Spammed NDR

NATCAT

IS-IT--Management
Aug 26, 2003
120
BB
Hi All,
Currently I am receiving a lot of NDR messages for messages not sent from my Exchange server. The spammers are putting email addresses from my domain in the "from" field so that when an email is sent to a user who doesn't exist we get the NDR report, NOT the spammer.
Does anyone have an idea how to stop Exchange from sending users NDRs for messages they didn't send?
 
You are the victim of a Reverse NDR attack that is being executed against another server somewhere on the internet.

If you think about it, you don't really want to block legitimate NDRs (ones that happen when your users send out mail that cannot be delivered - these are useful for your users to have). Unfortunately there is no immediate way to differentiate between a legitimate and a spoofed NDR sent back to your domain.

may start to help.
 
No, I'd rather not block all NDRs, but the users are kicking up a fuss about seeing so many NDRs sent to them for email they never sent out.
Is there perhaps a way to route all NDRs to a postmaster account to allow ONE person to receive all the NDRs and determine if they should be sent to the user or not?

 
We block all NDRs at the gateway inbound from an offsite mail server. If one of your internal users sends to a non-existing recipient, Exchange will generate an NDR and drop it in the user's inbox without going through your SMTP gateway. This NDR is entirely different from ones generated by offsite spoofers using an open relay mail server. It has no Internet header to look at. There are lots of moving parts here, but try blocking them with a filter. Else, get a new anti-spam vendor. Most of the big boys are blocking this type of garbage. Also, setting up SPF records may help some.
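
The distinction drawn in the reply above (NDRs arriving from offsite carry Internet headers, NDRs generated internally do not), sketched as an added example that is not part of the thread or any poster's configuration. The function names, action labels and sample messages are constructed, and holding offsite NDRs for a postmaster mailbox is an assumption taken from the question asked earlier in the thread.

```python
from email import message_from_string

def is_ndr(msg) -> bool:
    """True for a delivery status notification: multipart/report with
    report-type=delivery-status, or a null sender recorded in Return-Path."""
    if msg.get_content_type() == "multipart/report":
        return (msg.get_param("report-type") or "").lower() == "delivery-status"
    return msg.get("Return-Path", "").strip() == "<>"

def classify(raw: str) -> str:
    """Return an action label (hypothetical names) for one raw message."""
    msg = message_from_string(raw)
    if not is_ndr(msg):
        return "deliver"
    # An NDR generated inside the organisation never crossed SMTP,
    # so it has no Received headers to inspect.
    if not msg.get_all("Received"):
        return "deliver-local-ndr"
    # An NDR that came in over SMTP from offsite: hold it for one reviewer
    # instead of dropping it into the user's inbox.
    return "hold-for-postmaster"

# Constructed samples; corp.example and offsite.example are placeholders.
_DSN = (
    "Return-Path: <>\n"
    "From: postmaster@{host}\n"
    "To: alice@corp.example\n"
    "Subject: Undeliverable: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n"
    "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
    "--b1\nContent-Type: message/delivery-status\n\n"
    "Final-Recipient: rfc822; nobody@{host}\nAction: failed\nStatus: 5.1.1\n"
    "--b1--\n"
)
_RECEIVED = (
    "Received: from mx.offsite.example ([192.0.2.10])\n"
    "\tby gateway.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
)
OFFSITE_NDR = _RECEIVED + _DSN.format(host="offsite.example")
INTERNAL_NDR = _DSN.format(host="corp.example")
ORDINARY_MAIL = _RECEIVED + (
    "From: bob@offsite.example\nTo: alice@corp.example\nSubject: hi\n\nhello\n"
)

if __name__ == "__main__":
    for name in ("OFFSITE_NDR", "INTERNAL_NDR", "ORDINARY_MAIL"):
        print(name, "->", classify(globals()[name]))
```

Holding rather than deleting keeps genuine bounces from remote servers recoverable, since they match the same pattern as the spoofed ones.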
 