
Server sending out NDRs for non existent users

Status
Not open for further replies.

mikestl

Technical User
Oct 17, 2003
32
US
Our server has been flooding our internet connection by sending out tons of NDRs. Spammers are sending e-mails to non-existent users at our company, random names like a dictionary attack. They forge their return address. Our server then goes sending out tons of NDRs to those forged return addresses, no doubt spamming legitimate users with NDRs. Our queues are filling up with thousands of NDRs it is trying to send out. I saw something on Exchange 5.5 about how to just make it respond with a 550 error and terminate the connection when someone tries to send a message to a non-existent user. However, it talks about modifying settings in "internet message service". There is no such thing in Exchange 2000. How do I do this in Exchange 2000? I tried disabling NDRs in the past, but I think our server was just pretending to accept all mail at that point rather than giving a 550. Not good. Right now we have the SMTP default virtual server set up to handle mail. Do I need to set something up with connectors? By the way, I know I have open relaying secured and it is only accepting e-mails for our domain. The problem is it is accepting all e-mails for our domain even if the users don't exist. I am really at my wits' end with this; if anyone can offer any assistance it would be much appreciated. Thanks
 
Thanks for the link. It looks like it offers a real solution to Exchange 2003 users, but for Exchange 2000 users it just offers a reactive approach of cleaning out the mess every time it happens (which as of late we are getting hit hard several times a week). It would seem Microsoft should offer free upgrades to Exchange 2003, since Exchange 2000 has an obvious denial-of-service vulnerability via NDRs. Either that or they should issue a patch. I suppose they don't consider this a flaw. I'm sure grumbling to them about it would accomplish nothing. Looks like it's time to be purchasing an upgrade.
 
It's tempting to blame Microsoft; however, the problem is with the SMTP protocol standard, and the governing body is the Internet Standards Consortium, not the Exchange product. All SMTP servers that conform to the standard (Lotus, iPlanet, and even Sendmail) will happily plug along sending NDRs to a spoofed address, albeit not as efficiently as Exchange. To Microsoft's credit, they have been a leader in adoption of new technologies like "tar pitting" to combat spam issues.

You might try disabling NDRs for a while.

 
Thanks again. I suppose it is a bit misdirected to place all blame on Microsoft. The high cost of keeping up to date just enough to keep from being attacked does get irritating though. I am trying out a trial of a program called Open Relay Filter now that so far has completely solved the problem by rejecting all e-mail to users that don't exist at our domain. I'm keeping my fingers crossed.
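
Added example, not part of the thread and not Exchange code: a small Python model of the two behaviours discussed above, accepting every RCPT and bouncing later versus answering 550 at RCPT time. The domain, mailboxes, session lines and the `max_bad_rcpt` cutoff are constructed assumptions.

```python
# Added example: constructed directory and session, not Exchange code.
VALID = {"alice@example.com", "bob@example.com"}  # hypothetical mailboxes

SESSION = [  # constructed dictionary-style probe with a forged sender
    "MAIL FROM:<victim@forged.example>",
    "RCPT TO:<aaron@example.com>",
    "RCPT TO:<abby@example.com>",
    "RCPT TO:<alice@example.com>",
    "DATA",
]

def addr(arg):
    """Pull the address out of 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg[arg.index("<") + 1:arg.index(">")].lower()

def run_session(commands, reject_unknown, max_bad_rcpt=3):
    """Return (replies, ndr_targets); DATA is collapsed to one step, no body."""
    replies, ndrs = [], []
    sender, accepted, bad = "", [], 0
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            sender, accepted = addr(arg), []
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = addr(arg)
            if rcpt in VALID or not reject_unknown:
                accepted.append(rcpt)
                replies.append("250 2.1.5 Recipient OK")
                continue
            bad += 1
            replies.append("550 5.1.1 User unknown")
            if bad >= max_bad_rcpt:  # stop serving an obvious address sweep
                replies.append("421 4.7.0 Too many unknown recipients")
                break
        elif verb == "DATA":
            if not accepted:
                replies.append("554 5.5.1 No valid recipients")
                continue
            replies.append("250 2.6.0 Queued")
            # Mail accepted for a missing mailbox bounces to the forged sender.
            ndrs += [sender for r in accepted if r not in VALID and sender]
            accepted = []
    return replies, ndrs

if __name__ == "__main__":
    for policy in (False, True):
        print(policy, run_session(SESSION, reject_unknown=policy))
```

With `reject_unknown=False` the two unknown recipients each produce an NDR aimed at the forged sender; with `reject_unknown=True` the rejection happens inside the sending host's own session and nothing is queued.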
 