HaulnSS

Exchange messages being sent from postmaster@domainname.com

I have been battling a problem for a few days.  Exchange 2003 on SBS, email queue filling up with NDRs from postmaster@domainname.com to random email addresses.  So, I think the server is an open relay.  Check all the settings and run it against mxlookup, it is not an open relay.  Then I think it has to be a reverse NDR attack, I checked the settings on Message Delivery and Filter recipients is checked.  I check the SMTP connector and can't honestly remember now if Recipient Filters was checked originally, but it is now.  I restart Exchange and SMTP, still getting emails filling the queue.
I also get emails trying to be delivered locally to domainnameArchive@domainname.com.  This seems to be a cut-and-dried reverse NDR attack, but I can't seem to get the filtering to engage.
Any ideas are appreciated.  I travel a lot and may not respond quickly, but will respond.
Simon Butler (Sembee)

The filtering is probably working, it is just that you are having to deal with the after effects.
When a spammer finds a server he can abuse, he will abuse it - dumping 1000s of messages on to the server. Exchange cannot process them and the queue viewer doesn't display them all. Therefore it can take some hours to clear them.

http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

You can verify that recipient filtering is enabled by using telnet to the server and trying to deliver to a non-valid recipient, it should get rejected.

Simon.
If your server was an Open Relay you wouldn't be seeing mail from Postmaster - you would be seeing mail from randomsender@randomdomain.com
Nicolus

Hi there,

First let me give you some words of encouragement...  you will get through this... as much of a pain in the butt as it is, it is easily fixable if you follow these steps.

1 - In 100% of my experience an NDR attack has been due to a transfer of password information to the bad guys.  So FIRST, run a solid antivirus / malware scan on everyone's PC.  Second, change everyone's password.  AVAST AV has a great feature in that you can run a boot scan where it can scan the HD before the OS even loads so that it can check Windows files that are normally inaccessible to scans.

2 - Read this...  This is going to be your bible on this: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

3 - You'll need to keep an eye on whether or not you're blacklisted as a result of all this email traffic.

I'll keep my eye on this post for your response.
Testing through telnet to check whether your server is open for relay or not is a good option.
Changing passwords is one thing that should be done.
An AV check on the concerned machine is another thing that is necessary.
The Exchange server should have its files excluded from being scanned by the AV also - as a best practice.
HaulnSS (ASKER)

Thank you for the responses.  I have been watching MX blacklist closely and haven't seen the server black listed at anytime, which confuses me...  
Anyway, I have gone through the link above as a result of searching for information on this before asking the question.  I do run into a snag however, when I telnet and type ehlo testdomain.com, I receive "500.3.3 Unrecognized command."
SOLUTION
Alan Hardisty

HaulnSS (ASKER)

Thank you alanhardisty, checkor site is currently unavailable.  Do you think it would take more than a couple days to clean up from NDR attack?  I have had to delete about 30 emails in the last several hours.
Darn websites!

Shouldn't take that long to clean it up - once Recipient Filtering is enabled that should take care of it.

If you want a more robust Anti-Spam solution, try Vamsoft ORF which is now available for Trial for 45 days instead of 30.  New version just released.

That should tidy up your problem for 45 days happily - then you just need to decide if you like it enough to buy it.
HaulnSS (ASKER)

I actually use GFI Mailessentials, however, while troubleshooting this problem, I uninstalled it.  The Exchange portion of this server is forwarding email to another domain.
Scenario:  Company was bought out and parent company wanted all emails added to their domain.  I am forwarding any email to a valid recipient to their email on the parent server.  This is just to make sure people they don't communicate with often, still are able to email the user.
Am I creating any problems by doing that?
Fair enough - bit overkill to uninstall it but not to worry.  I'd put it back as soon as you can.

Nope - that sounds fine.
How are you doing the forwarding?
Are you doing a blanket forward where no user exists?
It can take some time to clean up a server that is under NDR attack, I think my record is something like six hours. An abused server is a pain to clean up, and if you aren't careful you will lose legitimate email. Turning off port 25 on the firewall for a period can help.
If you have a PIX, then that can cause problems as well - more problems than it protects against.

Simon.
HaulnSS (ASKER)

Simon, actually using an ASA Cisco Firewall.  I am still getting new items introduced, looks like the emails are going to companynameArchive@domainname.com, and then being sent from postmast@domainname.com.
Still got several new ones in queue from this weekend.
ASA is just as bad. So bad that Microsoft have an article about it on their own web site:
http://support.microsoft.com/kb/320027

The issue though is how you are doing the forwarding that you mentioned above.

Simon.
HaulnSS (ASKER)

Sorry, forgot to answer that question.  I am forwarding individual emails, not a blanket forward.
If you are doing individual forwarding then you should be able to use recipient filtering to block these emails. If you were doing some kind of blanket forward then that wouldn't work as those methods depend on Exchange not recognising the user and sending it on.

Simon.
HaulnSS (ASKER)

I have tested recipient filtering, seems to be working with the exception of domainnameArchive@domainname.com I can send to that address and it sits in the Queue, under local delivery.  I get several messages in this queue a day.
HaulnSS (ASKER)

I am still getting several emails being sent daily via postmaster@domain.com
Are you sure those messages are coming from outside and not some internal process? It isn't an address format that I recognise.

Simon.
HaulnSS (ASKER)

I honestly don't know where they are coming from.  I can email the domainnameArchive@domainname.com from an outside address, and the server accepts it and it just sits there in local delivery.  That appears to be the only problem left, I haven't had emails going to random domains since yesterday.
Does it reject any other email address that you attempt to send to?
If not, then recipient filtering isn't working correctly.

Simon.
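The check Simon describes (earlier, via telnet, and again here: RCPT TO an address that should not exist and expect a rejection) as an added example in Python, not code from the thread. It drives an SMTP session with HELO / MAIL FROM / RCPT TO only, never DATA, so nothing is delivered, and classifies each reply; an address that comes back accepted while the others are rejected is the pattern the asker saw with the archive address, meaning something (mailbox, contact, mail-enabled public folder) exists behind it. The `SimulatedExchange` class and the sample addresses are constructed so the block runs offline; for a live server, pass an `smtplib.SMTP` object instead.

```python
import smtplib  # used for the live case; the offline demo uses the simulator below


def classify(code: int) -> str:
    """Turn an SMTP reply code to RCPT TO into a verdict."""
    if 200 <= code < 300:
        return "accepted"    # server will take mail for it: something exists, or no recipient filtering
    if 400 <= code < 500:
        return "deferred"    # temporary failure (greylisting, backpressure): retest later
    if 500 <= code < 600:
        return "rejected"    # what recipient filtering should return for an unknown address
    return "unexpected"


def probe_recipients(session, addresses, sender="probe@example.invalid"):
    """HELO, MAIL FROM once, then RCPT TO each address; RSET at the end so no message is queued.
    `session` is anything exposing helo()/mail()/rcpt()/rset() like smtplib.SMTP."""
    session.helo("probe.example.invalid")   # HELO rather than EHLO keeps the transcript minimal
    session.mail(sender)
    results = {}
    for addr in addresses:
        code, _msg = session.rcpt(addr)
        results[addr] = (code, classify(code))
    session.rset()                          # abandon the envelope
    return results


def suspicious_accepts(results):
    """Addresses the server accepted although the operator expected them not to exist."""
    return sorted(a for a, (_code, verdict) in results.items() if verdict == "accepted")


class SimulatedExchange:
    """Constructed stand-in for a server with recipient filtering on, so the block runs offline:
    every address in `known` (mailbox, contact or mail-enabled public folder) gets 250, the rest 550."""
    def __init__(self, known):
        self.known = {a.lower() for a in known}
    def helo(self, name): return (250, b"ok")
    def mail(self, sender): return (250, b"2.1.0 Sender OK")
    def rset(self): return (250, b"2.0.0 Resetting")
    def rcpt(self, addr):
        if addr.lower() in self.known:
            return (250, b"2.1.5 Recipient OK")
        return (550, b"5.1.1 User unknown")


if __name__ == "__main__":
    # Live use (hostname is a placeholder): with smtplib.SMTP("mail.example.com", 25, timeout=15) as s: ...
    demo = SimulatedExchange(["domainnameArchive@domainname.com"])   # the thread's surprise: a public folder
    res = probe_recipients(demo, ["nobody-zz91@domainname.com", "domainnameArchive@domainname.com"])
    print(res)
    print("accepted but expected rejected:", suspicious_accepts(res))
```

A 4xx on every address usually means the probe itself is being throttled or greylisted rather than a filtering problem, so retest before drawing conclusions.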
HaulnSS (ASKER)

Sembee2, It does reject all other random addresses I have tried to send to.  I can't figure out why it is accepting for that mailbox, since it doesn't exist.
The outgoing mail does seem to be rectified.  I tried so many things, I can't recall which item actually fixed it...
ASKER CERTIFIED SOLUTION
HaulnSS (ASKER)

Sembee2, sorry for late reply.  You were right, it was a public folder.  Didn't know it existed.  I have all problems resolved.  Thank you!
HaulnSS (ASKER)

I had to split the points, since I originally had two problems that you both helped me solve.
Thank you!