Need to figure a way to stop this email from coming in

xmario2013

IS-IT--Management
Feb 1, 2004
Hi All:

As all of you should know, MYDOOM is killing the email servers (many of them run Exchange) out there, our server being one of them, not completely in the sense of this malicious virus, but the unnecessary load has increased.

We have 3 layers of Norton AntiVirus (the gateway, for the Exchange and for the desktop) in our Exchange; although all the attachments are stripped before they get to the users, some of them still come through (without the attachment).

There are a number of emails coming in for all the crazy aliases, like

crazy@mydomain.com
mark@mydomain.com
john@mydomain.com
jack@mydomain.com
joe@mydomain.com
mary@mydomain.com

etc.

Anything with mydomain.com is coming in, but the aliases are just not even close.

Is there a way for Exchange server to be able to filter by these incoming addresses? And also, is there a way to tell Exchange not to send NDR replies?

Thanks
M
 
In the IMS under Connections | Message Filtering you can filter by domain or user. You should be able to enter the @domain.com and restrict any emails coming from that domain from delivery without sending an NDR.

I haven't used this so don't know any subtleties to this util but it is provided.
 
But that is his domain, can't filter that out.

The "from" domain on these messages will be all over the map and will be perfectly legitimate domains....

Don't think you can do it.
 
I would suggest installing perimeter filtering software such as XWall, which is what we're using. It filters out all such emails before they ever get to our mail server. Firewalling your email server with a proxy also helps in protecting it from relay and abuse.
 
How would XWall filter out emails that were sent to your domain but to invalid recipients?

Seems like it would have to check with your server anyways so you are not really decreasing the load.

Or can you tell it what are valid recips?

I guess it could stop the NDR's though?

 
I have imported the Address List from the Exchange server and XWall checks all incoming email against that list. If alias not listed it returns "error 551 user does not exist" to the sender server and breaks the connection.
 
Cool, mine can't do that. Hardware Intrusion detection/spam filter etc called Xdefenders.

Unfortunately we partner with that company so I have to use it.

Course that's one more step required to add a new user also.

 
True, but the way I see it, it's worth that extra step lol :)
 
We are using Symantec AntiVirus for gateway. It's not going to exactly stop the spam, but it has some functionality to stop certain emails by subject. Any other suggestions besides XWall?

Thanks
 
I have Exch 5.5 on a W2K box and was also getting all the crazy e-mails that xmario2004 was getting, plus plenty more dubious ones, so I was able to filter them at the gateway so they were dropped before getting to the Exch server, therefore removing any load on Exch as well.

We use Sophos MailMonitor for SMTP, and it has certainly worked great in this instance.

Regards
 
rdroske,

"I guess it could stop the NDR's though?"

Not only can you configure it to just drop emails for invalid recipients, you can configure it to strip the delivery receipt and read receipt flags for all emails, which is something Exchange 5.5 can't do.

You can also configure it to block specific attachments. For example, we need to allow .zip files through because that is how many of our clients send us their accounting data. For added protection against the virus du jour I go to Symantec's avcenter, get the info on what attachments are coming with the virus and block those specific attachments (i.e. document.zip, text.zip, among others, for Mydoom.A).

Cheers.
 
I have imported the Address List from the Exchange server and XWall checks all incoming email against that list. If alias not listed it returns "error 551 user does not exist" to the sender server and breaks the connection.

>>>>>>>>>

In the situation above, does that stop e-mails from coming in that are sent to "undisclosed recipients"? I guess not, since somewhere in the incoming e-mail it will have to have one of our e-mail addresses in it.

I have a WatchGuard firewall and I could copy all the Exchange aliases to the SMTP incoming filter, and to clarify, this will stop invalid-mailbox e-mails from ever getting to Exchange. Is this worth doing, i.e. is there that much stuff that it would be stopping? Has anybody else quantified how much junk hits your server with the right domain name and wrong user name?

Storm
IT Director
XConcepts
 
A lot of junk hits your server with the right domain name and wrong user name. Spammers use that method to launch reverse NDR attacks.

I just checked my graphing and at 7:30 AM we were blocking an average of 423 messages per hour which were either being sent to the right domain with the wrong user name or from an IP address listed with SBL or Spamhaus. We have both types set to be blocked at the SMTP level so they never hit Exchange.

Cheers.
 
Has anybody else quantified how much junk hits your server with the right domain name and wrong user name?
****************
I collect statistical data on email usage in the firm, per account and in general. The data shows the amount of "bad destination" emails equals 25-30% of all inbound email traffic. In my opinion it is a lot and mailbox filtering definitely pays off.
 
cmeagan656

Not only can you configure it to just drop emails for invalid recipients, you can configure it to strip the delivery receipt and read receipt flags for all emails, which is something Exchange 5.5 can't do.

>> I would like to set up Xwall to do this invalid recipient blocking. What do I need to do to turn it on? Is it on by default?

Storm
 
We have a hardware firewall that we configure to drop attachments that look like the attachments that the virus usually uses (according to the Symantec website). In addition it drops any and all executables and .scr files. We are trying to get users groomed off of zip files (have them transfer files using FTP or some other protocol other than email) so that we can block out zip files also. This kills 90% of the attachments before they get to the server and just leaves the messages to sort through (which take up far less space and internal bandwidth than messages with attachments).
 
CaptainStorm,

Options ->system. Flags tab. Check both boxes under Incoming Mail.

Cheers.
 
>> I would like to set up Xwall to do this invalid recipient blocking. What do I need to do to turn it on? Is it on by default?

Still not clear on how to make it work

Storm
 
Open your xwall admin program, options, spam, verify. Check "verify if receipient ...", click Address List and populate the list with valid email addresses hosted on Exchange (if you add new users in the future you must also add them to this list or else they will not be able to receive outside mail).
Click Ok, OK and that's it.
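
Added example, not part of the thread and not XWall's code: the recipient check the posts describe, written in Python as it would run at the SMTP RCPT TO stage against an imported address list, so unknown aliases get a 551 in-session and the mail server behind the gateway never generates an NDR. The domain, addresses, envelopes and function names are constructed for illustration; matching is case-insensitive by assumption.

```python
from collections import Counter

LOCAL_DOMAINS = {"mydomain.com"}          # constructed: domains we host
ADDRESS_LIST = ["# exported address list (constructed)",
                "Mario@mydomain.com", "storm@mydomain.com", ""]
ENVELOPES = [["<mario@mydomain.com>"],    # constructed RCPT TO arguments
             ["<crazy@mydomain.com>"],
             ["<john@mydomain.com>", "<storm@mydomain.com>"],
             ["<someone@example.org>"]]

def load_address_list(lines):
    """Normalize an exported list: one address per line, '#' for comments."""
    return {l.strip().lower() for l in lines
            if l.strip() and not l.startswith("#") and l.count("@") == 1}

def normalize_rcpt(arg):
    """Pull the mailbox out of a RCPT TO argument such as '<user@domain>'."""
    addr = arg.strip()
    if addr.startswith("<") and ">" in addr:
        addr = addr[1:addr.index(">")]
    return addr.lower()

def check_rcpt(arg, valid):
    """SMTP reply for one envelope recipient. The To: header is never read,
    so mail showing 'undisclosed recipients' is checked the same way."""
    addr = normalize_rcpt(arg)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local:
        return 501, "Syntax error in recipient address"
    if domain not in LOCAL_DOMAINS:
        return 550, "Relaying denied"
    if addr not in valid:
        # Rejected in-session: the sending server owns the failure, and no
        # NDR goes from our side to a (possibly forged) sender address.
        return 551, "User does not exist"
    return 250, "OK"

def handle_envelope(rcpts, valid):
    """Return (accepted mailboxes, per-recipient replies) for one message."""
    replies = [(r, *check_rcpt(r, valid)) for r in rcpts]
    return [normalize_rcpt(r) for r, code, _ in replies if code == 250], replies

def summarize(envelopes, valid):
    """Count reply codes and the share of RCPTs rejected as unknown users."""
    stats = Counter(code for rcpts in envelopes
                    for _, code, _ in handle_envelope(rcpts, valid)[1])
    total = sum(stats.values())
    return stats, (stats[551] / total if total else 0.0)

if __name__ == "__main__":
    stats, share = summarize(ENVELOPES, load_address_list(ADDRESS_LIST))
    print(dict(stats), f"unknown-user share: {share:.0%}")
```

Running `summarize` over real gateway logs gives the "right domain, wrong user" figure asked about in the thread; the list has to be re-exported whenever a mailbox is added, as the posts note.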
 