reverse NDR attack exchange 2003


  • reverse NDR attack exchange 2003

    Has anyone experienced a reverse NDR attack on SBS (Exchange 2003)?

    Please suggest preventive measures other than those below, which I have already taken care of.
    There is no open relay
    Enabled recipient filter
    Frozen all junk queues
    Deleted messages from those junk queues (however, I do not know how to remove those queues?? Help!!)
    Rajeev

  • #2
    Re: reverse NDR attack exchange 2003

    Enabling "filter recipients not in directory" is all you really need (make sure to also enable it on the SMTP virtual server, not just in the global settings).

    As for cleanup, it depends how much mail is queued; if it's not that bad, manually clean the queues, otherwise use aqadmcli.

    http://jeremiahcook.blogspot.com/2004/08/aqadmcli.html


    • #3
      Re: reverse NDR attack exchange 2003

      Which messages can be deleted by this tool (aqadmcli)?

      Can we select specific queues for deletion?
      Rajeev


      • #4
        Re: reverse NDR attack exchange 2003

        Although I have frozen those SMTP connectors in "queue", I am still flooded with new queues. Can someone suggest a way out? Currently I have more than 16000 queues.
        Last edited by rajeevsharma; 25th March 2009, 14:04.
        Rajeev


        • #5
          Re: reverse NDR attack exchange 2003

          Find the IP address that is sending these emails by looking at the SMTP log, Message Tracking log, or the current SMTP connections, and block the IP address at your firewall. If you can't block it at your firewall, then block it on the Connection Filtering tab of the global Message Delivery settings. Once you have it blocked, you can again clean up your queues to get rid of any remaining "bad" email.

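Added example, not part of the original thread: one way to do the SMTP-log step suggested in #5, ranking client IPs by how many RCPT commands they sent and how many were rejected. It assumes the SMTP virtual server writes W3C extended logs with the `c-ip`, `cs-method` and `sc-status` fields enabled; the log lines, addresses, function names and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2009-03-25 13:58:01 203.0.113.5 mail.example.net 192.0.2.10 MAIL +FROM:<victim@example.org> 250
2009-03-25 13:58:01 203.0.113.5 mail.example.net 192.0.2.10 RCPT +TO:<aaron@example.com> 550
2009-03-25 13:58:02 203.0.113.5 mail.example.net 192.0.2.10 RCPT +TO:<abby@example.com> 550
2009-03-25 13:58:02 203.0.113.5 mail.example.net 192.0.2.10 RCPT +TO:<adam@example.com> 550
2009-03-25 13:58:03 203.0.113.5 mail.example.net 192.0.2.10 RCPT +TO:<alan@example.com> 550
2009-03-25 13:59:10 198.51.100.7 mx.partner.example 192.0.2.10 RCPT +TO:<rajeev@example.com> 250
2009-03-25 14:00:05 198.51.100.20 relay.example.org 192.0.2.10 RCPT +TO:<sales@example.com> 250
2009-03-25 14:00:06 198.51.100.20 relay.example.org 192.0.2.10 RCPT +TO:<info@example.com> 250
2009-03-25 14:00:07 198.51.100.20 relay.example.org 192.0.2.10 RCPT +TO:<infoo@example.com> 550
"""

def parse_w3c(lines):
    """Yield one dict per log entry, named by the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def rank_rcpt_sources(lines, min_rcpt=3, min_reject_ratio=0.5):
    """Return (ip, rcpt_total, rcpt_rejected) for IPs whose RCPTs are mostly refused."""
    total, rejected = Counter(), Counter()
    for entry in parse_w3c(lines):
        if entry.get("cs-method", "").upper() != "RCPT":
            continue
        ip = entry.get("c-ip", "-")
        total[ip] += 1
        if entry.get("sc-status", "").startswith("5"):  # 5xx = permanent rejection
            rejected[ip] += 1
    suspects = [(ip, total[ip], rejected[ip]) for ip in total
                if total[ip] >= min_rcpt
                and rejected[ip] / total[ip] >= min_reject_ratio]
    # Most rejections first; IP string breaks ties for a stable order.
    return sorted(suspects, key=lambda row: (-row[2], row[0]))

if __name__ == "__main__":
    for ip, rcpt_total, rcpt_rejected in rank_rcpt_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {rcpt_rejected}/{rcpt_total} RCPT commands rejected")
```

Rejections only show up this way once recipient filtering is refusing unknown addresses at RCPT time; without it, call the function with `min_reject_ratio=0` and judge by the RCPT totals instead.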