reverse DNS etc, it will reject it.  Its major tool is Greylisting, which temporarily rejects the first connection attempt from a new sender (which kills most spam immediately).  Upon the second send attempt, it will listen more readily to the connection and if the server passes all the other checks, it will let the email through.

Coupled with the Auto-Sender Whitelist, when an internal sender emails someone externally, it will add the Recipient to the Auto-Sender Whitelist and when the external Recipient replies to the internal user, the email goes through far fewer checks and usually just sails straight through.

As a guide, I have received 37 spam emails since January 2011.
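
The greylisting and auto-sender whitelist behaviour described in the answer above, as an added Python sketch that is not part of the original thread and is not ORF's code. The triplet key, the 300-second retry delay, the reply texts and the sample addresses are assumptions made for illustration; because the rejection happens inside the SMTP session, the receiving server never has to generate an NDR for the refused message.

```python
import time

GREYLIST_DELAY = 300  # assumed minimum retry wait in seconds (not an ORF default)

class GreylistFilter:
    """Toy model of greylisting combined with an auto-sender whitelist."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}         # (client_ip, sender, recipient) -> first attempt time
        self.auto_whitelist = set()  # external addresses internal users have mailed

    def record_outbound(self, internal_sender, external_recipient):
        # An internal user wrote to this address, so a reply from it is expected.
        self.auto_whitelist.add(external_recipient.lower())

    def check_inbound(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply given at RCPT TO for one delivery attempt."""
        now = time.time() if now is None else now
        sender, recipient = sender.lower(), recipient.lower()
        # The envelope sender is unauthenticated, so a real filter would still
        # run its other checks here; this model only skips the greylist step.
        if sender in self.auto_whitelist:
            return "250 OK (auto-sender whitelist)"
        key = (client_ip, sender, recipient)
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # Temporary failure: a standards-following MTA queues and retries,
            # most bulk senders never come back.
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK (passed greylisting)"

def demo():
    """Replay constructed SMTP sessions (documentation IPs and domains)."""
    f = GreylistFilter()
    t0 = 1_000_000
    rcpt = "user@corp.example"
    out = [
        f.check_inbound("192.0.2.10", "bulk@spam.example", rcpt, t0),           # first try
        f.check_inbound("192.0.2.10", "bulk@spam.example", rcpt, t0 + 30),      # retry too soon
        f.check_inbound("198.51.100.7", "partner@vendor.example", rcpt, t0),    # first try
        f.check_inbound("198.51.100.7", "partner@vendor.example", rcpt, t0 + 600),  # proper retry
    ]
    f.record_outbound(rcpt, "client@customer.example")
    out.append(f.check_inbound("203.0.113.5", "client@customer.example", rcpt, t0))
    return out

if __name__ == "__main__":
    for reply in demo():
        print(reply)
```
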