
Exchange 5.5 Spam/Relay/NDR issues 3


MelvinSE

MIS
Nov 25, 2003
11
US
I was hoping to get some feedback on a critical problem I've been having for the last couple of weeks. I'm running NT 4.0 and Exchange 5.5. A couple of weeks ago users began complaining about long delivery times on outbound emails. When I checked the server, the outbound queue was filled with tons of NDRs resulting from spam messages. After some testing, I figured it was an open relay and the spam was being relayed through the system and not created internally from a trojan or virus (a few different scans seemed to verify this). After installing some of the latest service packs for Exchange and performing other tasks (some of which I read here - thanks!) I still couldn't get the NDRs to stop clogging the outbound queue. Here's a rundown of everything I've done so far:

Disabled the Guest account
Deleted any unused accounts and disabled any accounts that are not in use.
Changed all passwords to difficult ones
Changed the Exchange Service Account - used a difficult password.
REINSTALLED EXCHANGE SERVER 5.5
Installed ALL the service packs for Exchange 5.5
Re-closed the relay (IMS Properties - Routing - Routing Restrictions - checked "Hosts and Clients With These IP Addresses" and did not enter any addresses)

The NDRs are still being created. Sometimes it slows down, sometimes it's thousands per hour. For a day, I thought it was fixed, but over the weekend, there were 20,000 NDRs in the outbound queue by Monday morning. The logs seem to point to a bunch of inbound SMTP connections being accepted from various hosts whenever the IMS service is started. Where and how can I stop these IPs from connecting? There's dozens, maybe hundreds of connections being received and stopping those IP addresses at the firewall could take weeks. If I only allow SMTP connections to/from my ISPs IP addresses, would that work, since the mail is directed through their DNS servers? I'm at a complete loss for ideas. I'm not the most experienced tech when it comes to this stuff, but I'm the only one at my office with enough experience to work on it. Thanks for any help!
 
Go to Thread 10-655444. Other people have been having this problem since September. I finally found this thread right before Thanksgiving.
 
Well, after spending the better part of two weeks on this issue, here's what I found out:

(1) This is referred to as an NDR Reverse Spam Attack.
(2) There are no settings within 5.5 that will stop this attack.
(3) In talking with Microsoft, they recommended 3rd party spam filtering software.
(4) There are only a few companies that have software that specifically has the ability to block this type of attack.

The software that I have currently installed on the Exchange server in question is Praetor (they have a 21-day full-version trial available for download). You can install this onto the same system that you are running Exchange off of. Most others are required to be installed on a separate system.

Once installed you will still be hammered by whoever is sending the email inbound to you. It's just that the mail will not make it to your Exchange server. You will need to add all addresses that you want to allow email to come in to.

So that should hopefully help you get on your way.

Sean
 
Thanks guys, but unfortunately I've already read the previous threads (I've never had a "bluestell" originator problem, just blank NDRs). Mottster, your reply makes the most sense (that it's unfixable without third party software), so I'm looking more into Praetor - which I also found recently but have yet to try.

Any other help is still appreciated!
 
MelvinSE (MIS), I am having the exact same problem and have tried EVERYTHING you mentioned at least twice. Going to work on installing a mail filter now as it appears I'm SOL otherwise. Any updates on this subject, please post! Thanks
 
What Notifications options do you have selected in the IMS? (Internet Mail tab, Notifications button)
 
Re: What Notifications do you have selected?

I have all the notifications turned off.
 
Even after turning off all the notifications, it will not resolve the NDR attack. You must install SPAM filtering software to resolve the issue.
 
I am running Exchange 5.5 on NT4 SP6 and have had the same problem. Whenever a mail was received for an address on my domain that did not exist, the server seemed to use the from address as the new destination and forwarded the mail on. I had the guest account disabled and relaying enabled but restricted to authenticated users and the "hosts with these IP addresses" box ticked.

I have followed Mottster1's suggestion and installed a spam filter that will only pass mail with a valid address on my domain. This seems to have resolved the problem.
 
What spam software helps you do that - only pass on valid addresses on your domain? I think this is the only good way to go.

The 2nd best way to go is configure Exchange to take in ALL email going to non-existing users and have it auto-delete within a time interval. I see no way to configure that though.

As for the Praetor program, I'm wondering why you would need it if all it does is filter out domains you disallowed. Exchange 5.5 SP6 can already do that. Check IMS Connections "Specify by Host" tab.
 
Melvin,

Do you have logging turned on? Do you message filter with Exchange 5.5? I started blocking based on the IP or domain name. All relays are closed. I went from 50000 of those <> to just 5. If you message filter, make sure you don't have a turf directory for deleted emails; just have the message filter delete the email. You have to turn on SMTP filtering and Message Archival to Max. Just remember to dump the message archival every once in a while.

To see what I'm talking about, in Exchange Administrator, click on Connections, IMS Connector, click on the Connections tab and click on Message Filter. From there put in the offending IPs and domains such as:
@10.23.124.66
@stupidspammer.com

The @ sign makes the message filter ignore messages from that particular domain. I'm sure if you have 20000 or so <> messages in your outbound queue, you are going to have doubles and triples.

**if I made any incorrect assumptions please correct me**
 
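The message-filter approach above works best when the offending sources are ranked first, since a queue of 20,000 NDRs contains many repeats. The script below is an added example (not code from the thread or from any Exchange tool): it parses a few constructed SMTP log lines in a made-up layout (connecting IP, MAIL FROM, RCPT TO), counts attempts to deliver to local addresses that do not exist, and prints entries in the `@host` form the post describes for the IMS message filter. The log layout, the regex, the local mailbox list and the threshold are all assumptions; adapt the regex to whatever your IMS logging actually writes.

```python
"""Rank sources of NDR-generating traffic and emit IMS message-filter entries.

Added example, not from the thread. The log line layout, sample data, local
mailbox list and threshold are CONSTRUCTED for illustration."""
import re
from collections import Counter

# Constructed sample log: date time client-ip MAIL FROM:<...> RCPT TO:<...>
SAMPLE_LOG = """\
2003-11-25 08:01:02 10.23.124.66 MAIL FROM:<abc@stupidspammer.com> RCPT TO:<nosuchuser1@example.com>
2003-11-25 08:01:03 10.23.124.66 MAIL FROM:<xyz@stupidspammer.com> RCPT TO:<nosuchuser2@example.com>
2003-11-25 08:01:09 192.0.2.17 MAIL FROM:<bob@partner.example.net> RCPT TO:<melvin@example.com>
2003-11-25 08:02:11 198.51.100.8 MAIL FROM:<> RCPT TO:<ghost@example.com>
2003-11-25 08:02:12 10.23.124.66 MAIL FROM:<qrs@stupidspammer.com> RCPT TO:<nosuchuser3@example.com>
2003-11-25 08:03:00 198.51.100.8 MAIL FROM:<junk@bulkmailer.example> RCPT TO:<nosuchuser4@example.com>
"""

# Assumed layout; real IMS logs will need their own pattern.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ip>\S+) MAIL FROM:<(?P<sender>[^>]*)> RCPT TO:<(?P<rcpt>[^>]+)>$"
)


def parse_log(text):
    """Yield (client_ip, sender_domain, recipient) for each well-formed line.
    The null sender <> yields an empty domain."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sender = m.group("sender")
        domain = sender.split("@", 1)[1].lower() if "@" in sender else ""
        yield m.group("ip"), domain, m.group("rcpt").lower()


def count_offenders(text, valid_recipients):
    """Count, per client IP and per sender domain, delivery attempts to local
    addresses that do not exist; those are the ones that become outbound NDRs."""
    ips, domains = Counter(), Counter()
    for ip, domain, rcpt in parse_log(text):
        if rcpt in valid_recipients:
            continue  # legitimate delivery, not backscatter material
        ips[ip] += 1
        if domain:
            domains[domain] += 1
    return ips, domains


def filter_entries(ips, domains, threshold=2):
    """Render '@host' entries for the IMS message filter, most frequent first.
    The threshold keeps a single mistyped address from blocking a whole host."""
    entries = [f"@{ip}" for ip, n in ips.most_common() if n >= threshold]
    entries += [f"@{d}" for d, n in domains.most_common() if n >= threshold]
    return entries


if __name__ == "__main__":
    ips, domains = count_offenders(SAMPLE_LOG, {"melvin@example.com"})
    for entry in filter_entries(ips, domains):
        print(entry)
```

Run it against a real log export and paste the printed lines into the message filter; review the list first, since a forged sender domain may belong to an innocent third party whose mail you still want.
 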
Hi all.
I had the same problem and I resolved it by following Thread 10-655444.
However... I need to allow 3 machines on my net to relay (we use a dBase application that sends email directly from it).
Each time we designate these 3 machines to be allowed to relay, our server is open to relay. Does anyone have an idea of how to allow relay only from these machines but not open our server to relaying?

Sorry, I am not a techie, so I can provide more details when asked.

thanks
jim
 
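Two questions in this thread have the same answer at the SMTP level: the NDR storm (the server accepts mail for a non-existent local user and only later bounces it to a forged sender, as described a few posts up) and the relay question just above (only three internal machines may relay). Both are decided at RCPT TO time, before any message is accepted. The block below is an added example, not code from the thread or from Praetor, GFI or Exchange: it models a gateway policy in Python with constructed local domains, mailbox list, relay hosts and sessions, and compares it with the accept-then-bounce behaviour the thread describes by counting how many NDRs each would generate.

```python
"""SMTP RCPT TO policy: closed relay plus recipient validation.

Added example; the policy, domains, mailboxes, relay hosts and sessions are
CONSTRUCTED and stand in for whatever your gateway or filter configures."""
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}                            # constructed: domains we accept mail for
VALID_LOCAL = {"melvin@example.com", "jim@example.com"}    # constructed: mailboxes that really exist
RELAY_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}   # constructed: the 3 internal app machines


@dataclass
class Decision:
    code: int            # SMTP reply code given at RCPT TO
    text: str
    ndr_generated: bool  # would this policy later create an outbound NDR?


def _split(rcpt_to):
    rcpt = rcpt_to.strip("<>").lower()
    domain = rcpt.rsplit("@", 1)[-1] if "@" in rcpt else ""
    return rcpt, domain


def _relay_decision(client_ip):
    """Relay to a foreign domain is allowed only from the allow-listed hosts."""
    if client_ip in RELAY_HOSTS:
        return Decision(250, "Recipient OK (relay permitted for this host)", False)
    return Decision(550, "Relaying denied", False)


def accept_then_bounce(client_ip, mail_from, rcpt_to):
    """Model of the behaviour the thread describes: any local-domain recipient
    is accepted; 'user unknown' is found at delivery and an NDR goes to
    mail_from, which the spammer forged. No NDR is sent to the null sender <>."""
    rcpt, domain = _split(rcpt_to)
    if domain not in LOCAL_DOMAINS:
        return _relay_decision(client_ip)
    bounce = rcpt not in VALID_LOCAL and mail_from.strip("<>") != ""
    return Decision(250, "Recipient OK", bounce)


def reject_at_rcpt(client_ip, mail_from, rcpt_to):
    """Hardened policy: unknown local users are refused during the SMTP
    session, so nothing is ever queued and there is nothing to bounce."""
    rcpt, domain = _split(rcpt_to)
    if domain not in LOCAL_DOMAINS:
        return _relay_decision(client_ip)
    if rcpt not in VALID_LOCAL:
        return Decision(550, "No such user here", False)
    return Decision(250, "Recipient OK", False)


# Constructed sessions: (client_ip, MAIL FROM, RCPT TO)
SESSIONS = [
    ("203.0.113.5", "victim@forged.example", "nosuchuser1@example.com"),   # backscatter bait
    ("203.0.113.5", "victim@forged.example", "nosuchuser2@example.com"),   # backscatter bait
    ("203.0.113.9", "<>", "ghost@example.com"),                            # null sender, unknown user
    ("198.51.100.20", "bob@partner.example.net", "melvin@example.com"),    # legitimate inbound
    ("203.0.113.5", "spam@forged.example", "someone@elsewhere.example"),   # relay attempt, outsider
    ("192.0.2.10", "dbase@example.com", "customer@elsewhere.example"),     # relay from allowed host
]


def evaluate(policy, sessions):
    """Return (recipients accepted, NDRs that would be generated) for a policy."""
    accepted = ndrs = 0
    for ip, mail_from, rcpt_to in sessions:
        d = policy(ip, mail_from, rcpt_to)
        accepted += d.code == 250
        ndrs += d.ndr_generated
    return accepted, ndrs


if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        print(policy.__name__, evaluate(policy, SESSIONS))
```

With these sessions the accept-then-bounce model accepts five recipients and would emit two NDRs to the forged address, while the reject-at-RCPT policy accepts only the two legitimate recipients and emits none; the dBase machines still relay because the decision keys on the connecting IP, not on whether the recipient is local. The same outcome is what a front-end filter that "only passes mail with a valid address on my domain" achieves in front of Exchange 5.5.
 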
You could also try using GFI Mail Essentials 9.0 for your SPAM problems. If you are running Exchange 5.5 SMTP, you will have to set that SMTP server to run as a smart host. Build a separate Windows 2000/2003 server for a new front end filter, install Windows SMTP mail (comes with the O/S), and install the SPAM program. It will filter all messages before they arrive at your Exchange 5.5 SMTP smart host at that point. Pretty easy to set up and comes with a good enough manual to get you running in no time.
 