Announcement

Collapse
No announcement yet.

NDR Attack Responce, how do I suppress false NDR's?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • NDR Attack Responce, how do I suppress false NDR's?

    The domain, nottherealname.com, is the victim of a reverse NDR attack. Several users are being flooded with returned NDR for messages they have not sent and originated from an unrecognized IP address. I am (trying to) maintain this Exchange 07, SP1 server. It is hosted on a 64-Win2k3, SP3 enterprise server. All exchange roles are on the same box. Dual, quad core 2.3GHz, 8 gig ram and 300 gig of disk. It's in an 03 AD, single domain, single forest. The server is hosting mailboxes for 200 users. The domain has a valid SPF record. I have employed several Exchange anti-spam offerings including Sender Reputation, Sender Filtering, Recipient Filters and Content Filtering.

    Sender Reputation block for 24 hours
    Sender Filtering blocks blank senders
    Recipient Filtering blocks recipients who are not in the GAL
    Content Filtering deletes messages which have a SCL of 8 or higher. message between 6 and 8 are quarantined. I have also added common keywords usually associated with NDRs to the custom words such as 'undeliverable'

    I suspect the filters are not working because NDR's are not recognized as standard messages and thus not scrutinized.

    I created a Transport Rule which sets any message which contains the word 'Undeliverable' to an SCL of 9. GFI Mail Essentials and Mail Securities is also being hosted on the box. The configuration of each are too elaborate to summarize here but if requested, I can offer those details as well. I have verified that GFI is not unintentionally whitelisting these same key words I am trying to deny. GFI does not offer any option to filter or deny NDRs. I have experience this issue before with another client. GFI support was able to offer a registry change which would reclassify NDRs as standard messages which they could then be filtered. I lost the notes on that.

    [email protected] has been substituted for the actual domain and user name as well as the server name, mail.nottherealname.com. Anonymous relay, open relay is not enabled on the Hub Transport. This is also supported by the fact that I cant find the original messages sent out of the exchange server and have verified with server online services, like Dnsstuff.com, that open relay is not on.

    So what are my defense options. I am even willing to consider disabling deliver notification for these users if need be. A NDR sample is below. More info can be provided upon request.

    Thanks
    DG




    Diagnostic information for administrators:

    Generating server: mx1.virtual-motive-division.com

    [email protected]
    #< #5.1.1> #SMTP#

    Original message headers:

    Return-Path: [email protected]
    X-Original-To: [email protected]
    Received: from fester (host19-23-dynamic.5-87-r.retail.telecomitalia.it
    [87.5.23.19]) by dd6906.kasserver.com (Postfix) with ESMTP id CCDB4D3208 for
    <[email protected]>; Sun, 16 Mar 2008 11:33:27 +0100 (CET)
    Received: from [87.5.23.19] by mail.nottherealdomain.com; , 16 Mar 2008 11:33:26 +0100
    Date: Sun, 16 Mar 2008 11:33:26 +0100
    From: EuroSoftware <[email protected]
    X-Mailer: The Bat! (v3.81.14 Beta) Professional
    Reply-To: <[email protected] >
    X-Priority: 3 (Normal)
    Message-ID: <[email protected] >
    To: <[email protected]>
    Subject: MS Office XP, MS Office 2007, Adobe Acrobat 8
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----------E5B67125425B6EC"
    X-Antivirus: avast! (VPS 080314-0, 14/03/200, Outbound message
    X-Antivirus-Status: Clean
    X-Virus-Status: No
    X-Virus-Checker-Version: clamassassin 1.2.2 with clamdscan / ClamAV 0.91.1/6254/Sun Mar 16 09:27:35 2008
    X-Antivirus: avast! (VPS 080316-0, 16.03.200, Inbound message
    X-Antivirus-Status: Clean

  • #2
    Re: NDR Attack Responce, how do I suppress false NDR's?

    Hi dg,

    I've had the same thing with one of our users for a few days now. His NDRs are very similar - Eurosoftware / The Bat! etc. I've done similar things to make sure mail is definately not originating (or relaying) through our ex2k3 box.

    My current solution is to change his email address! Very frustrating......

    Comment


    • #3
      Re: NDR Attack Responce, how do I suppress false NDR's?

      http://support.microsoft.com/?kbid=294757

      http://spamlinks.net/prevent-secure-backscatter.htm

      interesting read about this problem:
      http://www.techzoom.net/paper-mailbomb.asp
      its easier to beg forgiveness than ask permission.
      Give karma where karma is due...

      Comment


      • #4
        Re: NDR Attack Responce, how do I suppress false NDR's?

        There is very little you can do.
        Your server has to accept the NDRs. What you do with them once it has is up to you. However most antispam applications cannot touch the NDRs once they are in Exchange because they are system messages.

        Disabling NDRs in Exchange will not help and could actually get your server blacklisted.
        Trying to block the delivery of the NDRs could also get the server blacklisted.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.

        Comment

        Working...
        X