I thought I'd send a little feedback to the list after some helpful direct
responses, further research, and time have gone into the problem. I have
deduced:
- I am not the only person to experience this behavior as of late
- It is not an artifact even of the Exchange system; I have just been an
unfortunate target, and this could happen with any combination of systems.
- It is not a new attack exactly, it's just been a while since spammers have
been (lazy?) enough to target a single return address instead of many random
ones
- When it happens, there is not much to do systematically to prevent it
proactively; most steps are reactive, taken after you have identified a
target.
- I was INCORRECT in stating that Outlook will not filter 'Undeliverable'
messages. Outlook 2003 (tested) will filter them just fine, just like any
other messages.
- Therefore a reasonable solution is to create a rule in Outlook which
filters messages containing the subject 'Undeliverable' (or from the system
account if so desired) to a junk mail or other temporary folder.
Unfortunately, as best practice, the user really should look through these
messages to be sure none of the NDRs were legit before deleting. Leave this
rule active for a couple days until the attack has subsided, then delete the
rule. Yes, this solution only works if using Outlook, although similar steps
could be taken with any client that has rule-based sorting. This also does
nothing to stop the messages from entering and passing through your
e-mail system.
- Finally, an alternate approach, if you have a configurable spam-filtering
system, is to make a specific group or rule for this user to filter the NDRs
at the spam-filtering level; however, this could also filter or tag legit
NDRs as SPAM, and again, this rule should only be applied to the specific
account, temporarily, until the attack has subsided.
- There is no realistic way to completely separate authentic NDRs from SPAM,
much as there is no way to completely separate authentic e-mail from SPAM,
aside from looking for specific patterns.
- Disabling NDRs is not very likely to be in your best interest as an
organization, and putting them through a SPAM training engine also seems
ill-advised.
Thanks for everyone's help. Hopefully this is a temporary issue resulting
from some poor coding or config by the hackers and script-kiddies.
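As an added example, not part of the original post or of any product it mentions: the temporary, per-mailbox NDR rule described above, written as a small Python triage script instead of an Outlook or spam-filter rule. It applies only to one attacked mailbox, expires after a set window, and uses one concrete "specific pattern" to tell legit NDRs from backscatter: an NDR whose embedded original carries a Message-ID our own MTA actually emitted is treated as legit, anything else is parked for review rather than deleted. The mailbox address, the set of sent Message-IDs and the sample NDR are all constructed for the example; in practice the Message-ID set would come from the outbound mail log.

```python
import email
from email.message import Message

# Assumptions for the example (not from the original post): the mailbox under
# attack, and the Message-IDs our MTA really sent (in practice: outbound log).
TARGET = "victim@example.com"
SENT_IDS = {"<20060301.0001@mail.example.com>", "<20060301.0002@mail.example.com>"}


def make_ndr(original_msgid: str, to: str = TARGET) -> str:
    """Constructed sample NDR in RFC 3464 multipart/report shape, not real
    traffic. The last part is the bounced original, which is where either our
    real message or the spammer's forgery shows up."""
    return (
        "From: MAILER-DAEMON@remote.example\n"
        f"To: {to}\n"
        "Subject: Undeliverable: hello\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Your message could not be delivered.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; remote.example\n"
        "\n"
        "Final-Recipient: rfc822; nobody@remote.example\n"
        "Action: failed\n"
        "Status: 5.1.1\n"
        "--b1\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"From: {to}\n"
        "To: nobody@remote.example\n"
        "Subject: hello\n"
        f"Message-ID: {original_msgid}\n"
        "\n"
        "body\n"
        "--b1--\n"
    )


def looks_like_ndr(msg: Message) -> bool:
    """Two patterns: a proper DSN (report-type=delivery-status) or the
    'Undeliverable' subject that the Outlook rule in the post keys on."""
    if msg.get_content_type() == "multipart/report" and \
            (msg.get_param("report-type") or "").lower() == "delivery-status":
        return True
    return msg.get("Subject", "").lower().startswith("undeliverable")


def bounced_message_id(ndr: Message):
    """Message-ID of the original message the NDR reports on, if present."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0).get("Message-ID")
        if ctype == "text/rfc822-headers":
            hdrs = email.message_from_bytes(part.get_payload(decode=True))
            return hdrs.get("Message-ID")
    return None


def classify_ndr(raw: str, sent_ids, target: str = TARGET) -> str:
    """'legit' / 'backscatter' / 'not-ndr' / 'not-target' for one raw message."""
    msg = email.message_from_string(raw)
    if not looks_like_ndr(msg):
        return "not-ndr"
    if target.lower() not in msg.get("To", "").lower():
        return "not-target"      # the rule is scoped to the attacked mailbox only
    mid = bounced_message_id(msg)
    if mid and mid.strip() in sent_ids:
        return "legit"           # we really sent this one; the user should read it
    return "backscatter"         # a bounce for mail we never sent


def route(raw: str, sent_ids, now_ts: float, expires_ts: float) -> str:
    """Temporary rule: while active, park backscatter in a review folder (never
    delete, since a legit NDR may slip through); after expiry, back to Inbox."""
    if now_ts >= expires_ts:
        return "Inbox"
    return "NDR-Review" if classify_ndr(raw, sent_ids) == "backscatter" else "Inbox"


if __name__ == "__main__":
    start = 1_700_000_000          # arbitrary epoch seconds
    expires = start + 2 * 86_400   # rule active for two days, as the post suggests
    for mid in ("<20060301.0001@mail.example.com>", "<forged@spammer.example>"):
        print(mid, "->", classify_ndr(make_ndr(mid), SENT_IDS),
              "->", route(make_ndr(mid), SENT_IDS, start, expires))
```

The Message-ID check is only as good as the outbound log it is fed from; spammers who copy a real Message-ID out of a captured message would pass it, which is why the script parks suspect NDRs for review instead of dropping them, matching the post's advice to look through the folder before deleting.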