NOTE: This FAQ was put together on the assumption that you are using Microsoft Exchange 5.5 (Service Pack 4).
What is a reverse NDR attack?
Spammers have a new means to avoid filters built into many systems. They take advantage of the fact that a mail system sends a non-delivery report (NDR) when a message cannot be delivered as addressed, and that the NDR returns the original contents.
How do I know that my server is suffering from a Reverse NDR attack?
There are several symptoms that you may see within the Microsoft Exchange Server Admin:
- Outbound email is not being delivered. (To view your outbound queue, go to the properties of your Internet Mail Service connection, click on the Queues tab, and switch to outbound messages awaiting delivery.)
- Take note of the originator in the outbound queue. If you see <> under Originator, 99% of the time it will be a spam mail that has generated an NDR. If you see hundreds/thousands of these, then you are most likely suffering an RNDR attack on your Exchange server.
How do I clear the outbound queue?
I will explain how you can clear the outbound queue, but this will by no means resolve your issue: as soon as the Internet Mail Service is started, you will continue to receive spam emails that generate NDRs on your system.
(1) Stop the Internet Mail Service.
(2) Go to the following directory path (e.g. c:\exchsrvr\imcdata\out).
(3) Delete all files in this directory. (Each file is an email to be sent out. If you have users who are trying to send out mail, their emails are in here too. You may need to advise them to resend emails that they recently tried to send out, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service.
Are there any options within Microsoft Exchange that can combat this issue?
No, there aren't any options built into Exchange to resolve this issue.
So if there aren't any options in MS Exchange to resolve this issue, what can I do to resolve it?
Purchase 3rd-party spam filtering software. Here are a few to select from: