
I thought I'd send a little feedback to the list after some helpful direct 
responses, further research and time has gone into the problem.  I have 
deduced: 

 - I am not the only person to experience this behavior as of late
 - It is not an artifact of even the Exchange system; I have just been an 
unfortunate target, and this could happen in any combination of systems
 - It is not a new attack exactly, it's just been a while since spammers have 
been (lazy?) enough to target a single return address instead of many random 
ones
 - In the case when it happens there is not much to do systematically to 
prevent it proactively, most steps are reactive after you have identified a 
target.
 - I was INCORRECT in stating that Outlook will not filter 'Undeliverable' 
messages, Outlook 2003 (tested) will filter them just fine and just like 
other messages.
 - Therefore a reasonable solution is to create a rule in Outlook which 
filters messages containing the subject 'Undeliverable' (or from the system 
account if so desired) to a junk mail or other temporary folder.  
Unfortunately, as best practice, the user really should look through these 
messages to be sure none of the NDRs were legit before deleting.  Leave this 
rule active for a couple days until the attack has subsided, then delete the 
rule.  Yes, this solution only works if using Outlook although similar steps 
could be taken for any client with rule-based sorting.  This also does 
nothing to stop the messages from entering and passing through your 
e-mail system.
 - Finally, an alternate approach, if you have a configurable spam-filtering 
system is to make a specific group or rule for this user to filter the NDRs 
at the spam-filtering level, however this also could filter or tag legit 
NDRs as SPAM, and again, this rule should be only applied to a specific 
account temporarily until the attack has subsided.
 - There is no realistic way to completely separate authentic NDRs from SPAM, 
much as there is no way to completely separate authentic e-mail from SPAM 
aside from looking for specific patterns.
 - Disabling NDRs is not very likely to be in your best interest as an 
organization, and putting them through a SPAM training engine also seems 
ill-advised. 

Thanks for everyone's help.  Hopefully this is a temporary issue resulting 
from some poor coding or config by the hackers and script-kiddies.
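Added example (editor's code, not part of the post above): the client-side rule the post describes, the "Undeliverable" subject match that sends NDRs to a temporary review folder, written in Python with the standard-library email parser so it can be checked against real bounce messages offline. It goes one step beyond the post's rule by also recognising RFC 3464 delivery-status reports regardless of subject, and by keeping an NDR in the Inbox when the bounced copy it carries has a Message-ID the user actually sent, which is the "look for specific patterns" the post mentions. The three sample messages, the folder names and the set of sent Message-IDs are all constructed for the example.

```python
import email
from email import policy

# Constructed sent-mail log: Message-IDs of messages this mailbox really sent.
# In practice this would be harvested from the Sent Items folder or MTA logs.
SENT_MESSAGE_IDS = {"<20050101.1234@mail.example.com>"}

# Folder names are assumptions for the example, mirroring the post's
# "junk mail or other temporary folder" that the user reviews before deleting.
INBOX = "Inbox"
REVIEW_FOLDER = "NDR-Review"


def parse(raw):
    """Parse a raw RFC 5322 message using the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def is_ndr(msg):
    """Pattern match for a bounce: the post's subject rule plus the DSN structure."""
    subject = str(msg.get("Subject", ""))
    if "undeliverable" in subject.lower():
        return True
    # RFC 3464 delivery status notification: multipart/report; report-type=delivery-status
    if msg.get_content_type() == "multipart/report":
        report_type = msg.get_param("report-type", header="Content-Type")
        if report_type and report_type.lower() == "delivery-status":
            return True
    return False


def references_sent_mail(msg, sent_ids):
    """True if the bounce carries a copy or headers of a message we really sent."""
    # Threading headers sometimes point back at the original.
    for hdr in ("In-Reply-To", "References"):
        for token in str(msg.get(hdr, "")).split():
            if token in sent_ids:
                return True
    # walk() descends into message/rfc822 parts, so the embedded original's
    # own Message-ID header shows up as a part; skip the outer bounce itself.
    for part in msg.walk():
        if part is msg:
            continue
        mid = part.get("Message-ID")
        if mid and str(mid).strip() in sent_ids:
            return True
        # text/rfc822-headers carries only the original's header block as text.
        if part.get_content_type() == "text/rfc822-headers":
            inner = email.message_from_string(part.get_content(), policy=policy.default)
            mid = inner.get("Message-ID")
            if mid and str(mid).strip() in sent_ids:
                return True
    return False


def route_message(raw, sent_ids):
    """Decide which folder a message lands in: NDRs go to review unless provably ours."""
    msg = parse(raw)
    if not is_ndr(msg):
        return INBOX
    if references_sent_mail(msg, sent_ids):
        return INBOX
    return REVIEW_FOLDER


# Constructed sample messages (not real traffic).
LEGIT_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mail.example.com>
To: user@example.com
Subject: Undeliverable: Quarterly report
Message-ID: <bounce-1@mail.example.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; bob@partner.example
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: user@example.com
To: bob@partner.example
Message-ID: <20050101.1234@mail.example.com>
Subject: Quarterly report

See attached.
--b1--
"""

BACKSCATTER = """\
From: postmaster@victim-relay.example
To: user@example.com
Subject: Undeliverable: Cheap meds!!!
Message-ID: <bounce-2@victim-relay.example>
Content-Type: text/plain

Your message to random123@nowhere.example could not be delivered.
"""

NORMAL_MAIL = """\
From: alice@example.com
To: user@example.com
Subject: Lunch tomorrow?
Message-ID: <lunch-1@example.com>
Content-Type: text/plain

Noon work for you?
"""

if __name__ == "__main__":
    for name, raw in (("legit_ndr", LEGIT_NDR), ("backscatter", BACKSCATTER), ("normal", NORMAL_MAIL)):
        print(f"{name}: {route_message(raw, SENT_MESSAGE_IDS)}")
```

Everything that is flagged as an NDR but cannot be tied to sent mail still lands in the review folder rather than being deleted, matching the post's advice that the user look through them before discarding; a spoofed bounce that embeds a forged copy of a "sent" message would not be caught by this check, so it narrows the review pile rather than replacing the review.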