Very Frustrating

Very Frustrating - 27.May2004 6:53:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
Ok, I have about 147 queues with over 1000 messages in my queue. I know I am not being relayed because I have taken the proper precautions. I have figured out what is happening. The spammer sends a HELO statement to my mail server. He uses the MAIL FROM command and puts in a bogus email like asdf@company.com. I tested a bogus email like this and my mail server accepted it. Then he types in the destination address. Since they cannot relay, my server is busy sending NDRs to nonexistent accounts. Any way to stop this from happening? I do not want my server to accept only mail from command from people within our domain. Is this possible?
Post #: 1
RE: Very Frustrating - 27.May2004 6:59:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
The main problem is these messages keep trying to re-send. Since my mail server will not relay the email, it is trying to send an NDR out. It can't do this because it is not a valid email address. I really do not want to turn off the NDR option because I would like my users to know if their email didn't go through, but I also do not want to see a ton of queues every time I go into my ESM. Has anyone else come across this problem?

(in reply to Randy Temple)
Post #: 2
RE: Very Frustrating - 27.May2004 7:02:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
I found out what is happening: a reverse ndr attack!

What is a "Reverse NDR" attack?
--------------------------------------------------------------------------------
CMS announced RNDR. Now others "rediscover" it.

In 2003 CMS issued an RNDR spam warning in a press release.

Some were publicly skeptical, but now others have "rediscovered" RNDR.

--------------------------------------------------------------------------------

Some claim that RNDR spam is all hype and fabrication, but these people would disagree...

Customer Quote: This (NDR Attack) has been a big problem for us, particularly over night, when our exchange server was sending our great batches of NDRs in response to randomly chosen email addresses at our domain.

Stephen H. IT Mgr - KCE Europe

Customer Quote: The product [Praetor] was suggested by Microsoft Tech Support to address an NDR SPAM attack on our server...

Private School Principal
New Jersey

Customer Quote: "We called Microsoft Support about the reverse NDR problem only to find out that Microsoft doesn't have a solution for it."

Referred to CMS, Praetor was the solution to halt RNDR attacks.

Stephan van Heerden
IT Administrator
Media Profile


Spammers have a new means to avoid filters built into many systems. They take advantage of a mail system's sending of a non-delivery report (NDR), which returns the original contents, when a message cannot be delivered as addressed.

CMS calls this a "Reverse NDR attack" (RNDR). A few customers have experienced this, some so badly that over 33% of their Internet messages are attributed to this type of spam.

The end result is the spammer has attained a new form of mail relaying. Your server's resources are being stolen to deliver spam.


--------------------------------------------------------------------------------
How does a "Reverse NDR" attack work?
Step 1 Spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field.
Step 2 Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim.
Step 3 The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam.

--------------------------------------------------------------------------------
What are the symptoms of a RNDR attack?
Sluggish email delivery
Outbound queues full of non-delivery notices
Excessive admin time to clear outbound queues

If you are experiencing any of the above, chances are good your mail server is under attack.

I HATE SPAMMERS!

(in reply to Randy Temple)
Post #: 3
RE: Very Frustrating - 27.May2004 7:22:00 PM   
wtb5

 

Posts: 29
Joined: 5.Mar.2004
From: NY
Status: offline
and I'm betting that Microsoft thought net-admins would never want to turn off non-delivery replies ......

(in reply to Randy Temple)
Post #: 4
RE: Very Frustrating - 27.May2004 7:33:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
Funny, I was looking and poking through articles; this has been around since 5.5, I just have never had the pleasure of dealing with it. Funny they have known about it forever and have yet to try to accomplish anything to solve the problem. Yes the new ESM is great, but make modifications to new releases that affect the end user in the greater scheme, being I want to send and receive mail with little hassles in its simplest form. Microsoft quote: "purchase 3rd party software to combat the issue". Nice answer.

(in reply to Randy Temple)
Post #: 5
RE: Very Frustrating - 28.May2004 7:02:00 PM   
wtb5

 

Posts: 29
Joined: 5.Mar.2004
From: NY
Status: offline
If you go to the GFI site and do a search in their knowledge base for "reverse NDR" they have a document (Article ID: KBID002019) that gives a suggestion to get around this issue:

+++++++
How can I block emails that are arriving to email addresses that do not exist in my Exchange server?

The information in this article applies to:
GFI MailEssentials for Exchange/SMTP 9
GFI MailSecurity for Exchange/SMTP 8

Article ID: KBID002019
Query keywords:

Accepting emails only for valid email addresses in your domain can only be done if you are using Exchange 2003. Previous versions of Exchange server did not have this functionality.

Please follow this procedure to enable Exchange server 2003 to allow emails only for valid recipients:

A. Enable filtering for recipients which are not found in Active Directory.

1. Open Exchange System Manager -> Global Settings -> right-click on Message Delivery and choose Properties.
3. Change to the "Recipient Filtering" tab
4. Enable the option "Filter recipients who are not in the Directory"
5. Click OK to close the window and save your changes.

B. Enable the recipient filter on the SMTP Virtual Server. This will only need to be enabled on the SMTP virtual server that is receiving emails from the internet.

1. Open Exchange System Manager -> Administrative Groups -> Administrative Group Name -> Servers -> Protocols -> SMTP.
2. Right-click on the SMTP Virtual Server and select Properties
3. On the "General" tab click the "Advanced..." button
4. Choose the IP binding that is listening on the Internet. Click the "Edit..." button.
5. Enable the option "Apply Recipient Filter"
6. Click OK through all the windows to save your changes.

When someone tries to send an email to a user that does not exist in your Active Directory domain, they will receive the error:
550 5.5.1 User unknown

The email is not received by Exchange server, since the error is given during the SMTP transmission.

NOTES:
1. Enabling Exchange server to refuse connections for emails that are destined for non-existent email addresses can allow spammers to build a list of valid email addresses in your domain.

2. Recently spammers have been trying to send emails to invalid email addresses. These will result in an NDR; however, since the FROM email address of the original email would be the spammer's target, the NDR would be sent to the spammer's target. Enabling the above setting will help decrease these emails.

(in reply to Randy Temple)
Post #: 6
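
An added illustration (not part of the original posts or the GFI article): a small Python model of the two behaviours discussed above, accept-then-bounce versus rejecting unknown recipients during the SMTP session. The directory, the envelopes and the `250 OK` reply text are constructed or simplified for the example; only the `550 5.5.1 User unknown` reply comes from the article.

```python
from collections import Counter

# Constructed sample data: a tiny directory and inbound (MAIL FROM, RCPT TO) pairs.
DIRECTORY = {"alice@example.org", "bob@example.org"}
INBOUND = [
    ("victim1@example.net", "qzxv@example.org"),    # forged sender, random recipient
    ("victim2@example.net", "asdf@example.org"),    # forged sender, random recipient
    ("victim1@example.net", "jkl12@example.org"),   # forged sender, random recipient
    ("partner@example.com", "alice@example.org"),   # legitimate mail
    ("partner@example.com", "allice@example.org"),  # honest typo by a real sender
]

def receive(envelopes, directory, recipient_filter):
    """Return (delivered, ndr_queue, smtp_replies) for one inbound batch."""
    delivered, ndr_queue, replies = [], [], []
    for mail_from, rcpt_to in envelopes:
        known = rcpt_to.lower() in directory
        if recipient_filter and not known:
            # Refused at RCPT TO: the message is never accepted, so this
            # server never owns anything it would have to bounce.
            replies.append((rcpt_to, "550 5.5.1 User unknown"))
            continue
        replies.append((rcpt_to, "250 OK"))  # simplified reply text
        if known:
            delivered.append((mail_from, rcpt_to))
        else:
            # Accepted but undeliverable: an NDR with a null sender is queued
            # to MAIL FROM, an address the connecting client chose freely.
            ndr_queue.append({"mail_from": "<>", "rcpt_to": mail_from,
                              "about": rcpt_to})
    return delivered, ndr_queue, replies

def backscatter_targets(ndr_queue):
    """Count queued NDRs per destination address."""
    return Counter(ndr["rcpt_to"] for ndr in ndr_queue)

if __name__ == "__main__":
    for flag in (False, True):
        delivered, ndrs, replies = receive(INBOUND, DIRECTORY, flag)
        print(f"recipient_filter={flag}: delivered={len(delivered)} "
              f"ndrs_queued={len(ndrs)} targets={dict(backscatter_targets(ndrs))}")
```

With the filter on, the honest-typo sender still learns of the failure, because the 550 reply makes the sending server produce the bounce for its own user. The filter acts on inbound recipients only, so NDRs for mail your own users send are unaffected.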
RE: Very Frustrating - 28.May2004 7:24:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
Yeah, I went through the process and have denied many sites access to my Exchange server. Seriously, I think myself and a tech could spend all day every day trying to stop all the spam that comes in. Currently we are talking with MCI, which has spam filtration and virus protection.
It will do an integrity analysis, heuristic detection, bayesian filtering, content filtering, allows for black and white lists. We get to test it out for a month so if it works i will post something up.

(in reply to Randy Temple)
Post #: 7
RE: Very Frustrating - 28.May2004 7:27:00 PM   
Randy Temple

 

Posts: 158
Joined: 1.Aug.2002
From: Michigan
Status: offline
Good post though, I will try the filtering.

(in reply to Randy Temple)
Post #: 8
RE: Very Frustrating - 1.Jun.2004 7:19:00 PM   
CGTech

 

Posts: 2
Joined: 1.Jun.2004
From: Atlantic Canada
Status: offline
Good post guys, I read this and realized it was exactly the same problem I have been dealing with.

(in reply to Randy Temple)
Post #: 9
RE: Very Frustrating - 6.Jul.2004 10:23:00 AM   
lalala

 

Posts: 1
Joined: 6.Jul.2004
From: HK
Status: offline
With reference to the post from user wtb5, it is sad that we cannot config the m$ Exchange 2000 server to fix that problem (but Exchange 2003 can).

To fix the problem, has anyone tried ORF (Open Relay Filter) from vamsoft.com? Can it help Exchange 2000?

(in reply to Randy Temple)
Post #: 10
