Hello, it's been a long time since a post here; hope everyone is well =)

I administer a few Exchange Servers; the majority are Exchange 2003, as are the
2 involved in this issue.  Twice in the last week I have seen users targeted
by NDR attacks that have eluded spam filtering completely on 2 separate spam
systems.  From basic analysis, here is what I believe is happening.  An
external spammer (bot, whatever) is assailing the internet with spoofed
sender addresses from a specific valid account in our system.  Whatever isn't
delivered successfully returns an NDR to our system.  Typical NDR and spamming
behavior.  The unique issue in both of these cases is that the end user seems
to be a specific target and starts receiving multiple NDRs per minute, which
essentially floods their mailbox.  They appear as authentic undeliverables in
the user's inbox, but from what I am tracking on our Exchange system they are
not, and never have been, in the outgoing queue.  Hence they are not a relay
attack of any sort that ever actually queued for sending from our server.

Both systems have NDR reports enabled in 'ESM -> Global Settings ->
Internet Messages'.
I have read and agree that it is unwise to globally disable NDRs to the point
where users don't receive messages of failed sends.

One system is entirely walled off from the internet, allowing only 'HTTPS ->
Exchange Web' and 'SMTP -> Directly into Exchange', using Symantec's
Brightmail Spam Engine, fully updated and attached on the single local server
where Exchange is installed.  There are no relays allowed except the default
'Allow from authenticated users', which is standard practice for an
Outlook/Exchange setup.  All systems have fully updated AntiVirus running
and there are no signs of an internal virus outbreak.

My other/main system is more complex but is maintained full-time by me; all
domain systems are virus protected, up-to-date and showing no signs of an
internal virus outbreak, or even a sign of a single virus caught.  The spam
system is a debian/postfix/amavis/etc customized setup similar to MSU mail.
Relaying is specifically allowed from this spam filter to Exchange, as it has
been for a couple of years, and is necessary for forwarding from the
filtering system into Exchange after the mail is scanned.  There is no other
relaying allowed, and all POP3 and IMAP services require authentication and
run on secure channels.  Outlook -> Exchange connectivity is even channeled
over HTTPS entirely.

Both systems are fully patched, etc, etc. 

Both are allowing these NDRs through in batches to a targeted user who is NOT
postmaster or an operator account.  That is the odd and aggravating thing,
and internet searches on the subject are only showing small hints of isolated
similar issues starting around April 2008, while other links point back to
outdated Exchange 5.5 issues.  I haven't seen how to disable NDRs for a
particular person, nor do I really want to entirely.  Filtering them inside
Outlook on the client end is non-trivial because they are channeled as
non-standard 'NDR' messages and don't seem to hit the Outlook filters
the same way as a normal message.  Has anyone else experienced something
similar?  Am I missing a very fundamental basic setting to intelligently
prevent non-authentic NDRs?  Are there signs there is a problem with my
systems?  Have I missed a given major patch?  I didn't see any similar
messages over the last couple of months to MSUNAG, so I hope this isn't a
repeat.


Joseph M. Deming
Windows System Administrator
MATRIX/H-Net
310 Auditorium Building
East Lansing, MI 48824-1120
(517) 355-9300 x106
[log in to unmask] 

PS, who do I contact to update the authorized e-mail address associated with 
this list?
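The situation above (bounces for mail the user never sent, i.e. backscatter) can be told apart from genuine NDRs at the filtering stage rather than in Outlook. The check is simple: a real DSN carries a copy of the original message (RFC 3464, as a text/rfc822-headers or message/rfc822 part), so its Message-ID can be compared against the Message-IDs the outbound MTA actually accepted. The script below is an added example, not code from the original post or from MSU; it assumes the sent Message-IDs have been harvested from the Postfix log or the Exchange message-tracking log into a set (the sample set and the three sample bounces are constructed for the example):

```python
"""Tell authentic NDRs from backscatter by checking whether the bounced
original was ever sent by our MTA.  Added example; sample data is constructed."""
import email
from email import policy

# Constructed sample: Message-IDs our outbound MTA really accepted.  In practice
# this is harvested from the Postfix or Exchange message-tracking log.
SENT_MESSAGE_IDS = {
    "<20080512.1001@example.org>",
    "<20080512.1002@example.org>",
}


def bounced_original(msg):
    """Return the headers of the original message embedded in a DSN, or None.

    RFC 3464 DSNs return the original either as text/rfc822-headers (headers
    only) or message/rfc822 (the whole message); both forms are handled.
    """
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return email.message_from_bytes(part.get_payload(decode=True),
                                            policy=policy.default)
        if ctype == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw, sent_ids=SENT_MESSAGE_IDS):
    """Classify a stored bounce as 'authentic', 'backscatter' or 'unverifiable'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    original = bounced_original(msg)
    if not is_dsn or original is None:
        return "unverifiable"      # not a standard DSN, or no copy of the original
    message_id = str(original.get("Message-ID", "")).strip()
    if not message_id:
        return "unverifiable"      # nothing to match against the send log
    if message_id in sent_ids:
        return "authentic"
    return "backscatter"           # bounce for a message we never queued


# Constructed sample: a real DSN for a message we sent (headers-only form).
AUTHENTIC_NDR = b"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: jdoe@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Message-ID: <20080512.1001@example.org>
From: jdoe@example.org
To: nobody@example.net
Subject: Meeting notes

--b1--
"""

# Constructed sample: a DSN for spam a bot sent with jdoe's address spoofed
# (full-message form); its Message-ID never passed through our queue.
BACKSCATTER_NDR = b"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.com>
To: jdoe@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: message/rfc822

Message-ID: <9f2c1b@zombie-pc.example.invalid>
From: jdoe@example.org
To: victim@example.com
Subject: Cheap meds

Buy now.

--b2--
"""

# Constructed sample: a plain-text "bounce" with no original attached.
FAKE_BOUNCE = b"""\
From: postmaster@example.net
To: jdoe@example.org
Subject: Undeliverable
Content-Type: text/plain

Your message was not delivered.
"""

if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC_NDR),
                      ("backscatter", BACKSCATTER_NDR),
                      ("fake", FAKE_BOUNCE)):
        print(name, "->", classify_bounce(raw))
```

Run on the postfix/amavis host, the "backscatter" verdict can feed a header mark or a quarantine for bounces addressed to the targeted user, which leaves real NDRs (and the global NDR setting in ESM) untouched. "unverifiable" is kept separate on purpose: a bounce without a copy of the original cannot be proved either way and should be reviewed rather than silently dropped.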