Can you see this:

This is DHS attacks the past week.  Not shabby:

10/7/2008       240188
10/6/2008       293475
10/5/2008       317575
10/4/2008       344490
10/3/2008       259610
10/2/2008       284496
10/1/2008       272972
9/30/2008       359911

        


Don Andrews wrote:
> Correction, 25825 - the 10k number was for one of the 2 clustered
> devices ... and 150493 from DNSBL, 560213 for Manual block (including
> one that was giving us about 60k/hr until it dropped out)
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 1:18 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> That's a respectable number...
>
> On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews <[EMAIL PROTECTED]>
> wrote:
>
>> It can't detect distributed - the detection is per IP - 30% invalid
>> addresses over a 10 minute period is the threshold - generates an
>> automatic 24 hour block - which is usually sufficient for bots and at
>> times will convince companies with out of date DLs to update them. Have
>> had 10495 connections rejected today due to DHA blocks.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 12:53 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> Ah. How does it detect those, especially if they're distributed?
>>
>> On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]>
>> wrote:
>>     
>>> Sorry, Directory Harvesting Attack
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 12:35 PM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> DHA?
>>>
>>> Kurt
>>>
>>> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]>
>>> wrote:
>>>
>>>> Upgrading to a gateway product that does recipient validation a couple
>>>> of years ago was a huge benefit - and I'm ever so happy that it also
>>>> detects and auto-blocks DHAs and a number of other misbehaviors.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2008 11:45 AM
>>>> To: MS-Exchange Admin Issues
>>>> Subject: Re: Hundreds of NDRs
>>>>
>>>> Oh, yeah, the last two that Don mentions are indeed legitimate sources
>>>> of NDRs that won't happen during the initial SMTP conversation from
>>>> the sender to the recipient. However, the first one (where an NDR is
>>>> generated after receipt for a non-valid recipient) is only legitimate
>>>> when sending to a DL on a gateway that isn't kept up to date.
>>>>
>>>> Kurt
>>>>
>>>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]>
>>>> wrote:
>>>>
>>>>> I can think of a couple of NDR causes that may not be handled during the
>>>>> initial SMTP conversation - in gateway environments;
>>>>>
>>>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>>>
>>>>> 2. over quota (in gateway environment again)
>>>>>
>>>>> 3. delivery delay or failure notifications - if gateway can't connect to
>>>>> backend mail server for some period.
>>>>>
>>>>>
>>>>>
>>>>> In each of these cases, the gateway at the receiving end will accept the
>>>>> message, then it or the backend mail server will generate and send the NDR
>>>>> at a later time.
>>>>> ________________________________
>>>>>
>>>>> From: wjh [mailto:[EMAIL PROTECTED]
>>>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>>>> To: MS-Exchange Admin Issues
>>>>> Subject: Re: Hundreds of NDRs
>>>>>
>>>>>
>>>>>
>>>>> It shouldn't. A legitimate NDR should happen while the sending and
>>>>> receiving SMTP servers talk to each other. Legitimate sending server
>>>>> connects to the receiving server and the receiving server accepts the
>>>>> message or does not. Either way, it is communicating with the sending
>>>>> server directly...just like if you telnet to your smtp server port 25 and it
>>>>> gives you feedback. Backscatter email goes through spam server because it
>>>>> isn't originating from your smtp server. The only legit bounces may come
>>>>> for users who might have pop or imap accounts set up not to send through your
>>>>> smtp server.
>>>>>
>>>>> There are probably others on the list that understand the protocols better
>>>>> than me, so feel free to chime in.
>>>>>
>>>>> Bill
>>>>>
>>>>>
>>>>> [EMAIL PROTECTED] wrote:
>>>>>
>>>>> If this could be done, wouldn't it also block legitimate NDRs?
>>>>>
>>>>>
>>>>>
>>>>> -------------- Original message --------------
>>>>> From: wjh <[EMAIL PROTECTED]>
>>>>>
>>>>>           
>>>>>> These types of NDRs drive me crazy. Here is one option if you have a
>>>>>> pretty typical setup. Typical setup: incoming mail comes in through a
>>>>>> spam gateway device/server, but outgoing mail leaves through your
>>>>>> exchange server. All legit NDRs should be communicating directly with
>>>>>> the sending smtp server. If an NDR hits your spam server, then it would
>>>>>> be backscatter from spam. You could set your spam gateway to block or
>>>>>> quarantine these false NDRs. They do the user no good anyway.
>>>>>>
>>>>>> Bill
>>>>>>
>>>>>> [EMAIL PROTECTED] wrote:
>>>>>>             
>>>>>>> Exchange 2003 SP2. We occasionally have users who get a few NDRs over
>>>>>>> a couple of days from recipients they did not send to because of
>>>>>>> spammers spoofing their e-mail address. At 12:15 I have a user who
>>>>>>> began getting hundreds of NDRs obviously as a result of a spammer
>>>>>>> sending out a bulk email package. These are coming in so fast the user
>>>>>>> is having a hard time keeping up with the deleting. Any way to prevent
>>>>>>> this crap?
>>>>>>> Thanks.
>>>>>>>
>>>>>>>               
>>>>>> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
>>>>>> ~ http://www.sunbeltsoftware.com/Ninja ~


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~             http://www.sunbeltsoftware.com/Ninja                ~
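
The per-IP rule described in the thread above (30% invalid recipients over a 10 minute period triggers an automatic 24 hour block), as an added example that is not code from any poster or gateway product; it also shows why the same harvest spread across many hosts is not caught. The class and function names, the `MIN_RCPTS` sample floor and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 10 * 60          # 10 minute observation window, from the thread
THRESHOLD = 0.30          # 30% invalid recipients, from the thread
BLOCK_FOR = 24 * 60 * 60  # automatic 24 hour block, from the thread
MIN_RCPTS = 10            # assumption: minimum sample before judging an IP


class DhaDetector:
    """Per-IP directory harvest detection over RCPT TO results."""

    def __init__(self):
        self.events = defaultdict(deque)   # ip -> deque of (ts, valid)
        self.blocked_until = {}            # ip -> epoch seconds

    def is_blocked(self, ip, ts):
        return self.blocked_until.get(ip, 0) > ts

    def rcpt(self, ip, ts, valid):
        """Record one RCPT TO outcome; return the verdict for it."""
        if self.is_blocked(ip, ts):
            return "reject-blocked"
        q = self.events[ip]
        q.append((ts, valid))
        while q and q[0][0] <= ts - WINDOW:   # expire old observations
            q.popleft()
        invalid = sum(1 for _, ok in q if not ok)
        if len(q) >= MIN_RCPTS and invalid / len(q) >= THRESHOLD:
            self.blocked_until[ip] = ts + BLOCK_FOR
            q.clear()
            return "reject-blocked"
        return "accept" if valid else "reject-unknown-user"


def replay(log):
    """Feed (ts, ip, valid) tuples through a detector; return it and blocked IPs."""
    det = DhaDetector()
    for ts, ip, valid in log:
        det.rcpt(ip, ts, valid)
    return det, sorted(det.blocked_until)


# Constructed sample data (documentation addresses, not real traffic).
# One host guessing 20 names, 2 of which exist:
single = [(i * 5, "192.0.2.10", i % 10 == 0) for i in range(20)]
# The same 20 guesses spread over 20 hosts, one RCPT each:
spread = [(i * 5, f"198.51.100.{i + 1}", i % 10 == 0) for i in range(20)]
# A legitimate sender with a slightly stale list: 1 invalid in 20:
legit = [(i * 5, "203.0.113.7", i != 3) for i in range(20)]
```

Replaying `single` blocks the one host, while `spread` and `legit` block nothing; catching the spread case needs a counter that is not keyed on source IP, such as invalid recipients per domain or per time slice.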
