
IMS Queues filling up...


DColcl

MIS
Sep 22, 2003
436
US
... with messages from an "Originator" named <>. I don't have any users with this <> as a name. Furthermore, the "Outbound messages Awaiting Delivery" queue keeps filling up.

Any thoughts?

Danny
 
OY! This topic has been hashed to death. Do a search about the mysterious <> and you will find many answers.

The <> is a RNDR attack, the spammer does a reverse lookup on your server to try and do spamming... it's more of an annoyance than anything. Exchange 5.5 cannot stop against RNDR attacks.
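
As an added illustration, not part of the original thread: a small triage script for the symptom described above, an outbound queue dominated by messages whose originator is `<>`. The pipe-delimited queue listing, the thresholds and all addresses are constructed assumptions, not an Exchange export format.

```python
from collections import Counter

# Constructed sample: one queued outbound message per line as
# "originator|recipient|size". Hypothetical layout, not an Exchange format.
SAMPLE_QUEUE = """\
<>|a1@example.net|2048
<>|b7@example.org|2051
<>|c3@example.com|2050
<>|d9@example.net|2049
alice@corp.example|partner@example.com|10240
<>|e2@example.org|2052
bob@corp.example|vendor@example.net|512
"""


def parse_queue(text):
    """Return (originator, recipient_domain) pairs, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or "@" not in parts[1]:
            continue
        entries.append((parts[0], parts[1].rsplit("@", 1)[1].lower()))
    return entries


def backscatter_report(text, ratio_threshold=0.5, min_null=3):
    """Summarise null-originator (<>) traffic in an outbound queue.

    The queue is flagged when <> messages number at least min_null and
    make up at least ratio_threshold of everything queued (assumed thresholds).
    """
    entries = parse_queue(text)
    null_domains = Counter(dom for orig, dom in entries if orig == "<>")
    null_count = sum(null_domains.values())
    total = len(entries)
    ratio = null_count / total if total else 0.0
    return {
        "total": total,
        "null_originator": null_count,
        "ratio": round(ratio, 2),
        "distinct_domains": len(null_domains),
        "flagged": null_count >= min_null and ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    print(backscatter_report(SAMPLE_QUEUE))
```
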

 
Thank you, Dya for the information. I'll look through this site for <> and see what comes up. Sorry to keep the topic alive though... my initial search didn't find any answers.

Danny
 
That's okay, the initial search for <> doesn't bring up very much, but if you put in RNDR or blank sender you will find more of your fair share!
 
We had the reverse NDR issue as well, about 2 1/2 months ago. We stopped it by using a third party utility called Praetor. You can find it here. You can download a free full 21 day version.

We installed it on the Exchange 5.5 box. It stopped the reverse NDRs in their tracks.
 
MS Exchange NDR hotfix
Where is this link and download? Went to the url and it said to call Microsoft. Is there not a direct link to this fix?
jim
 
NDR Hotfix - I could not find this fix on the MS support site. Maybe I will call to get it?

Patrick
 
Yeah, I had to talk to my TechNet online help guy to obtain the fix, I've got it. They caution me as it has not been regression tested... I'm reluctant to try it in my production environment and my lab has Exchange 2003 in it.
 
I was sent this hotfix by MS yesterday and installed it last night. It looks like it's working fine right now. No NDRs are showing up in this folder that are not legitimate.

I set the SuppressNDROptions to 10 (do not generate NDRs).

MCR
 
Is this update on any website? I couldn't find it on the Microsoft website.
 
You have to ask Microsoft to send it to you... it's better if you have TechNet Plus, then you can just ask for it and they'll give it to you!
 
I installed this Hotfix yesterday and it is working fine. We were generating 7000 - 9000 queued NDRs per day and today we are down to 1 and this looks genuine.

I have experimented with the SuppressNDROptions and found setting the Dword value to 1 works well for us since the NDRs get generated, but not delivered by the IMS. This means that all our Exchange users get NDRs for anything originated by them and found to be undeliverable, but nothing gets sent to the internet when mail arrives for unknown addresses.

The 10 value gives no NDRs at all, so Exchange users do not get any notification of undeliverable mail.

One point I also noticed when changing the Dword value, it appeared to be necessary to restart the IMS for the change to show through although Microsoft don't mention this.
 
The IMS reads the registry only at startup. It has always been necessary to restart the IMS when making any major changes to the configuration.
 
I had suspected that the registry only gets read at IMS startup - it's good to have that confirmed.
Rob
 
Hey!
Called up MS on Sunday just after 12:01 PM Est,

Got the file emailed,
Extracted and installed,
Put in the registry value and set it to 10,
Restarted IMS,

ONE QUESTION:
What will the 100 Value do,

Will it suppress the original issues, as well as preventing read, delivered and opened receipts from my users?

Don't want to set to 100 if I am going to get the same issue as NDRs originating from <> again,

BTW - Thanks for all the posts, very informative, and hats off to Dyadmin (IS/IT--Manageme), and zbnet (MIS),

Nice work boys, and all of you that posted additional questions,

 
syslogreader

The value of 100 is the most extreme form of lockdown for all the system-generated messages. It differs from the value of 10 because not every system-generated message is an NDR - some of them are Read Receipts and some are Delivery Reports. A value of 10 will suppress the generation of NDRs but still generate RRs & DRs; a value of 100 will stop all NDRs, RRs and DRs.

I would have thought a value of 10 is sufficient for most people at the moment - ReverseRR and ReverseDR attacks haven't got the same appeal to a hacker as a ReverseNDR attack, as (unlike the NDR) a DR and RR don't normally return the content of the message with them, so are useless to someone trying to send spam (although this doesn't prevent them from being used for a denial of service attack).
 
Does anyone know if we can do the same thing in Exchange 2000? Same fix? Because the KB article seems to be for Exchange 5.5 only.
 