Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Non-Delivery Reports

How do I combat a Reverse NDR attack? by Mottster1
Posted: 6 Apr 04 (Edited 13 Jul 04)

NOTE: This FAQ was put together that you are using Microsoft Exchange 5.5 (Service Pack 4)

What is a reverse NDR attack?

Spammers have a new means to avoid filters built into many systems.  They take advantage of a mail systems sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents.  

How do I know that my server is suffering from a Reverse NDR attack?

There are several symptoms that you may see within the Microsoft Exchange Server Admin:

- Outbound email is not being delivered (To view your outbound queue go to the properties of your Internet Mail Service connection, then click on the Queues tab and switch to outbound messages awaiting delivery)

- Take note of the originator in the outbound queue, if you see <> under orignator 99% of the time it will be a spam mail that has generated an NDR.  If you see hundreds/thounsands of these then you are most likely suffering a RNDR attack on your exchange server

How do I clear the outbound queue?

I will explain how you can clear the outbound queue, but this will by no means resolve your issue as soon as the Internet Mail Service is started you will continue to resolve spam emails that generate NDRs on your system

(1) Stop the Internet Mail Service
(2) Go to the following directory path: (ie c:\exchsrvr\imcdata\out)
(3) Delete all files in this directory (each file is an email to be sent out, if you have users that are trying to send out there emails are in here also.  You may need to advise them to resend emails that they just recently tried to send out, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service

Are there any options within Microsoft Exchange that can combat this issue?

No there aren't any options built into exchange to resolve this issue.

So if there aren't any options in MS exchange to resolve this issue, what can I do to resolve this issue?

Purchase 3rd party spam filtering software, here are a few to select from:

Praetor Software - www.cmsconnect.com
GFI Mail Essentials 9.0 - www.gfi.com
Xwall - www.dataenter.at

These are just a few of the software programs people have used to resolve the RNDR spam attack issue.  If you know of others that work, please feel free to let me know and I will add them.

I hope this helps people out as I did have to work through this issue myself several months ago.  It's a problem that can be resolved, just not with MS Exchange 5.5 itself.

Update: 07/13/2004

Thanks to zbnet for sending me the information.  It looks like Microsoft actually may be listening as they seem to have resolved the issue concerning the RNDR issue.

It's KB837794 (http://support.microsoft.com/?kbid=837794) you will need to contact Microsoft Support to obtain the fix.  There is no charge for contacting Microsoft over the phone.

Back to Microsoft: Exchange FAQ Index
Back to Microsoft: Exchange Forum

My Archive

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close