Hello, long time since a post here, hope everyone is well =)

I administer a few Exchange Servers; a majority are Exchange 2003, as are the 2 in relation to this issue. Twice in the last week I have seen users the target of NDR attacks that have eluded spam filtering completely by 2 separate spam systems. From basic analysis, here is what I believe is happening.

An external spammer (bot, whatever) is assailing the internet w/ spoofed send addresses from a specific valid account in our system. Whatever isn't delivered successfully returns the NDR to our system. Typical NDR and spamming behavior. The unique issue in both of these cases is that the end-user seems to be a specific target and starts receiving multiple NDRs / minute and essentially floods their mailbox. They appear as authentic undeliverables in the user's inbox, but from what I am tracking on our Exchange system they are not, and never have been in the outgoing Q. Hence, they are not a relay attack of any sort which ever actually Q'd for sending from our server.

Both systems have NDR reports enabled in 'ESM -> Global Settings -> Internet Messages'. I have read and agree it is unwise to globally disable NDRs to the point where users don't receive messages of failed sends.

One system is entirely walled off from the internet, allowing only 'HTTPS -> Exchange Web' & 'SMTP -> Directly into Exchange', using Symantec's Brightmail Spam Engine, fully updated and attached on the single local server where Exchange is installed. There are no relays allowed except the default 'Allow from authenticated users', which is standard practice for Outlook/Exchange setup. All systems have fully updated AntiVirus running and there are no signs of an internal virus outbreak.

My other/main system is more complex but is maintained full-time by me; all domain systems are virus protected, up-to-date and showing no signs of internal virus outbreak or even a sign of a single virus caught. The spam system is a debian/postfix/amavis/etc customized setup similar to MSU mail. Relaying is specifically allowed from this spam-filter to Exchange, as it has been for a couple years, and is necessary for the forwarding from the filtering system into Exchange after the mail is scanned. There is no other relaying allowed, and all POP3 and IMAP services require authentication and run on secure channels. Outlook -> Exchange connectivity is even channeled over HTTPS entirely. Both systems are fully patched, etc, etc.

Both are allowing these NDRs through in batch to a targeted user that is NOT postmaster or an operator account. That is the odd and aggravating thing, and internet searches on the like are only showing small hints of isolated similar issues starting around April 2008, and other links point back to outdated Exchange 5.5 issues. I haven't seen how to disable NDRs for a particular person, nor do I really want to entirely. Filtering them inside Outlook on the client end is non-trivial because they are channeled as non-standard 'NDR' messages and don't seem to hit the Outlook filters the same way as a normal message.

Has anyone else experienced similar? Am I missing a very fundamental basic setting to intelligently prevent non-authentic NDRs? Are there signs there is a problem with my systems? Have I missed a given major patch? I didn't see any similar messages over the last couple months to MSUNAG, so I hope this isn't a repeat.

Joseph M. Deming
Windows System Administrator
MATRIX/H-Net
310 Auditorium Building
East Lansing, MI 48824-1120
(517) 355-9300 x106
[log in to unmask]

PS, who do I contact to update the authorized e-mail address associated with this list?
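The check the post describes by hand ("they never have been in the outgoing Q") can be automated on the postfix/amavis side of the setup: a genuine NDR carries, in its returned original, a Message-ID that our own MTA logged when it queued the message, while backscatter from a spoofed sender returns a message we never sent. The following is an added example written for this thread, not code from the original post or from any of the products named in it. It assumes the set of locally queued Message-IDs has already been harvested from the MTA's message-tracking or postfix log; here that set and the two DSN samples are constructed inline.

```python
"""Classify delivery-status notifications (NDRs) as genuine or backscatter.

Added example, not part of the original post.  A genuine NDR bounces a
message our MTA actually queued, so the returned original carries a
Message-ID present in our own sent log.  Backscatter from a spoofed sender
returns a message we never sent: its Message-ID is unknown to us, or the
bounce includes no original headers at all.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser, Parser

# Assumption: in production this set is built from the MTA's own
# "queued as" / message-tracking log lines.  Here it is constructed sample data.
LOCALLY_SENT_MESSAGE_IDS = {"<20080520.0001@mail.example.edu>"}


def parse(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def is_dsn(msg: EmailMessage) -> bool:
    """RFC 3464 bounces are multipart/report with report-type=delivery-status."""
    report_type = msg.get_param("report-type") or ""
    return msg.get_content_type() == "multipart/report" and \
        str(report_type).lower() == "delivery-status"


def returned_message_id(msg: EmailMessage):
    """Message-ID of the original message embedded in the DSN, or None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original returned
            inner = part.get_payload(0)
            return str(inner.get("Message-ID", "")).strip() or None
        if ctype == "text/rfc822-headers":     # only the original headers returned
            inner = Parser(policy=policy.default).parsestr(part.get_content())
            return str(inner.get("Message-ID", "")).strip() or None
    return None


def classify(raw: bytes) -> str:
    """'genuine', 'backscatter', 'backscatter-suspect' or 'not-a-dsn'."""
    msg = parse(raw)
    if not is_dsn(msg):
        return "not-a-dsn"
    mid = returned_message_id(msg)
    if mid is None:
        return "backscatter-suspect"   # bounce with no original: cannot be verified
    return "genuine" if mid in LOCALLY_SENT_MESSAGE_IDS else "backscatter"


# Constructed sample DSN for a message our MTA really queued.
GENUINE = b"""From: Mail Delivery System <MAILER-DAEMON@remote.example.net>
To: jdoe@mail.example.edu
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient does not exist.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; remote.example.net

Final-Recipient: rfc822; nobody@remote.example.net
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: jdoe@mail.example.edu
To: nobody@remote.example.net
Message-ID: <20080520.0001@mail.example.edu>
Subject: hello

body
--b1--
"""

# Same bounce shape, but the returned original was never sent by us
# (constructed Message-ID from a spam bot forging jdoe's address).
BACKSCATTER = GENUINE.replace(
    b"<20080520.0001@mail.example.edu>", b"<9f3a1c@bot.example.org>")

# An ordinary message, constructed, to show the non-DSN path.
NOT_DSN = b"From: a@example.org\nSubject: hi\nContent-Type: text/plain\n\nhi\n"

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("backscatter", BACKSCATTER),
                          ("plain", NOT_DSN)):
        print(f"{label:12s} -> {classify(sample)}")
```

Run as a post-queue filter or a log-correlation job, the "backscatter" verdict is what distinguishes the flood the post describes from the legitimate failed-send notices the author wants to keep delivering; only the verified bounces need to reach the targeted mailbox, and the rest can be quarantined at the postfix/amavis layer before they are relayed into Exchange.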