Hello, long time since a post here, hope everyone is well =)
I administer a few Exchange Servers, a majority are Exchange 2003 as are the
2 in relation to this issue. Twice in the last week I have seen users the
target of NDR attacks that have eluded spam filtering completely by 2
separate spam systems. From basic analysis, here is what I believe is
happening. An external spammer (bot, whatever) is assailing the internet w/
spoofed send addresses from a specific valid account in our system.
Whatever isn’t delivered successfully returns the NDR to our system.
Typical NDR and spamming behavior. The unique issue in both of these cases
is that the end-user seems to be a specific target and starts receiving
multiple NDRs / minute and essentially floods their mailbox. They appear as
authentic undeliverables in the user’s inbox but from what I am tracking
on our Exchange system they are not, and never have been in the outgoing Q.
Hence, they are not a relay attack of any sort which ever actually Q’d for
sending from our server.
Both systems have NDR reports enabled in ‘ESM → Global Settings →
Internet Messages’.
I have read and agree it is unwise to globally disable NDRs to the point
where users don’t receive messages of failed sends.
One system is entirely walled off from internet allowing only ‘HTTPS →
Exchange Web’ & ‘SMTP → Directly into Exchange’ using Symantec’s
Brightmail Spam Engine fully updated and attached on the single local server
where Exchange is installed. There are no relays allowed except the default
‘Allow from authenticated users’ which is standard practice for
Outlook/Exchange setup. All systems have fully updated AntiVirus running
and there are no signs of an internal virus outbreak.
My other/main system is more complex but is maintained full-time by me, all
domain systems are virus protected, up-to-date and showing no signs of
internal virus outbreak or even a sign of a single virus caught. The spam
system is a debian/postfix/amavis/etc customized setup similar to MSU mail.
Relaying is specifically allowed from this spam-filter to Exchange as it has
been for a couple years and is necessary for the forwarding from the
filtering system into exchange after the mail is scanned. There is no other
relaying allowed and all POP3 and IMAP services require authentication and
run on Secure channels. Outlook → Exchange connectivity is even channeled
over HTTPS entirely.
Both systems are fully patched, etc, etc.
Both are allowing these NDRs through in batch to a targeted user that is NOT
postmaster or an operator account. That is the odd and aggravating thing
and internet searches on the like are only showing small hints of isolated
similar issues starting around April 2008, and other links point back to
outdated Exchange 5.5 issues. I haven’t seen how to disable NDRs for a
particular person, nor do I really want to entirely. Filtering them inside
outlook on the client end is non-trivial because they are channeled as
non-standard ‘NDR’ messages and don’t seem to hit the Outlook filters
the same way as a normal message. Has anyone else experienced similar? Am
I missing a very fundamental basic setting to intelligently prevent
non-authentic NDRs? Are there signs there is a problem with my systems?
Have I missed a given major patch? I didn’t see any similar messages over
the last couple months to MSUNAG so I hope this isn’t a repeat.
Joseph M. Deming
Windows System Administrator
MATRIX/H-Net
310 Auditorium Building
East Lansing, MI 48824-1120
(517) 355-9300 x106
PS, who do I contact to update the authorized e-mail address associated with
this list?
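The distinction the post draws is the useful one for triage: a real NDR bounces a message that actually passed through our outgoing queue, while backscatter bounces a spoofed message that never did. The script below, an added example and not code from the post or from the MSUNAG list, applies exactly that check to delivery reports (RFC 3464 multipart/report messages). It assumes the operator can export the Message-IDs their MTA actually accepted for delivery (the constructed set `SENT_MESSAGE_IDS` stands in for that log), that the local domain is `example.org` (placeholder), and that bounces carry a copy of the original message or its headers, which most do. The three NDR samples are constructed.

```python
"""Triage NDRs: legitimate bounce, or backscatter from a spoofed sender?

Added example, not code from the original post. It assumes the operator can
export the Message-IDs their MTA really sent (SENT_MESSAGE_IDS is a constructed
stand-in for that send log) and that the bounce embeds the original message or
its headers, as RFC 3464 delivery reports normally do.
"""
import email
from email.message import Message
from typing import Optional

OUR_DOMAIN = "example.org"  # placeholder for the real local mail domain

# Constructed stand-in for the outbound send log: Message-IDs we really sent.
SENT_MESSAGE_IDS = {"<20080501.1234@example.org>"}


def _bounced_original(ndr: Message) -> Optional[Message]:
    """Return the headers of the bounced original carried inside the NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload()  # list holding one embedded Message
            if inner:
                return inner[0]
        if ctype == "text/rfc822-headers":
            raw = part.get_payload(decode=True) or b""
            return email.message_from_string(raw.decode("utf-8", "replace"))
    return None


def classify_ndr(raw_ndr: str) -> tuple:
    """Return (verdict, reason).

    Only the send log is trusted: the From and Received headers inside the
    bounced copy were written by whoever sent the original, i.e. the spammer.
    """
    ndr = email.message_from_string(raw_ndr)
    if ndr.get_content_type() != "multipart/report":
        return ("not-ndr", "not a multipart/report delivery report")
    original = _bounced_original(ndr)
    if original is None:
        return ("backscatter", "report carries no copy of the original")
    msgid = (original.get("Message-ID") or "").strip()
    if msgid in SENT_MESSAGE_IDS:
        return ("legitimate", "original %s is in our send log" % msgid)
    if msgid.endswith("@%s>" % OUR_DOMAIN):
        return ("backscatter", "Message-ID looks local but was never sent")
    return ("backscatter", "original %s did not originate here" % (msgid or "<none>"))


def triage(reports) -> dict:
    """Count verdicts over a batch of raw NDRs (e.g. one user's inbox)."""
    counts = {}
    for raw in reports:
        verdict, _ = classify_ndr(raw)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


_NDR_HEAD = """\
From: MAILER-DAEMON@remote.example.net
To: jdoe@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; remote.example.net

Final-Recipient: rfc822; nobody@remote.example.net
Action: failed
Status: 5.1.1
"""

# Constructed sample 1: a genuine bounce for a message our MTA logged as sent.
LEGIT_NDR = _NDR_HEAD + """\
--b1
Content-Type: text/rfc822-headers

Message-ID: <20080501.1234@example.org>
From: jdoe@example.org
To: nobody@remote.example.net
Subject: Meeting notes
--b1--
"""

# Constructed sample 2: backscatter; the "original" forges our user as sender
# and even a Received line naming our host, but its Message-ID is foreign.
FORGED_NDR = _NDR_HEAD + """\
--b1
Content-Type: text/rfc822-headers

Received: from mail.example.org (forged.example.com [192.0.2.10])
Message-ID: <9f3c1@botnet.example.com>
From: jdoe@example.org
To: nobody@remote.example.net
Subject: Cheap meds
--b1--
"""

# Constructed sample 3: backscatter that returns no copy of the original at all.
EMPTY_NDR = _NDR_HEAD + "--b1--\n"

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_NDR), ("forged", FORGED_NDR), ("no-copy", EMPTY_NDR)):
        print(name, classify_ndr(raw))
    print(triage([LEGIT_NDR, FORGED_NDR, EMPTY_NDR]))
```

Run on the filter host (the Postfix/amavis box in the second setup) this is the basis for a content rule that quarantines NDRs whose original is not in the send log for the targeted user, without disabling NDRs globally. The Message-ID lookup is the only authoritative signal here; the forged sample shows why a Received line naming our own server must not be taken as proof that the message left our queue.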