NOTE: This FAQ was put together on the assumption that you are using Microsoft Exchange 5.5 (Service Pack 4).
What is a reverse NDR attack?
Spammers have a new means of avoiding the filters built into many systems. They take advantage of the fact that a mail system sends a non-delivery report (NDR), which returns the original contents, when a message cannot be delivered as addressed.
How do I know that my server is suffering from a Reverse NDR attack?
There are several symptoms that you may see within the Microsoft Exchange Server Admin:
- Outbound email is not being delivered (To view your outbound queue go to the properties of your Internet Mail Service connection, then click on the Queues tab and switch to outbound messages awaiting delivery)
- Take note of the originator in the outbound queue. If you see <> under originator, 99% of the time it will be a spam mail that has generated an NDR. If you see hundreds/thousands of these, then you are most likely suffering an RNDR attack on your Exchange server.
How do I clear the outbound queue?
I will explain how you can clear the outbound queue, but this will by no means resolve your issue: as soon as the Internet Mail Service is started, you will continue to receive spam emails that generate NDRs on your system.
(1) Stop the Internet Mail Service
(2) Go to the following directory path (i.e. c:\exchsrvr\imcdata\out)
(3) Delete all files in this directory (each file is an email to be sent out; if you have users who are trying to send out emails, their emails are in here also. You may need to advise them to resend emails that they recently tried to send out, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service
Are there any options within Microsoft Exchange that can combat this issue?
No, there aren't any options built into Exchange to resolve this issue.
So if there aren't any options in MS Exchange to resolve this issue, what can I do to resolve it?
Purchase 3rd party spam filtering software, here are a few to select from:
These are just a few of the software programs people have used to resolve the RNDR spam attack issue. If you know of others that work, please feel free to let me know and I will add them.
I hope this helps people out as I did have to work through this issue myself several months ago. It's a problem that can be resolved, just not with MS Exchange 5.5 itself.
Update: 07/13/2004
Thanks to zbnet for sending me the information. It looks like Microsoft actually may be listening as they seem to have resolved the issue concerning the RNDR issue.
It's KB837794 (http://support.microsoft.com/?kbid=837794). You will need to contact Microsoft Support to obtain the fix. There is no charge for contacting Microsoft over the phone.