Exchange 2010: Several DnsConnectorDelivery's In The Queue Viewer That Looks Like Spam

Posted on 2012-09-06
Last Modified: 2012-09-10
I found the following article that deals with a similar issue that I'm seeing, but I'm still wondering if someone is somehow able to send out spam through our MSExchange 2010 Server.

The reference says, "the default behavior for Exchange is to accept inbound mail completely and then checks the recipients. If there is no recipient on Exchange, an NDR will be sent back to the sender which in many cases of spam is faked or originated from all over the Internet. This is what I suspect happens to your server."

Also, I've suspended some of the connectors and then noticed that the messages don't get delivered; for example, I sent a message from my Gmail account and I noticed that the Gmail DnsConnectorDelivery popped up, so I suspended it to see what would happen. When suspended, the messages from the Gmail domain don't get delivered until I resume the DnsConnectorDelivery (btw, the connectors that I suspect are spam I have suspended, and they are sitting in a suspended state now). FYI, we are running the Anti-Spam features, and in Recipient Filtering we have selected "Block messages sent to recipients that do not exist in the Directory."

Other factors are that our Default Receive Connector's Network Settings are set to the following:

Use These local IP Addresses To Receive Email:
(All Available IPv6) Port 25
(All Available IPv4) Port 25

Receive Mail From Remote Servers That Have These IP Addresses:
Start Address ::
End Address ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Start Address
End Address

And under Permissions all check boxes are selected.

Can I limit the addresses or permissions without breaking what's working? I'm not sure of the changes that need to happen if any.
    LVL 35

    Assisted Solution

    Mmh, I guess a question with different aspects.

    First of all...
    an NDR is sent when "Block messages sent to recipients that do not exist in the Directory."
    is disabled. Otherwise Exchange refuses the connection. That means as soon as the sender sends the SMTP recipient information, Exchange cuts off the connection. The sending server will produce a message like "...server doesn't like user...".

    If you have a lot of messages looking like spam, you may investigate the source and target of such mails. One option is that your server really produces NDRs and tries to send them out. This may happen if a sender uses different e-mail addresses as targets, where only one or a few are valid.
    The other option (should not happen with your settings) is that somebody sends spam with your e-mail domain as sender. If the NDR comes back, you have something like a loop.

    Having multiple connections to the outside world is in general nothing unusual; if one internal sender sends e-mail to a lot of recipients, you get a lot of connections in the queue.

    If you have outgoing targets which are suspicious, you may investigate the mail in the queue to see what you can find inside. Sending mails to a bunch of users with at least one valid address is a way to knock out the setting you made to avoid it.

    Maybe it is an idea to work with IP block list providers like spamcop or spamhaus; this can catch such mails before they reach the queue. The effect is the same: if a sender IP is blacklisted, Exchange just cuts the connection.

    Author Comment

    When I view the messages in the General tab from the Queue Viewer they all have the following:

    From Address: <>
    Message Source Name: DSN
    Source IP
    SCL: -1

    Note: the recipient in this case is not real and is being used as an example. However the recipients that I'm seeing are real email addresses and are not destined for anyone in our domain. They very much look like spam type addresses.
    LVL 14

    Assisted Solution

    Looks like a Reverse NDR attack.

    You can put a stop to it by enabling Recipient Validation - use this command:
    Set-RecipientFilterConfig -RecipientValidationEnabled $true


    If that doesn't work (and it should have worked), here is one guy's very creative alternative fix:
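An added example (not code from the thread or from Microsoft) showing how to confirm from the Exchange Management Shell that recipient validation and the IP block list providers discussed in this thread are actually in effect on the Hub Transport server; the Spamhaus lookup domain is the public one and is an assumption about which list the asker wants to add:

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on
# the Hub Transport server where the anti-spam agents are installed.

# 1. Recipient validation: with RecipientValidationEnabled the server rejects unknown
#    recipients during the SMTP RCPT TO command, so the message is never accepted and
#    no NDR (backscatter) is generated. The checkbox named in the thread maps to this.
$rf = Get-RecipientFilterConfig
"Recipient filter enabled: $($rf.Enabled)  validation: $($rf.RecipientValidationEnabled)"
if (-not ($rf.Enabled -and $rf.RecipientValidationEnabled)) {
    Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
}

# 2. The filter only runs on anonymous sessions. A receive connector open to the whole
#    Internet (:: to ffff:..., as in the question) is normal for inbound mail, but
#    the ExchangeServers / ExchangeLegacyServers permission groups carry the
#    ms-Exch-Bypass-Anti-Spam right, so review what each connector grants.
Get-ReceiveConnector |
    Format-Table Identity, PermissionGroups, AuthMechanism, RemoteIPRanges -AutoSize

# 3. IP block list providers reject the connection before RCPT TO, so listed hosts
#    never reach the queue at all. List what is configured, then add one if missing.
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled, Priority -AutoSize

$lookup = "zen.spamhaus.org"   # assumption: Spamhaus combined zone; pick your provider
if (-not (Get-IPBlockListProvider | Where-Object { $_.LookupDomain -eq $lookup })) {
    Add-IPBlockListProvider -Name "Spamhaus ZEN" -LookupDomain $lookup `
        -AnyMatch $true -Enabled $true
}

# 4. Providers are ignored unless connection filtering itself is enabled, so check it
#    and the filter agents last.
Get-IPBlockListProvidersConfig | Format-List Enabled, ExternalMailEnabled
Get-TransportAgent | Where-Object { $_.Identity -like "*Filter*" } |
    Format-Table Identity, Enabled -AutoSize
```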
    LVL 35

    Accepted Solution

    Recipient filter is set, as I can understand...

    And it is a classic NDR

    The point with such mails is that somebody sends you mails with a couple of recipients, where at least one of them is valid. This way they either find more valid addresses (everything that doesn't come back), or it is just a trick to try to pass the limitations.

    The solution is to keep out such mail at all.
    Kaffient posted one method - a smarthost -, this moves the filtering task to a provider - I usually prefer to use blacklist databases. At least they filter out nearly 99%

    You can try it...
    Just add to your IP Block List providers (Exchange Antispam),,,
    one or all of them....

    Author Comment

    Thanks for the replies. So it does look like I've got a Reverse NDR Attack of some sort on my hands; I'm thinking it's looking more like Directory Harvesting after looking into it further.

    Yes, the Recipient Filtering is already set to True; as mentioned, it was turned on by selecting the check box "Block messages sent to recipients that do not exist in the Directory."

    Also, we have been using Spamhaus as one of the IP Block List Providers. Maybe it's not enough, I don't know, so I'm going to add some of the others and see if that helps.

    I have also seen that disabling NDRs might help with this issue, but then legitimate senders will not see bounced messages if they wrongly type in an email address. Any other suggestions on how to deal with these issues?
    LVL 35

    Assisted Solution

    > I have also seen that disabling NDRs might...
    yes, you are right, it affects legitimate NDRs too....

    You will never be able to filter all of such tries, but if you can limit it to a normal amount of false NDRs, your Exchange can live with this in my mind. Exchange will throw them out after a while.

    Otherwise you have to invest in additional spam filter technology, and the closer you want to get to 100%, the more expensive it will be.

    Author Comment

    I now have a better understanding of what might be going on with the Exchange Queue and can see that it's some sort of reverse NDR attack and can look into taking appropriate actions. However, I'm still not sure or confident that my email server is not being used somehow to send out spam. Hopefully any attempts die before going out. How can I be sure that I'm not somehow relaying spam?
    LVL 35

    Assisted Solution

    You can use these tools...

    But I'm quite sure, if your server were open, your server would have thousands of such messages. And it would be blacklisted. Also do the blacklist test on this site....
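An added example (not code from the thread) that answers the asker's last two questions from the Exchange Management Shell: it separates the server's own DSNs in the queue from everything else, as the earlier answer suggested, and then checks the receive connectors for anonymous relay rights. Accepted-domain matching is exact, so wildcard accepted domains are an assumption left unhandled here:

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.

# 1. Every NDR the server generates itself has a null sender (shown as "<>") and the
#    message source "DSN", exactly what the asker saw in Queue Viewer. Group them by
#    destination queue to see which remote domains are receiving backscatter.
$dsn = Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq "<>" -and $_.MessageSourceName -eq "DSN" }
$dsn | Group-Object -Property Queue | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The recipients of a few sample NDRs are the forged senders of the original spam;
# -IncludeRecipientInfo populates the Recipients field.
$dsn | Select-Object -First 5 | ForEach-Object {
    Get-Message -Identity $_.Identity -IncludeRecipientInfo
} | Format-List Identity, Subject, Recipients, DateReceived

# 2. Open-relay check: an anonymous sender can relay through this server only if some
#    receive connector grants NT AUTHORITY\ANONYMOUS LOGON the extended right
#    ms-Exch-SMTP-Accept-Any-Recipient. None of the standard permission groups grants
#    it to anonymous users, so an Internet-facing connector should return nothing.
$relay = Get-ReceiveConnector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny }
if ($relay) { $relay | Format-Table Identity, User, ExtendedRights -AutoSize }
else        { "No receive connector allows anonymous relay." }

# 3. Anything queued for external delivery that is not a DSN and not from one of your
#    accepted domains would be real relayed mail (or an internal account sending with a
#    foreign From address); with recipient validation on, expect this to be empty.
$ours = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
Get-Queue -Filter { DeliveryType -eq "DnsConnectorDelivery" } |
    ForEach-Object { Get-Message -Queue $_.Identity } |
    Where-Object {
        $_.FromAddress -ne "<>" -and
        $ours -notcontains ($_.FromAddress -split "@")[-1].ToLower()
    } | Format-Table Queue, FromAddress, Subject, DateReceived -AutoSize
```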
