INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS
Come Join Us!
Are you a
Computer / IT professional?
Join Tek-Tips now!
- Talk With Other Members
- Be Notified Of Responses
To Your Posts
- Keyword Search
- One-Click Access To Your
- Automated Signatures
On Your Posts
- Best Of All, It's Free!
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.
Partner With Us!
"Best Of Breed" Forums Add Stickiness To Your Site
(Download This Button Today!)
"...I have been a grateful member of this site for several years. I love this site and refer everyone to it!..."
Where in the world do Tek-Tips members come from?
How do I combat a Reverse NDR attack?
Posted: 6 Apr 04 (Edited 13 Jul 04)
NOTE: This FAQ was put together that you are using Microsoft Exchange 5.5 (Service Pack 4)
What is a reverse NDR attack?
Spammers have a new means to avoid filters built into many systems. They take advantage of a mail systems sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents.
How do I know that my server is suffering from a Reverse NDR attack?
There are several symptoms that you may see within the Microsoft Exchange Server Admin:
- Outbound email is not being delivered (To view your outbound queue go to the properties of your Internet Mail Service connection, then click on the Queues tab and switch to outbound messages awaiting delivery)
- Take note of the originator in the outbound queue, if you see <> under orignator 99% of the time it will be a spam mail that has generated an NDR. If you see hundreds/thounsands of these then you are most likely suffering a RNDR attack on your exchange server
How do I clear the outbound queue?
I will explain how you can clear the outbound queue, but this will by no means resolve your issue as soon as the Internet Mail Service is started you will continue to resolve spam emails that generate NDRs on your system
(1) Stop the Internet Mail Service
(2) Go to the following directory path: (ie c:\exchsrvr\imcdata\out)
(3) Delete all files in this directory (each file is an email to be sent out, if you have users that are trying to send out there emails are in here also. You may need to advise them to resend emails that they just recently tried to send out, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service
Are there any options within Microsoft Exchange that can combat this issue?
No there aren't any options built into exchange to resolve this issue.
So if there aren't any options in MS exchange to resolve this issue, what can I do to resolve this issue?
Purchase 3rd party spam filtering software, here are a few to select from:
Praetor Software - www.cmsconnect.com
GFI Mail Essentials 9.0 - www.gfi.com
Xwall - www.dataenter.at
These are just a few of the software programs people have used to resolve the RNDR spam attack issue. If you know of others that work, please feel free to let me know and I will add them.
I hope this helps people out as I did have to work through this issue myself several months ago. It's a problem that can be resolved, just not with MS Exchange 5.5 itself.
Thanks to zbnet for sending me the information. It looks like Microsoft actually may be listening as they seem to have resolved the issue concerning the RNDR issue.
It's KB837794 (http://support.microsoft.com/?kbid=837794) you will need to contact Microsoft Support to obtain the fix. There is no charge for contacting Microsoft over the phone.
Back to Microsoft: Exchange 5.5 FAQ Index
Back to Microsoft: Exchange 5.5 Forum
Join Tek-Tips® Today!
Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.
Here's Why Members Love Tek-Tips Forums:
- Talk To Other Members
- Notification Of Responses To Questions
- Favorite Forums One Click Access
- Keyword Search Of All Posts, And More...
Register now while it's still free!
Already a member? Close this window and log in.
Join Us Close