Correction, 25825 - the 10k number was for one of the 2 clustered devices ... and 150493 from DNSBL, 560213 for Manual block (including one that was giving us about 60k/hr until it dropped out)
-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:18 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

That's a respectable number...

On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> It can't detect distributed - the detection is per IP - 30% invalid
> addresses over a 10 minute period is the threshold - generates an
> automatic 24 hour block - which is usually sufficient for bots and at
> times will convince companies with out of date DLs to update them. Have
> had 10495 connections rejected today due to DHA blocks.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 12:53 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> Ah. How does it detect those, especially if they're distributed?
>
> On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> Sorry, Directory Harvesting Attack
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 12:35 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> DHA?
>>
>> Kurt
>>
>> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> Upgrading to a gateway product that does recipient validation a couple
>>> of years ago was a huge benefit - and I'm ever so happy that it also
>>> detects and auto-blocks DHA's and a number of other mis-behaviors.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 11:45 AM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> Oh, yeah, the last two that Don mentions are indeed legitimate sources
>>> of NDRs that won't happen during the initial SMTP conversation from
>>> the sender to the recipient.
>>> However, the first one (where an NDR is
>>> generated after receipt for a non-valid recipient) is only legitimate
>>> when sending to a DL on a gateway that isn't kept up to date.
>>>
>>> Kurt
>>>
>>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>>> I can think of a couple of NDR causes that may not be handled during the
>>>> initial SMTP conversation - in gateway environments;
>>>>
>>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>>
>>>> 2. over quota (in gateway environment again)
>>>>
>>>> 3. delivery delay or failure notifications - if gateway can't connect to
>>>> backend mail server for some period.
>>>>
>>>> In each of these cases, the gateway at the receiving end will accept the
>>>> message, then it or the backend mail server will generate and send the NDR
>>>> at a later time.
>>>>
>>>> ________________________________
>>>>
>>>> From: wjh [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>>> To: MS-Exchange Admin Issues
>>>> Subject: Re: Hundreds of NDRs
>>>>
>>>> It shouldn't. A legitimate NDR should happen while the sending and
>>>> receiving SMTP servers talk to each other. Legitimate sending server
>>>> connects to the receiving server and the receiving server accepts the
>>>> message or does not. Either way, it is communicating with the sending
>>>> server directly...just like if you telnet to your smtp server port 25 and it
>>>> gives you feedback. Backscatter email goes through spam server because it
>>>> isn't originating from your smtp server. The only legit bounces may come
>>>> for users who might have pop or imap accounts setup not to send through your
>>>> smtp server.
>>>>
>>>> There are probably others on the list that understand the protocols better
>>>> than me, so feel free to chime in.
>>>>
>>>> Bill
>>>>
>>>> [EMAIL PROTECTED] wrote:
>>>>
>>>> If this could be done, wouldn't it also block legitimate NDRs?
>>>>
>>>> -------------- Original message --------------
>>>> From: wjh <[EMAIL PROTECTED]>
>>>>
>>>>> These types of NDRs drive me crazy. Here is one option if you have a
>>>>> pretty typical setup. Typical setup: incoming mail comes in through a
>>>>> spam gateway device/server, but outgoing mail leaves through your
>>>>> exchange server. All legit NDRs should be communicating directly with
>>>>> the sending smtp server. If an NDR hits your spam server, then it would
>>>>> be backscatter from spam. You could set your spam gateway to block or
>>>>> quarantine these false NDRs. They do the user no good anyway.
>>>>>
>>>>> Bill
>>>>>
>>>>> [EMAIL PROTECTED] wrote:
>>>>> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over
>>>>> > a couple of days from recipients they did not send to because of
>>>>> > spammers spoofing their email address. At 12:15 I have a user who
>>>>> > began getting hundreds of NDRs obviously as a result of a spammer
>>>>> > sending out a bulk email package. These are coming in so fast the user
>>>>> > is having a hard time keeping up with the deleting. Any way to prevent
>>>>> > this crap?
>>>>> > Thanks.

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
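
The per-IP rule described in the thread (30% invalid recipients over a 10-minute period triggers an automatic 24-hour block) can be sketched as below. This is an added example, not part of the original messages and not the gateway product's code; the `MIN_RCPTS` floor, the verdict strings, and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10 * 60            # 10-minute window (from the thread)
THRESHOLD = 0.30            # 30% invalid recipients (from the thread)
BLOCK_SECONDS = 24 * 3600   # automatic 24-hour block (from the thread)
MIN_RCPTS = 10              # assumption: sample size needed before the ratio counts

class DhaDetector:
    def __init__(self):
        self.events = defaultdict(deque)  # ip -> (timestamp, recipient_valid)
        self.blocked_until = {}           # ip -> time the block expires

    def rcpt(self, ts, ip, valid):
        """Record one RCPT TO result for a connecting IP and return the verdict."""
        if self.blocked_until.get(ip, 0) > ts:
            return "reject-blocked"
        q = self.events[ip]
        q.append((ts, valid))
        while q[0][0] <= ts - WINDOW:     # drop results older than the window
            q.popleft()
        invalid = sum(1 for _, ok in q if not ok)
        if len(q) >= MIN_RCPTS and invalid / len(q) >= THRESHOLD:
            self.blocked_until[ip] = ts + BLOCK_SECONDS
            q.clear()
            return "reject-blocked"
        return "accept" if valid else "reject-unknown-user"

def sample_events():
    """Constructed (timestamp, ip, recipient_valid) tuples, not real log data."""
    ev = [(i * 5, "192.0.2.10", i % 4 == 0) for i in range(20)]  # one noisy source
    ev += [(200 + n, f"198.51.100.{n}", False)                   # 50 sources,
           for n in range(1, 51) for _ in range(4)]              # 4 guesses each
    ev += [(400 + i, "203.0.113.5", True) for i in range(30)]    # clean sender
    return sorted(ev)

def replay(events):
    det = DhaDetector()
    verdicts = [det.rcpt(ts, ip, valid) for ts, ip, valid in events]
    return det, verdicts

if __name__ == "__main__":
    det, verdicts = replay(sample_events())
    print("blocked:", det.blocked_until)
    print("unknown-user rejects that never tripped a block:",
          verdicts.count("reject-unknown-user"))
```

Only the single noisy source is blocked; the 50 low-volume sources each stay under the per-IP sample floor, which is the "can't detect distributed" limitation noted in the thread.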