Re: Hundreds of NDRs
This is called "backscatter". Google it for more info.

You can *help* prevent this before it happens by publishing SPF/Sender-ID records. Next, you can filter based on missing Message-ID headers that should exist in legitimate NDRs if the original email was from your domain.

On Tue, Oct 7, 2008 at 1:08 PM, <[EMAIL PROTECTED]> wrote:
> Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> Thanks.

-- ME2

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
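The Message-ID filter suggested in the reply above, as an added Python sketch that is not part of the original thread: it looks inside a bounce for the returned original headers and checks whether their Message-ID was stamped by your own outbound server. The domain `mail.example.com`, the function names and the sample bounce are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumption: right-hand side of Message-IDs stamped by our own outbound servers.
OUR_MESSAGE_ID_DOMAINS = {"mail.example.com"}


def is_bounce(msg):
    """True for DSN-style bounces (multipart/report, report-type=delivery-status)."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")


def original_message_id(msg):
    """Message-ID of the returned original, taken from the first
    message/rfc822 or text/rfc822-headers part; None if absent."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                return payload[0].get("Message-ID")
            return None
        if ctype == "text/rfc822-headers":
            headers = email.message_from_string(part.get_content(),
                                                policy=policy.default)
            return headers.get("Message-ID")
    return None


def classify_ndr(raw):
    """Return 'not-a-bounce', 'legitimate' or 'backscatter' for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    mid = original_message_id(msg)
    if not mid:
        return "backscatter"  # nothing ties this bounce to mail we sent
    domain = str(mid).strip().strip("<>").rpartition("@")[2].lower()
    return "legitimate" if domain in OUR_MESSAGE_ID_DOMAINS else "backscatter"


def sample_bounce(original_message_id, part_type="text/rfc822-headers"):
    """Constructed bounce addressed to user@example.com (sample data only)."""
    returned = ["From: user@example.com",
                "To: nobody@remote.example.net",
                "Subject: hello"]
    if original_message_id:
        returned.append(f"Message-ID: {original_message_id}")
    return "\n".join([
        "From: MAILER-DAEMON@remote.example.net",
        "To: user@example.com",
        "Subject: Undeliverable: hello",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "Delivery to nobody@remote.example.net failed.",
        "--b1",
        "Content-Type: message/delivery-status",
        "",
        "Reporting-MTA: dns; remote.example.net",
        "",
        "Final-Recipient: rfc822; nobody@remote.example.net",
        "Action: failed",
        "Status: 5.1.1",
        "",
        "--b1",
        f"Content-Type: {part_type}",
        "",
        *returned,
        "",
        "--b1--",
        "",
    ])


if __name__ == "__main__":
    for mid in ("<20081007.1234@mail.example.com>", "<abc@spammer.invalid>", None):
        print(mid, "->", classify_ndr(sample_bounce(mid)))
```

Quarantine rather than reject on a `backscatter` verdict: a genuine bounce from a remote server that returns no original headers lands in the same bucket.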
Re: Hundreds of NDRs
Can you see this: this is DHS attacks the past week. Not shabby:

10/7/2008 240188
10/6/2008 293475
10/5/2008 317575
10/4/2008 344490
10/3/2008 259610
10/2/2008 284496
10/1/2008 272972
9/30/2008 359911

Don Andrews wrote:
> Correction, 25825 - the 10k number was for one of the 2 clustered devices ... and 150493 from DNSBL, 560213 for Manual block (including one that was giving us about 60k/hr until it dropped out)
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 1:18 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> That's a respectable number...
>
> On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> It can't detect distributed - the detection is per IP - 30% invalid addresses over a 10 minute period is the threshold - generates an automatic 24 hour block - which is usually sufficient for bots and at times will convince companies with out of date DLs to update them. Have had 10495 connections rejected today due to DHA blocks.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 12:53 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> Ah. How does it detect those, especially if they're distributed?
>>
>> On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> Sorry, Directory Harvesting Attack
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 12:35 PM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> DHA?
>>>
>>> Kurt
>>>
>>> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>>> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>>>>
>>>> -----Original Message-----
>>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2008 11:45 AM
>>>> To: MS-Exchange Admin Issues
>>>> Subject: Re: Hundreds of NDRs
>>>>
>>>> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>>>>
>>>> Kurt
>>>>
>>>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>>>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>>>>
>>>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>>>
>>>>> 2. over quota (in gateway environment again)
>>>>>
>>>>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>>>>
>>>>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
RE: Hundreds of NDRs
Correction, 25825 - the 10k number was for one of the 2 clustered devices ... and 150493 from DNSBL, 560213 for Manual block (including one that was giving us about 60k/hr until it dropped out)

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:18 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

That's a respectable number...

On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> It can't detect distributed - the detection is per IP - 30% invalid addresses over a 10 minute period is the threshold - generates an automatic 24 hour block - which is usually sufficient for bots and at times will convince companies with out of date DLs to update them. Have had 10495 connections rejected today due to DHA blocks.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 12:53 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> Ah. How does it detect those, especially if they're distributed?
>
> On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> Sorry, Directory Harvesting Attack
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 12:35 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> DHA?
>>
>> Kurt
>>
>> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 11:45 AM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>>>
>>> Kurt
>>>
>>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>>>
>>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>>
>>>> 2. over quota (in gateway environment again)
>>>>
>>>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>>>
>>>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>>>
>>>> From: wjh [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>>> To: MS-Exchange Admin Issues
>>>> Subject: Re: Hundreds of NDRs
>>>>
>>>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>>>
>>>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>>>
>>>> B
Re: Hundreds of NDRs
That's a respectable number...

On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> It can't detect distributed - the detection is per IP - 30% invalid addresses over a 10 minute period is the threshold - generates an automatic 24 hour block - which is usually sufficient for bots and at times will convince companies with out of date DLs to update them. Have had 10495 connections rejected today due to DHA blocks.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 12:53 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> Ah. How does it detect those, especially if they're distributed?
>
> On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> Sorry, Directory Harvesting Attack
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 12:35 PM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> DHA?
>>
>> Kurt
>>
>> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 11:45 AM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>>>
>>> Kurt
>>>
>>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>>>
>>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>>
>>>> 2. over quota (in gateway environment again)
>>>>
>>>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>>>
>>>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>>>
>>>> From: wjh [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>>> To: MS-Exchange Admin Issues
>>>> Subject: Re: Hundreds of NDRs
>>>>
>>>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>>>
>>>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>>>
>>>> Bill
>>>>
>>>> [EMAIL PROTECTED] wrote:
>>>>
>>>> If this could be done, wouldn't it also block legitimate NDRs?
>>>>
>>>> -- Original message --
>>>> From: wjh <[EMAIL PROTECTED]>
RE: Hundreds of NDRs
It can't detect distributed - the detection is per IP - 30% invalid addresses over a 10 minute period is the threshold - generates an automatic 24 hour block - which is usually sufficient for bots and at times will convince companies with out of date DLs to update them. Have had 10495 connections rejected today due to DHA blocks.

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 12:53 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

Ah. How does it detect those, especially if they're distributed?

On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> Sorry, Directory Harvesting Attack
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 12:35 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> DHA?
>
> Kurt
>
> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 11:45 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>>
>> Kurt
>>
>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>>
>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>
>>> 2. over quota (in gateway environment again)
>>>
>>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>>
>>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>>
>>> From: wjh [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>>
>>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>>
>>> Bill
>>>
>>> [EMAIL PROTECTED] wrote:
>>>
>>> If this could be done, wouldn't it also block legitimate NDRs?
>>>
>>> -- Original message --
>>> From: wjh <[EMAIL PROTECTED]>
>>>
>>>> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user n
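The per-IP rule described in the message above (30% invalid addresses over a 10 minute period, then an automatic 24 hour block), as an added Python sketch that is not the gateway product's code; it also replays a distributed run to show why per-IP counting misses it. The minimum attempt count, the reply strings, the addresses and the IPs are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60        # from the thread: 10 minute period
INVALID_RATIO = 0.30            # from the thread: 30% invalid addresses
BLOCK_SECONDS = 24 * 60 * 60    # from the thread: automatic 24 hour block
MIN_ATTEMPTS = 10               # assumption: the thread gives no minimum sample size

# Constructed directory of valid recipients.
VALID = {"alice@example.com", "bob@example.com", "carol@example.com"}


class DhaDetector:
    """Per-IP sliding-window counter of invalid RCPT TO attempts."""

    def __init__(self, valid_recipients):
        self.valid = {r.lower() for r in valid_recipients}
        self.attempts = defaultdict(deque)   # ip -> deque of (timestamp, was_invalid)
        self.blocked_until = {}              # ip -> epoch seconds when the block ends

    def rcpt_to(self, ip, recipient, now):
        """Return the (illustrative) SMTP reply for one RCPT TO from `ip`."""
        if self.blocked_until.get(ip, 0) > now:
            return "554 blocked"
        invalid = recipient.lower() not in self.valid
        window = self.attempts[ip]
        window.append((now, invalid))
        # Drop attempts that have aged out of the 10 minute window.
        while window and window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()
        bad = sum(1 for _, was_invalid in window if was_invalid)
        if len(window) >= MIN_ATTEMPTS and bad / len(window) >= INVALID_RATIO:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
        return "550 5.1.1 user unknown" if invalid else "250 ok"


def single_source_harvest():
    """Constructed events: one IP guesses 20 names in 20 seconds; only alice exists."""
    names = ["alice"] + [f"guess{i}" for i in range(19)]
    return [(1000 + i, "192.0.2.10", f"{n}@example.com") for i, n in enumerate(names)]


def distributed_harvest():
    """Constructed events: 20 IPs make 2 guesses each, 40 invalid recipients in total."""
    return [(1000 + i, f"198.51.100.{i // 2 + 1}", f"guess{i}@example.com")
            for i in range(40)]


def run(events):
    """Replay (timestamp, ip, recipient) events; return (replies, detector)."""
    det = DhaDetector(VALID)
    replies = [det.rcpt_to(ip, rcpt, ts) for ts, ip, rcpt in events]
    return replies, det


def blocked_ips(events, now):
    """IPs still blocked at time `now` after replaying `events`."""
    _, det = run(events)
    return sorted(ip for ip, until in det.blocked_until.items() if until > now)


if __name__ == "__main__":
    print("single source:", blocked_ips(single_source_harvest(), 1020))
    print("distributed:  ", blocked_ips(distributed_harvest(), 1040))
```

In the distributed replay every recipient is invalid, yet no single IP reaches the per-IP threshold, so spotting it needs a second counter keyed on the recipient domain or on total invalid recipients across all sources.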
Re: Hundreds of NDRs
Ah. How does it detect those, especially if they're distributed?

On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> Sorry, Directory Harvesting Attack
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 12:35 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> DHA?
>
> Kurt
>
> On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 11:45 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>>
>> Kurt
>>
>> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>>
>>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>>
>>> 2. over quota (in gateway environment again)
>>>
>>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>>
>>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>>
>>> From: wjh [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2008 11:04 AM
>>> To: MS-Exchange Admin Issues
>>> Subject: Re: Hundreds of NDRs
>>>
>>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>>
>>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>>
>>> Bill
>>>
>>> [EMAIL PROTECTED] wrote:
>>>
>>> If this could be done, wouldn't it also block legitimate NDRs?
>>>
>>> -- Original message --
>>> From: wjh <[EMAIL PROTECTED]>
>>>
>>>> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>>>>
>>>> Bill
>>>>
>>>> [EMAIL PROTECTED] wrote:
>>>> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out
RE: Hundreds of NDRs
Sorry, Directory Harvesting Attack

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 12:35 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

DHA?

Kurt

On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 11:45 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>
> Kurt
>
> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>
>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>
>> 2. over quota (in gateway environment again)
>>
>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>
>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>
>> From: wjh [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 11:04 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>
>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>
>> Bill
>>
>> [EMAIL PROTECTED] wrote:
>>
>> If this could be done, wouldn't it also block legitimate NDRs?
>>
>> -- Original message --
>> From: wjh <[EMAIL PROTECTED]>
>>
>>> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>>>
>>> Bill
>>>
>>> [EMAIL PROTECTED] wrote:
>>> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
>>> > Thanks.
Re: Hundreds of NDRs
DHA?

Kurt

On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews <[EMAIL PROTECTED]> wrote:
> Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 11:45 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.
>
> Kurt
>
> On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
>> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>>
>> 1. invalid recipient (if recipient validation is not handled by the gateway)
>>
>> 2. over quota (in gateway environment again)
>>
>> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>>
>> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>>
>> From: wjh [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2008 11:04 AM
>> To: MS-Exchange Admin Issues
>> Subject: Re: Hundreds of NDRs
>>
>> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>>
>> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>>
>> Bill
>>
>> [EMAIL PROTECTED] wrote:
>>
>> If this could be done, wouldn't it also block legitimate NDRs?
>>
>> -- Original message --
>> From: wjh <[EMAIL PROTECTED]>
>>
>>> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>>>
>>> Bill
>>>
>>> [EMAIL PROTECTED] wrote:
>>> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
>>> > Thanks.
RE: Hundreds of NDRs
Upgrading to a gateway product that does recipient validation a couple of years ago was a huge benefit - and I'm ever so happy that it also detects and auto-blocks DHA's and a number of other mis-behaviors.

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 11:45 AM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.

Kurt

On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;
>
> 1. invalid recipient (if recipient validation is not handled by the gateway)
>
> 2. over quota (in gateway environment again)
>
> 3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.
>
> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>
> From: wjh [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 11:04 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>
> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>
> Bill
>
> [EMAIL PROTECTED] wrote:
>
> If this could be done, wouldn't it also block legitimate NDRs?
>
> -- Original message --
> From: wjh <[EMAIL PROTECTED]>
>
>> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>>
>> Bill
>>
>> [EMAIL PROTECTED] wrote:
>> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
>> > Thanks.
Re: Hundreds of NDRs
Oh, yeah, the last two that Don mentions are indeed legitimate sources of NDRs that won't happen during the initial SMTP conversation from the sender to the recipient. However, the first one (where an NDR is generated after receipt for a non-valid recipient) is only legitimate when sending to a DL on a gateway that isn't kept up to date.

Kurt

On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews <[EMAIL PROTECTED]> wrote:
> I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation – in gateway environments;
>
> 1. invalid recipient (if recipient validation is not handled by the gateway)
> 2. over quota (in gateway environment again)
> 3. delivery delay or failure notifications – if gateway can't connect to backend mail server for some period.
>
> In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.
>
> From: wjh [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 07, 2008 11:04 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Hundreds of NDRs
>
> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>
> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>
> Bill
>
> [EMAIL PROTECTED] wrote:
> > If this could be done, wouldn't it also block legitimate NDRs?
> >
> > -- Original message --
> > From: wjh <[EMAIL PROTECTED]>
> >> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
> >>
> >> Bill
> >>
> >> [EMAIL PROTECTED] wrote:
> >> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> >> > Thanks.
Re: Hundreds of NDRs
Unfortunately, too many mail servers are configured to accept all mail, regardless of whether or not the recipient exists. Only then do they check for a recipient, and puke out an NDR.

There are a *LOT* of misconfigured mail servers in the world. Blocking NDRs won't work.

Kurt

On Tue, Oct 7, 2008 at 11:03 AM, wjh <[EMAIL PROTECTED]> wrote:
> It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.
>
> There are probably others on the list that understand the protocols better than me, so feel free to chime in.
>
> Bill
>
> [EMAIL PROTECTED] wrote:
> > If this could be done, wouldn't it also block legitimate NDRs?
> >
> > -- Original message --
> > From: wjh <[EMAIL PROTECTED]>
> >> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
> >>
> >> Bill
> >>
> >> [EMAIL PROTECTED] wrote:
> >> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> >> > Thanks.
RE: Hundreds of NDRs
I can think of a couple of NDR causes that may not be handled during the initial SMTP conversation - in gateway environments;

1. invalid recipient (if recipient validation is not handled by the gateway)
2. over quota (in gateway environment again)
3. delivery delay or failure notifications - if gateway can't connect to backend mail server for some period.

In each of these cases, the gateway at the receiving end will accept the message, then it or the backend mail server will generate and send the NDR at a later time.

From: wjh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 11:04 AM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.

There are probably others on the list that understand the protocols better than me, so feel free to chime in.

Bill

[EMAIL PROTECTED] wrote:

If this could be done, wouldn't it also block legitimate NDRs?

-- Original message --
From: wjh <[EMAIL PROTECTED]>
> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>
> Bill
>
> [EMAIL PROTECTED] wrote:
> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> > Thanks.
RE: Hundreds of NDRs
> All legit NDRs should be communicating directly with
> the sending smtp server.

That is not right. NDRs that are generated by the recipient servers or any other server en-route, use the same path to deliver the NDR to your mail system as any other mail. Conversely, if that was true, then spammers could send directly to your Exchange server and bypass your gateway filtering.

And the problem with blocking NDRs that hit the gateway filtering is distinguishing the good from the bad. If the NDR contains the original spam message in its content, then spam filtering might take it out.

Carl

-----Original Message-----
From: wjh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:17 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.

Bill

[EMAIL PROTECTED] wrote:
> Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> Thanks.
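An added example, not part of any poster's message: one way a gateway can tell the good NDRs from the bad is to check whether a bounce quotes a Message-ID that your own outbound servers actually issued. `SENT_IDS`, the `example.com` hosts and all sample messages are constructed; it assumes the gateway sees the envelope sender and has a list of recently sent Message-IDs.

```python
import email
import re
from email.utils import parseaddr

# Constructed data: Message-IDs our outbound servers really issued (assumed to
# be exported from outbound message-tracking logs).
SENT_IDS = {"<20081007.1201.ab12@mail.example.com>"}
DAEMON_LOCALPARTS = {"mailer-daemon", "postmaster"}
MSGID_LINE = re.compile(r"^\s*Message-ID:\s*(<[^<>\s]+>)", re.I | re.M)


def looks_like_bounce(msg, envelope_sender):
    """Null envelope sender, DSN content type or daemon address; the From
    display name ("System Administrator", ...) varies too much to rely on."""
    if envelope_sender.strip() in ("", "<>"):
        return True
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    local = parseaddr(str(msg.get("From", "")))[1].lower().split("@")[0]
    return local in DAEMON_LOCALPARTS


def quoted_message_ids(msg):
    """Message-IDs of the original mail quoted anywhere inside the bounce."""
    ids = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            inner_id = part.get_payload(0).get("Message-ID")
            if inner_id:
                ids.add(str(inner_id).strip())
        elif ctype in ("text/plain", "text/rfc822-headers") and not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            ids.update(MSGID_LINE.findall(body.decode("latin-1")))
    return ids


def classify(raw, envelope_sender):
    """Return 'not-a-bounce', 'legit-ndr', 'backscatter' or 'unverifiable'."""
    msg = email.message_from_bytes(raw)
    if not looks_like_bounce(msg, envelope_sender):
        return "not-a-bounce"
    ids = quoted_message_ids(msg)
    if ids & SENT_IDS:
        return "legit-ndr"      # quotes mail we really sent: deliver
    if ids:
        return "backscatter"    # quotes mail we never sent: block or quarantine
    return "unverifiable"       # quotes nothing: hold for manual review


def make_dsn(quoted_type, original):
    """Build a constructed multipart/report bounce that quotes `original`."""
    return ("From: MAILER-DAEMON@mx.remote.example\n"
            "Content-Type: multipart/report; report-type=delivery-status; boundary=b1\n\n"
            "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--b1\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns; mx.remote.example\n\nAction: failed\nStatus: 5.1.1\n"
            f"--b1\nContent-Type: {quoted_type}\n\n{original}\n--b1--\n").encode()


# Constructed samples: a real NDR, backscatter from spoofed spam, a bare bounce.
LEGIT = make_dsn("text/rfc822-headers",
                 "Message-ID: <20081007.1201.ab12@mail.example.com>\nFrom: alice@example.com")
SCATTER = make_dsn("message/rfc822",
                   "Message-ID: <f00d@bulk.invalid>\nFrom: alice@example.com\n\nBuy now")
PLAIN = (b"From: System Administrator <postmaster@mx.remote.example>\n"
         b"Subject: Undeliverable\n\nNo such user.")
NORMAL = b"From: carol@partner.example\nSubject: lunch\n\nSee you at noon."

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("SCATTER", SCATTER), ("PLAIN", PLAIN)]:
        print(name, classify(raw, "<>"))
    print("NORMAL", classify(NORMAL, "carol@partner.example"))
```

Bounces that quote nothing stay "unverifiable" rather than being dropped, which matches the hold-for-review folder approach: some legitimate NDRs omit the original headers.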
Re: Hundreds of NDRs
It shouldn't. A legitimate NDR should happen while the sending and receiving SMTP servers talk to each other. Legitimate sending server connects to the receiving server and the receiving server accepts the message or does not. Either way, it is communicating with the sending server directly...just like if you telnet to your smtp server port 25 and it gives you feedback. Backscatter email goes through spam server because it isn't originating from your smtp server. The only legit bounces may come for users who might have pop or imap accounts set up not to send through your smtp server.

There are probably others on the list that understand the protocols better than me, so feel free to chime in.

Bill

[EMAIL PROTECTED] wrote:
> If this could be done, wouldn't it also block legitimate NDRs?
>
> -- Original message --
> From: wjh <[EMAIL PROTECTED]>
>
> > These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
> >
> > Bill
> >
> > [EMAIL PROTECTED] wrote:
> > > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> > > Thanks.
Re: Hundreds of NDRs
On Tue, Oct 7, 2008 at 10:08 AM, <[EMAIL PROTECTED]> wrote:
> Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> Thanks.

Disconnecting your server from the Internet is the only sure way.

If you use a Sender Authentication scheme (reply to this email before I let your email through kinda thing), it will help, but that "cure" is worse than the disease.

Eventually, DKIM and other technologies will help, but they are a long ways off.

Kurt
Re: Hundreds of NDRs
If this could be done, wouldn't it also block legitimate NDRs?

-- Original message --
From: wjh <[EMAIL PROTECTED]>
> These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.
>
> Bill
>
> [EMAIL PROTECTED] wrote:
> > Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
> > Thanks.
Re: Hundreds of NDRs
From is originating from System Administrator, Mailer Daemon, verification programs etc so setting up a rule would be a turkey shoot. Thanks for your response.

-- Original message --
From: Durf <[EMAIL PROTECTED]>

3. Establish SPF records (OK, it doesn't do a lot)
4. Change everyone's SMTP address (the only way to be sure).

-- Durf

On Tue, Oct 7, 2008 at 1:15 PM, Brumbaugh, Luke <[EMAIL PROTECTED]> wrote:

Rule to send to delete folder or permanently delete.
This would calm the user.

Any way to prevent?
1. Kill spammer.
2. Keep user off sites that collect email addresses.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:08 PM
To: MS-Exchange Admin Issues
Subject: Hundreds of NDRs

Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
Thanks.

CONFIDENTIALITY NOTICE: The information transmitted in this message is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy all copies of this document. Thank you.
Butler Animal Health Supply

--
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!
Re: Hundreds of NDRs
3. Establish SPF records (OK, it doesn't do a lot)
4. Change everyone's SMTP address (the only way to be sure).

-- Durf

On Tue, Oct 7, 2008 at 1:15 PM, Brumbaugh, Luke <[EMAIL PROTECTED]> wrote:
> Rule to send to delete folder or permanently delete.
> This would calm the user.
>
> Any way to prevent?
> 1. Kill spammer.
> 2. Keep user off sites that collect email addresses.
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, October 07, 2008 1:08 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Hundreds of NDRs
>
> Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
>
> Thanks.

--
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!
Re: Hundreds of NDRs
These types of NDRs drive me crazy. Here is one option if you have a pretty typical setup. Typical setup: incoming mail comes in through a spam gateway device/server, but outgoing mail leaves through your exchange server. All legit NDRs should be communicating directly with the sending smtp server. If an NDR hits your spam server, then it would be backscatter from spam. You could set your spam gateway to block or quarantine these false NDRs. They do the user no good anyway.

Bill

[EMAIL PROTECTED] wrote:

Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
Thanks.
RE: Hundreds of NDRs
Rule to send to delete folder or permanently delete.
This would calm the user.

Any way to prevent?
1. Kill spammer.
2. Keep user off sites that collect email addresses.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:08 PM
To: MS-Exchange Admin Issues
Subject: Hundreds of NDRs

Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
Thanks.
RE: Hundreds of NDRs
I am having that happen with me right now. I have gotten over 1300 today. I have just set up a rule to move them to a subfolder so I can go through them later just in case one of my rule terms catches a legit message.

Craig M. Sauvigne
System Administrator
Winthrop University
Rock Hill, SC 29733
[EMAIL PROTECTED]
SC143

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 1:08 PM
To: MS-Exchange Admin Issues
Subject: Hundreds of NDRs

Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple of days from recipients they did not send to because of spammers spoofing their email address. At 12:15 I have a user who began getting hundreds of NDRs obviously as a result of a spammer sending out a bulk email package. These are coming in so fast the user is having a hard time keeping up with the deleting. Any way to prevent this crap?
Thanks.