Exchange Server Forums
Very Frustrating
Very Frustrating - 27.May2004 6:53:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
Ok, I have about 147 queues with over 1000 messages in my queue. I know I am not being relayed because I have taken the proper precautions. I have figured out what is happening. The spammer sends a HELO statement to my mail server. He uses the MAIL FROM command and puts in a bogus email like asdf@company.com. I tested a bogus email like this and my mail server accepted it. Then he types in the destination address. Since they cannot relay, my server is busy sending NDRs to non-existent accounts. Any way to stop this from happening? I do not want my server to accept only MAIL FROM command from people within our domain. Is this possible?
|
|
|
RE: Very Frustrating - 27.May2004 6:59:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
The main problem is these messages keep trying to re-send. Since my mail server will not relay the email, it is trying to send an NDR out. It can't do this because it is not a valid email address. I really do not want to turn off the NDR option because I would like my users to know if their email didn't go through, but I also do not want to see a ton of queues every time I go into my ESM. Has anyone else come across this problem?
|
|
|
RE: Very Frustrating - 27.May2004 7:02:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
I found out what is happening: a reverse ndr attack!
What is a "Reverse NDR" attack?
--------------------------------------------------------------------------------
CMS announced RNDR. Now others "rediscover" it.
In 2003 CMS issued an RNDR spam warning in a press release.
Some were publicly skeptical, but now others have "rediscovered" RNDR.
--------------------------------------------------------------------------------
Some claim that RNDR spam is all hype and fabrication, but these people would disagree...
Customer Quote: This (NDR Attack) has been a big problem for us, particularly overnight, when our Exchange server was sending out great batches of NDRs in response to randomly chosen email addresses at our domain.
Stephen H. IT Mgr - KCE Europe
Customer Quote: The product [Praetor] was suggested by Microsoft Tech Support to address an NDR SPAM attack on our server...
Private School Principal New Jersey
Customer Quote: "We called Microsoft Support about the reverse NDR problem only to find out that Microsoft doesn't have a solution for it."
Referred to CMS, Praetor was the solution to halt RNDR attacks.
Stephan van Heerden IT Administrator Media Profile
Spammers have a new means to avoid filters built into many systems. They take advantage of a mail system's sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents.
CMS calls this a "Reverse NDR attack" (RNDR). A few customers have experienced this, some so badly that over 33% of their Internet messages are attributed to this type of spam.
The end result is the spammer has attained a new form of mail relaying. Your server's resources are being stolen to deliver spam.
--------------------------------------------------------------------------------
How does a "Reverse NDR" attack work?
Step 1: Spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field.
Step 2: Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim.
Step 3: The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam.
--------------------------------------------------------------------------------
What are the symptoms of a RNDR attack?
- Sluggish email delivery
- Outbound queues full of non-delivery notices
- Excessive admin time to clear outbound queues
If you are experiencing any of the above, chances are good your mail server is under attack.
I HATE SPAMMERS!
|
|
|
RE: Very Frustrating - 27.May2004 7:22:00 PM
|
|
|
wtb5
Posts: 29
Joined: 5.Mar.2004
From: NY
Status: offline
|
and I'm betting that Microsoft thought net-admins would never want to turn off non-delivery replies ......
|
|
|
RE: Very Frustrating - 27.May2004 7:33:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
Funny, I was looking and poking through articles; this has been around since 5.5, I just have never had the pleasure of dealing with it. Funny they have known about it forever and have yet to try to accomplish anything to solve the problem. Yes the new ESM is great, but make modifications to new releases that affect the end user in the greater scheme, being I want to send and receive mail with little hassles in its simplest form. Microsoft quote: "purchase 3rd party software to combat the issue". Nice answer.
|
|
|
RE: Very Frustrating - 28.May2004 7:02:00 PM
|
|
|
wtb5
Posts: 29
Joined: 5.Mar.2004
From: NY
Status: offline
|
If you go to the GFI site and do a search in their knowledge base for "reverse NDR" they have a document (Article ID: KBID002019) that gives a suggestion to get around this issue:
+++++++
How can I block emails that are arriving to email addresses that do not exist in my Exchange server?
The information in this article applies to:
GFI MailEssentials for Exchange/SMTP 9
GFI MailSecurity for Exchange/SMTP 8
Article ID: KBID002019
Query keywords:
Accepting emails only for valid email addresses in your domain can only be done if you are using Exchange 2003. Previous versions of Exchange server did not have this functionality.
Please follow this procedure to enable Exchange server 2003 to allow emails only for valid recipients:
A. Enable filtering for recipients which are not found in Active Directory.
1. Open Exchange System Manager -> Global Settings -> right-click on Message Delivery and choose Properties.
3. Change to the "Recipient Filtering" tab
4. Enable the option "Filter recipients who are not in the Directory"
5. Click OK to close the window and save your changes.
B. Enable the recipient filter on the SMTP Virtual Server. This will only need to be enabled on the SMTP virtual server that is receiving emails from the internet.
1. Open Exchange System Manager -> Administrative Groups -> Administrative Group Name -> Servers -> Protocols -> SMTP.
2. Right-click on the SMTP Virtual Server and select Properties
3. On the "General" tab click the "Advanced..." button
4. Choose the IP binding that is listening on the Internet. Click the "Edit..." button.
5. Enable the option "Apply Recipient Filter"
6. Click OK through all the windows to save your changes.
When someone tries to send an email to a user that does not exist in your Active Directory domain, they will receive the error: 550 5.5.1 User unknown
The email is not received by Exchange server, since the error is given during the SMTP transmission.
NOTES:
1. Enabling Exchange server to refuse connections for emails that are destined to non-existent email addresses can allow spammers to build a list of valid email addresses in your domain.
2. Recently spammers have been trying to send emails to invalid email addresses. These will result in an NDR; however, since the FROM email address of the original email would be the spammer's target, the NDR would be sent to the spammer's target. Enabling the above setting will help decrease these emails.
|
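As an added illustration that is not part of the original posts or the GFI article: a small Python model of the RCPT TO decision discussed above, comparing accept-then-bounce with rejection during the SMTP session (the recipient filter), and showing the address-confirmation side effect from note 1. The domain, directory, addresses and every reply string except `550 5.5.1 User unknown` are constructed.

```python
# Added illustration: models only the RCPT TO decision described in the thread.
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.org"                           # constructed
DIRECTORY = {"alice@example.org", "bob@example.org"}   # stands in for Active Directory
OK = "250 2.1.5 OK"                                    # illustrative reply text

@dataclass
class MailServer:
    recipient_filter: bool        # "Filter recipients who are not in the Directory"
    ndr_queue: list = field(default_factory=list)   # outbound NDRs awaiting delivery
    delivered: list = field(default_factory=list)

    def rcpt_to(self, mail_from: str, rcpt: str) -> str:
        """Return the SMTP reply to RCPT TO for envelope sender mail_from."""
        rcpt = rcpt.lower()
        if rcpt.rpartition("@")[2] != LOCAL_DOMAIN:
            return "550 5.7.1 Unable to relay"       # illustrative: relaying is closed
        if rcpt in DIRECTORY:
            self.delivered.append((mail_from, rcpt))
            return OK
        if self.recipient_filter:
            # Rejected inside the SMTP session: nothing accepted, no NDR generated.
            return "550 5.5.1 User unknown"
        # Accepted, then found undeliverable: the server must mail an NDR to
        # whatever (forged) address was given in MAIL FROM.
        self.ndr_queue.append({"from": "<>", "to": mail_from, "about": rcpt})
        return OK

def replay(server, session):
    """Feed (mail_from, rcpt) pairs to the server; return the list of replies."""
    return [server.rcpt_to(mail_from, rcpt) for mail_from, rcpt in session]

def addresses_revealed(server, probes):
    """Local addresses a remote sender can confirm as valid from the replies alone."""
    replies = {p: server.rcpt_to("probe@sender.example", p) for p in probes}
    if len(set(replies.values())) < 2:    # every probe answered alike: nothing learned
        return set()
    return {p for p, r in replies.items() if r.startswith("250")}

# Constructed traffic: forged senders (the real targets), random local recipients.
SESSION = [
    ("victim1@target.example", "qwerty@example.org"),
    ("victim2@target.example", "asdf@example.org"),
    ("colleague@partner.example", "alice@example.org"),   # legitimate mail
]

if __name__ == "__main__":
    for flag in (False, True):
        s = MailServer(recipient_filter=flag)
        print(f"recipient_filter={flag}: replies={replay(s, SESSION)}")
        print(f"  NDRs queued to forged senders: {[n['to'] for n in s.ndr_queue]}")
```

With the filter off, both forged senders end up in the NDR queue; with it on, the queue stays empty but the differing replies confirm which probed addresses exist.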
|
|
RE: Very Frustrating - 28.May2004 7:24:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
Yeah, I went through the process and have denied many sites access to my Exchange server. Seriously, I think myself and a tech could spend all day every day trying to stop all the spam that comes in. Currently we are talking with MCI, which has spam filtration and virus protection. It will do an integrity analysis, heuristic detection, Bayesian filtering, content filtering, and allows for black and white lists. We get to test it out for a month, so if it works I will post something up.
|
|
|
RE: Very Frustrating - 28.May2004 7:27:00 PM
|
|
|
Randy Temple
Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
|
Good post though, I will try the filtering.
|
|
|
RE: Very Frustrating - 1.Jun.2004 7:19:00 PM
|
|
|
CGTech
Posts: 2
Joined: 1.Jun.2004
From: Atlantic Canada
Status: offline
|
Good post guys, I read this and realized it was exactly the same problem I have been dealing with.
|
|
|
RE: Very Frustrating - 6.Jul.2004 10:23:00 AM
|
|
|
lalala
Posts: 1
Joined: 6.Jul.2004
From: HK
Status: offline
|
With reference to the post from user wtb5, it is sad that we cannot configure the M$ Exchange 2000 server to fix that problem (but Exchange 2003 can).
To fix the problem, did anyone try ORF (Open Relay Filter) from vamsoft.com? Can it help Exchange 2000?
|
|
|