Very Frustrating

Very Frustrating (Full Version)

All Forums >> [Microsoft Exchange 2003] >> General

Message

Randy Temple -> Very Frustrating (27.May2004 6:53:00 PM)
Ok i have about 147 queues with over 1000 messages in my queue. I know i am not being relayed becuase i have taken the proper percautions. I have figured out what is happening. The spammer sends a helo statement to my mail server. He uses the mail from command puts in a bogus email like asdf@company.com. I tested a bogus email liek this and my mail server accepted it. then he types in the destination address. Since they can not relay my server is busy sending ndr to non existant accoutns. Anyway to stop this from happening. I do not want my server to accept only mail from command from people within our domain. IS this possible?

Randy Temple -> RE: Very Frustrating (27.May2004 6:59:00 PM)
The main problem is these messages keep trying to re-send, Since my mail server will not relay the email it is trying to send an NDR out. It cant do this because it is not a valid email address. I really do not want to turn of the NDR option becuase i would like my users to know if thier email didnt go through, but i also do not want to see a ton of queues everytime i go into my esm. Has anyone else come across this problem?

Randy Temple -> RE: Very Frustrating (27.May2004 7:02:00 PM)
I found out what is happening: a reverse ndr attack! What is a "Reverse NDR" attack? -------------------------------------------------------------------------------- CMS announced RNDR. Now other "rediscover" it. In 2003 CMS issued an RNDR spam warning in a press release. Some were publicly skeptical, but now others have "rediscovered" RNDR. Read story... -------------------------------------------------------------------------------- Some claim that RNDR spam is all hype and fabrication, but these people would disagree... Customer Quote: This (NDR Attack) has been a big problem for us, particularly over night, when our exchange server was sending our great batches of NDRs in response to randomly chosen email addresses at our domain. Stephen H. IT Mgr - KCE Europe Customer Quote: The product [Praetor] was suggested by Microsoft Tech Support to address an NDR SPAM attack on our server... Private School Principal New Jersey Customer Quote: "We called Microsoft Support about the reverse NDR problem only to find out that Microsoft doesn't have a solution for it." Referred to CMS, Praetor was the solution to halt RNDR attacks. Stephan van Heerden IT Administrator Media Profile Is your email RNDR safe? TAKE THE TEST CMS RNDR Press Release READ... Spammers have a new means to avoid filters built into many systems. They take advantage of a mail systems sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents. CMS calls this a "Reverse NDR attack" (RNDR). A few customers have experienced this, some so badly that over 33% of their Internet messages are attributed to this type of spam. The end result is the spammer has attained a new form of mail relaying. Your server's resources are being stolen to deliver spam. -------------------------------------------------------------------------------- How does a "Reverse NDR" attack work? Step 1 Spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field. Step 2 Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim. Step 3 The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam. -------------------------------------------------------------------------------- What are the symptoms of a RNDR attack? Sluggish email delivery Outbound queues full of non-delivery notices Excessive admin time to clear outbound queues If you are experiencing any of the above, chances are good your mail server is under attack. I HATE SPAMMERS!

wtb5 -> RE: Very Frustrating (27.May2004 7:22:00 PM)
and IÆm betting that Microsoft thought net-admins would never want to turn off non-delivery replies ......

Randy Temple -> RE: Very Frustrating (27.May2004 7:33:00 PM)
Funny i was looking a poking through articles this has been around since 5.5 i just have never had the pleasur of dealing with it. Funny they have know about it forever and have yet to try to accomplish anything to solve the problem. Yes the new esm is great but make modifications to new releases that effect the end user in the greater scheme, being i want to send and recieve mail with little hassells in its simplest form. Microsoft quote "purchase 3rd party software to combat the issue" Nice answer.

wtb5 -> RE: Very Frustrating (28.May2004 7:02:00 PM)
If you go to the GFI site and do a search in their knowledge base for ôreverse NDRö they have a document (Article ID: KBID002019)that gives a suggestion to get around this issue: +++++++ How can I block emails that are arriving to email addresses that do not exist in my Exchange server? The information in this article applies to: GFI MailEssentials for Exchange/SMTP 9 GFI MailSecurity for Exchange/SMTP 8 Article ID: KBID002019 Query keywords: Accepting emails only for valid email addresses in your domain can only be done if you are using Exchange 2003. Previous versions of Exchange server did not have this functionality. Please follow this procedure to enable Exchange server 2003 to allow emails only for valid recipients: A. Enable filtering for recipients which are not found in Active Directory. 1. Open Exchange System Manager -> Global Settings -> right-click on Message Delivery and choose Properties. 3. Change to the "Recipient Filtering" tab 4. Enable the option "Filter recipients who are not in the Directory" 5. Click OK to close the window and save your changes. B. Enable the recipient filter on the SMTP Virtual Server. This will only need to be enabled on the SMTP virtual server that is receiving emails from the internet. 1. Open Exchange System Manager -> Administrative Groups -> Administrative Group Name -> Servers -> Protocols -> SMTP. 2. Right-click on the SMTP Virtual Server and select Properties 3. On the "General" tab click the "Advanced..." button 4. Choose the IP binding that that is listening on the Internet. Click the "Edit..." button. 5. Enable the option "Apply Recipient Filter" 6. Click OK through all the windows to save your changes. When someone tries to send an email to a user that does not exist in your Active Directory domain, they will receive the error: 550 5.5.1 User unknown The email is not received by Exchange server, since the error is given during the SMTP transmission. NOTES: 1. Enabling Exchange server to refuse connections for emails that are destined to not existing email addresses can allow spammers to build a list of valid email addresses in your domain. 2. Recently spammers have been trying to send emails to invalid email address. These will result in an NDR, however since the FROM email address of the original email would be the spammers target, the NDR would be sent to the spammers target. Enabling the above setting will help decrease these emails.

Randy Temple -> RE: Very Frustrating (28.May2004 7:24:00 PM)
Yea i went through the process and have denied many sites access to my exchange server. Seriously i think myslef and a tech could spend all day everyday trying to stop all the spam that comes in. Currently we are talking with MCI that has spam filteration and virus protection. It will do an integrity analysis, heuristic detection, bayesian filtering, content filtering, allows for black and white lists. We get to test it out for a month so if it works i will post something up.

Randy Temple -> RE: Very Frustrating (28.May2004 7:27:00 PM)
Good post though i will try the filtering.

CGTech -> RE: Very Frustrating (1.Jun.2004 7:19:00 PM)
Good post guys, I read this and realized it was exactly the same problem I have been dealing with.

lalala -> RE: Very Frustrating (6.Jul.2004 10:23:00 AM)
with reference to the post from user :wtb5 ,it is sad that we cannot config the m$ exchange 2000 server to fix that problem(but the exchange 2003 can) to fix the problem , anyone try ORF(open relay filter) from vamsoft.com can help the exchange 2000 ??

Page: [1]