Well I've looked around but can't find the exact symptoms we had. The
other day the net connection got very slow, caused by a load of data
being sent from the server (2003 SBS). On inspection I found Exchange
had queues with thousands of emails in them. My initial thought was
that I was an open relay. However, I'm not so sure.
On inspection, ALL of the around 8000 emails in the queues were to one
of two addresses. One was an AOL account and one a Demon account, both
clients of ours. There were a load of identical emails going to the
Demon address, then another load of emails going to the AOL address.
Finally there were a load of emails from postmaster@mydomain to one of
them (can't remember which one now).
So I'm thinking if we were an open relay we'd be sending emails all
over the place, not just to two people we know. If we were just
sending NDRs then surely they'd all be from postmaster. So why did we
end up sending the other emails?
I did notice, when going through clearing the queues, that in the SMTP
section in Exchange, as well as 192.168.0.1 being authorised, so
was 127.0.0.1, and I'd read that this can make the server an open
relay. I have disabled 127.0.0.1 just in case.
Does anyone actually know what went on here?
Many thanks.
Mark
Many unexpected outbound e-mail messages appear in the SMTP queue in Small
Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;835734
--
Merv Porter [SBS MVP]
===================================
<mjse...@gmail.com> wrote in message
news:1129478340.7...@o13g2000cwo.googlegroups.com...
I'll apply the patch tomorrow.
--
Merv Porter [SBS MVP]
===================================
<mjse...@gmail.com> wrote in message
news:1129503879....@g47g2000cwa.googlegroups.com...
F. (Do NOT use these steps unless you are under this kind of attack)
Nowadays spammers have a new means to avoid filters built into many
systems. They take advantage of a mail system's sending of a non-delivery
report (NDR), which returns the original contents, when a message cannot
be delivered as addressed. Since this follows the RFC standard, almost all
mail servers will function this way. This is what is called a "Reverse NDR
attack" (RNDR). This form of attack is becoming increasingly widespread.
Some users get it so badly that over 33% of their Internet messages are
attributed to this type of spam. The end result is the spammer has attained
a new form of mail relaying. Your server's resources are being stolen to
deliver spam.
How does a "Reverse NDR" attack work?
Step 1 Spam email is created with the intended spam victim's address in
the sender field and a random, fictitious recipient, at your domain, in the
To: field.
Step 2 Your mail server cannot deliver the message and sends an NDR email
back to what appears to be the sender of the original message, the spam
victim.
Step 3 The return email carries the non-delivery report and possibly the
original spam message. Thinking it is email they sent, the spam victim
reads the NDR and the included spam.
What are the symptoms of an RNDR attack?
1. Sluggish email delivery
2. Outbound queues full of non-delivery notices
3. Excessive admin time to clear outbound queues
4. Badmail folder's size grows quickly
If you are experiencing any of the above, chances are good your mail server
is under attack.
To stop the RNDR attack, follow these steps:
To Configure Recipient Filtering
When you enable recipient filtering (if you are using SMTP for incoming
emails) on the SMTP virtual server, e-mail messages that are received from
anyone on the recipient filter are not accepted. Recipient filtering is
set globally, but you enable it on a per-Virtual Server basis on each SMTP
virtual server.
To create a recipient filter:
1. Click "Start", point to "Programs", point to "Microsoft Exchange", and
then click "System Manager".
2. Expand "Global Settings", right-click "Message Delivery", and then click
"Properties".
3. Click the "Recipient Filtering" tab, and then click the checkbox at the
bottom (Filter recipients who are not in the directory).
4. Specify any additional filter options that you want to configure,
Select Apply, and then click "OK".
To enable recipient filtering on the SMTP virtual server:
1. Click "Start", point to "Programs", point to "Microsoft Exchange", and
then click "System Manager".
2. Expand "Servers", expand "<ServerName>", and then expand "Protocols".
3. Expand "SMTP", right-click "Default SMTP Virtual Server", and then click
"Properties".
4. Click the "General" tab, and then click "Advanced".
5. In the "Address" list, click the IP address where you want to apply the
recipient filter, and then click "Edit".
6. Click to select the "Apply Recipient Filter" check box, click "OK", and
then click "OK".
Note: Recipient filter rules apply only to anonymous connections.
Authenticated users and Exchange servers bypass these validations.
If you are using POP3 Connector for incoming emails, you can disable
Exchange from sending NDR emails. See:
294757 How to Control Non-Delivery Reports Using Exchange 2000
http://support.microsoft.com/?id=294757
<mjse...@gmail.com> wrote in message
news:1129503879....@g47g2000cwa.googlegroups.com...
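The three steps of the reverse NDR attack above, and the effect of the recipient filter and the tar pit, as an added illustration that is not part of the thread and is not Exchange code. It is a small Python model of an inbound SMTP server's MAIL FROM / RCPT TO / DATA handling: with the recipient filter off, the server accepts mail for a made-up local user, fails it at categorization and queues an NDR (with the spam attached) to the forged sender; with the filter on, the unknown recipient gets a 550 at RCPT time and nothing is queued. The domain example.com, the directory, the victim address and the spam text are all constructed; the reply strings only imitate Exchange's wording, and every connection is treated as anonymous (authenticated clients bypass the filter, as the note above says).

```python
"""Model of why a reverse NDR attack works and how recipient filtering stops it.

Added example: not code from the thread or from Exchange. The domain,
directory, victim address and spam text below are constructed.
"""
import time

LOCAL_DOMAIN = "example.com"                      # assumed protected domain
DIRECTORY = {"mark@example.com", "sales@example.com"}  # constructed mailboxes


class SmtpReceiver:
    """Tiny inbound SMTP server: anonymous connections only.

    recipient_filter=False: any RCPT TO for our domain is accepted; the
    missing mailbox is only discovered at categorization, so an NDR goes
    back to the (forged) MAIL FROM address.
    recipient_filter=True: "Filter recipients who are not in the directory";
    the unknown recipient is refused with 550 and nothing is queued.
    tarpit_seconds: delay added before every 5xx reply (SMTP tar pit).
    """

    def __init__(self, local_domain, directory, recipient_filter, tarpit_seconds=0.0):
        self.local_domain = local_domain.lower()
        self.directory = {a.lower() for a in directory}
        self.recipient_filter = recipient_filter
        self.tarpit_seconds = tarpit_seconds
        self.tarpit_total = 0.0       # seconds of delay imposed on this session
        self.outbound_queue = []      # what this server will try to send out
        self._reset()

    def _reset(self):
        self.sender = None
        self.recipients = []

    def _reject(self, reply):
        # Tar pit: make each protocol error cost the spammer connection time.
        time.sleep(self.tarpit_seconds)
        self.tarpit_total += self.tarpit_seconds
        return reply

    def command(self, line):
        """Handle one MAIL FROM / RCPT TO line and return the server reply."""
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            self.sender = arg.strip().strip("<>").lower()
            return "250 2.1.0 Sender OK"
        if verb == "RCPT TO":
            rcpt = arg.strip().strip("<>").lower()
            if rcpt.rpartition("@")[2] != self.local_domain:
                # Not our domain and not authenticated: this is the open-relay
                # case, and the correct answer is to refuse.
                return self._reject("550 5.7.1 Unable to relay")
            if self.recipient_filter and rcpt not in self.directory:
                return self._reject("550 5.1.1 User unknown")
            self.recipients.append(rcpt)
            return "250 2.1.5 Recipient OK"
        return self._reject("500 5.5.1 Command unrecognized")

    def data(self, body):
        """End of DATA: queue delivery, or an NDR for a mailbox that does not exist."""
        for rcpt in self.recipients:
            if rcpt in self.directory:
                self.outbound_queue.append({"from": self.sender, "to": rcpt, "body": body})
            else:
                # Categorizer finds no mailbox; per RFC behaviour the server
                # bounces to the reverse-path, which the spammer forged.
                self.outbound_queue.append({
                    "from": "postmaster@" + self.local_domain,
                    "to": self.sender,
                    "body": "Delivery to %s failed.\n\n%s" % (rcpt, body),
                })
        self._reset()
        return "250 2.6.0 Queued for delivery"


def reverse_ndr_attempt(receiver, victim, spam):
    """One spam injection in the reverse NDR pattern: victim in MAIL FROM,
    a made-up user at our domain in RCPT TO. Returns (client, server) pairs."""
    transcript = []
    for line in ("MAIL FROM:<%s>" % victim,
                 "RCPT TO:<nosuchuser42@%s>" % receiver.local_domain):
        transcript.append((line, receiver.command(line)))
    if transcript[-1][1].startswith("250"):
        transcript.append(("DATA ...", receiver.data(spam)))
    return transcript


def ndrs_to(receiver, address):
    """NDRs sitting in the outbound queue addressed to a given mailbox."""
    return [m for m in receiver.outbound_queue
            if m["from"].startswith("postmaster@") and m["to"] == address.lower()]


if __name__ == "__main__":
    victim = "someone@aol.example"   # constructed: the spammer's real target
    for filtered in (False, True):
        srv = SmtpReceiver(LOCAL_DOMAIN, DIRECTORY, recipient_filter=filtered)
        for client, server in reverse_ndr_attempt(srv, victim, "Buy now!"):
            print("C: %s\nS: %s" % (client, server))
        print("recipient_filter=%s -> NDRs queued to victim: %d\n"
              % (filtered, len(ndrs_to(srv, victim))))
```

Run it and compare the two transcripts: the unfiltered server answers `250 2.1.5 Recipient OK`, accepts the body and ends up with a postmaster@example.com message to the victim in its outbound queue, which is exactly the postmaster traffic in the queues described at the top of the thread; the filtered server answers `550 5.1.1 User unknown` at RCPT time and its queue stays empty. The tar pit that Gregg mentions is the delay modelled by `tarpit_seconds`: on Windows Server 2003 SP1 and later it is the TarpitTime registry value (DWORD, seconds) under HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters, described in KB 842851, and the SMTP service has to be restarted for it to take effect. It does not block anything by itself; it makes each rejected RCPT TO slow, so that a spammer harvesting or guessing addresses against a recipient-filtering server pays for every miss.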
http://support.microsoft.com/default.aspx?scid=kb;en-us;886208
Be sure to do the tarpit also.
Gregg Hill
<mjse...@gmail.com> wrote in message
news:1129478340.7...@o13g2000cwo.googlegroups.com...
Can you explain the "tarpit" reference? Wasn't in the article...
Thanks.
"Gregg Hill" <bo...@nowhere.com> wrote in message
news:OMS3GKN1...@TK2MSFTNGP12.phx.gbl...
Gregg Hill
"Skip Shean" <skip...@hotmail.com.(donotspam)> wrote in message
news:%237XJ46O...@TK2MSFTNGP09.phx.gbl...