
can't stop receipt and NDRs for bogus e-mail addresses

Status: Not open for further replies.

dgudde (MIS), Feb 20, 2002, US
I read the FAQ on relaying here and plenty of other places as well. In several places, including here, I've read this:

"The trick is that you can select the Hosts and clients with these IP addresses check box but not specify any IP addresses. Unless you have a specific need to have your Exchange server relay, don't enter any IP addresses on this page. This selection changes the rules that the IMS uses when evaluating the SMTP protocol. Instead of letting the IMS accept the RCPT TO specification blindly, this selection causes the IMS to check for local delivery before letting it upload a message. If the recipient isn't local, the IMS will return 550 Relaying prohibited."

I wish my Exchange server was working this way. I believe that it is configured as stated, but my Exchange server, rather than returning 550, accepts the bogus/non-local recipient message and then returns an NDR.

With thousands of messages pouring into our domain with bogus recipient names, plus the NDRs, our e-mail performance is taking a big hit. We just have one Exchange 5.5 server (Service Pack 4) on Windows NT 4.0. Any ideas?
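The two behaviours the post contrasts (the FAQ's "check for local delivery at RCPT TO and answer 550" versus "accept anything in our domain and send an NDR afterwards") as a scripted SMTP exchange. This is an added example written for this thread, not Exchange code or anything from the original poster; the domain, the mailbox names, the reply texts and the client script are all assumed or constructed. It also shows the one case where even the accept-then-NDR policy must not bounce: a message whose envelope sender is the null reverse-path `<>`.

```python
"""Minimal SMTP receiving-side simulator contrasting two recipient policies:
reject an unknown local recipient at RCPT TO (550), or accept the message and
generate an NDR after DATA.  Added example, not Exchange code.  LOCAL_DOMAIN,
LOCAL_USERS, reply strings and SPAM_SESSION are assumed/constructed."""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"         # assumed: the domain this server is authoritative for
LOCAL_USERS = {"alice", "bob"}       # assumed: the only mailboxes that exist


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)  # (client line, server reply)
    queued: list = field(default_factory=list)      # (sender, recipient) accepted for local delivery
    ndrs: list = field(default_factory=list)        # (sender, recipient) NDRs sent back to the sender
    dropped: list = field(default_factory=list)     # undeliverable but sender was <>: no NDR generated


def _addr(arg):
    """'TO:<user@host>' -> 'user@host'; 'FROM:<>' -> '' (null reverse-path)."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


def _is_local_user(rcpt):
    user, _, domain = rcpt.partition("@")
    return domain == LOCAL_DOMAIN and user in LOCAL_USERS


def smtp_session(client_lines, reject_at_rcpt):
    """Feed a scripted client through a tiny SMTP state machine.

    reject_at_rcpt=True  : validate the recipient before accepting it (the FAQ behaviour).
    reject_at_rcpt=False : accept any recipient in our domain, then NDR after DATA
                           (the behaviour described in the post)."""
    out = Outcome()
    sender, rcpts, in_data = None, [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                continue                            # message body: not inspected here
            in_data = False
            for r in rcpts:
                if _is_local_user(r):
                    out.queued.append((sender, r))
                elif sender == "":
                    out.dropped.append((sender, r))  # never bounce to <>: that is how bounce loops start
                else:
                    out.ndrs.append((sender, r))     # NDR goes to a possibly forged sender
            sender, rcpts = None, []
            out.transcript.append((line, "250 Message accepted for delivery"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mail." + LOCAL_DOMAIN
        elif verb == "MAIL":
            sender = _addr(arg)
            reply = "250 Sender OK"
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if not rcpt.endswith("@" + LOCAL_DOMAIN):
                reply = "550 Relaying prohibited"       # relay refused in both modes
            elif reject_at_rcpt and not _is_local_user(rcpt):
                reply = "550 No such user here"         # refused before any DATA is uploaded
            else:
                rcpts.append(rcpt)
                reply = "250 Recipient OK"
        elif verb == "DATA":
            in_data = bool(rcpts)
            reply = "354 Start mail input" if rcpts else "503 No valid recipients"
        elif verb == "QUIT":
            reply = "221 Closing connection"
        else:
            reply = "500 Command unrecognized"
        out.transcript.append((line, reply))
    return out


# Constructed client script: one real mailbox, one bogus one, one relay attempt,
# all sent with a forged envelope sender.
SPAM_SESSION = [
    "HELO smtp.relay.example.net",
    "MAIL FROM:<victim@forged.example.org>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<qx7zz@example.com>",
    "RCPT TO:<someone@other.example.org>",
    "DATA",
    "Subject: constructed test message",
    "",
    "hello",
    ".",
    "QUIT",
]


def reply_to(outcome, client_line):
    """Server reply recorded for a given client command."""
    return next(reply for sent, reply in outcome.transcript if sent == client_line)


if __name__ == "__main__":
    for mode in (True, False):
        o = smtp_session(SPAM_SESSION, reject_at_rcpt=mode)
        print(f"reject_at_rcpt={mode}: queued={len(o.queued)} ndrs={len(o.ndrs)}")
        for sent, reply in o.transcript:
            print(f"  C: {sent}\n  S: {reply}")
```

In the rejecting mode the bogus recipient never gets past RCPT TO, so no message body is uploaded, nothing is logged as a delivery, and no NDR exists to be bounced back. In the accepting mode the same session yields one queued message plus one NDR addressed to a sender the spammer chose, which is the "triple traffic" pattern described later in the thread.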
 
If you read the FAQ on relaying, you will notice that when you go into the properties of the IMC and to Routing, I believe, there is a tab that mentions "only users who authenticate". You must check this to turn on relaying; then your server should be secure from relaying. You will still get NDRs, but you will not wind up on an ORBS list for relaying.

AM
 
We are in the same position as dgudde. We have followed all of the recommendations in the FAQ and various other threads, i.e. "only users who authenticate", hosts and clients with no IP addresses in the field, etc., and yet as soon as we restart the IMC we are flooded with tens of thousands of relay messages from <>. The Exchange server has been unusable now for 3 days! Any other suggestions, please?
 
ashleym - Thank you for your reply. Our Exchange server is not an open relay and we are not on an ORBS list for relaying. The FAQ says that there is a way to stop the NDRs; that's what I'm trying to do, but it is not working as stated.

JohnB66 - we are able to use our Exchange server. I was able to stop most of the traffic by stopping traffic from open relays at the firewall. I don't know of a way to filter traffic through an open relay database, so I find the open relay IP addresses of the traffic coming to our Exchange server in the log files and block them one by one in the firewall. If this is an option for you, you can open the log files in \exchsrvr\logs\mdbdata\edb?????.log with Word, WordPad or Notepad and search for "open relay".

Some of the traffic may have passed through systems that check against open relay databases and the above search may give you the IP addresses of the open relays that are passing the traffic. I had to block about 30 IPs in the firewall but our performance is back up to almost 100% now.

My main problem is that even with logging set to minimum, I have to constantly delete the log files to keep the disk from filling up at which point the IMS shuts down. That's why I was hoping to get the server to do what the FAQ says it can and not even accept SMTP connections if the recipient e-mail address is not valid. For some reason, you can make up any old name and our exchange server will accept the connection, receive the data, log the transaction and then send a non-delivery report (NDR) to the sender which is often a forged address so that we get another NDR in response to our NDR. Triple traffic that should be avoidable if I can ever get the server to stop accepting SMTP connections when the recipient address is bogus.
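The manual "search the logs for 'open relay' and block each IP in the firewall" procedure from the post above, automated. This is an added example for this thread, not the poster's own tooling; the log lines are constructed (RFC 5737 documentation addresses, with 192.0.2.10 standing in for the Exchange server), the "open relay" phrase is simply the marker the post says to search for, and the own-network list is an assumption. The script counts hits per address so the busiest relays can be blocked first, skips anything that matches the IP pattern but is not a valid address, and never emits one of your own addresses.

```python
"""Extract the IP addresses of open relays from mail log text so they can be
blocked at the firewall.  Added example, not code from the thread.  The log
lines are constructed; the "open relay" marker and OWN_NETWORKS are assumed."""
import ipaddress
import re
from collections import Counter

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed: our own address space, which must never end up in the block list.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def _valid_foreign_ip(text):
    """True only for a well-formed, non-loopback address outside OWN_NETWORKS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False            # e.g. "999.1.1.1" matches the regex but is not an address
    if ip.is_loopback:
        return False
    return not any(ip in net for net in OWN_NETWORKS)


def open_relay_ips(log_text, marker="open relay"):
    """Return [(ip, hit_count), ...] for every foreign IP found on a log line
    containing `marker` (case-insensitive), most frequent first."""
    hits = Counter()
    for line in log_text.splitlines():
        if marker.lower() not in line.lower():
            continue
        for candidate in IPV4.findall(line):
            if _valid_foreign_ip(candidate):
                hits[candidate] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log lines; 192.0.2.10 is "our" server and must not be listed.
SAMPLE_LOG = """\
Received: from mx.example.net (203.0.113.7) by 192.0.2.10; open relay check: listed
Received: from relay.example.org (198.51.100.22) by 192.0.2.10; open relay check: listed
Received: from mail.example.com (198.51.100.99) by 192.0.2.10; authenticated
Received: from mx.example.net (203.0.113.7) by 192.0.2.10; OPEN RELAY check: listed
Received: from bad.host (999.1.1.1) by 192.0.2.10; open relay check: listed
"""

if __name__ == "__main__":
    for ip, n in open_relay_ips(SAMPLE_LOG):
        print(f"{ip}\t{n} hit(s)")
```

Run it against the real log text instead of SAMPLE_LOG and feed the resulting addresses to whatever block-list mechanism the firewall accepts; re-run it periodically, since the set of relays the spam arrives through changes.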
 
I don't have the option 'only users who authenticate' checked. I deny relay to everyone, authenticated or not.
Of course that disables remote POP3 access, but we don't have a use for it so it's OK.
 