RE: Hundreds of NDRs

2008-10-07 Thread Sauvigne, Craig M
I am having that happen with me right now. I have gotten over 1300
today. I have just set up a rule to move them to a subfolder so I can go
through them later just in case one of my rule terms catches a legit
message.

 



Craig M. Sauvigne

System Administrator

Winthrop University

Rock Hill, SC 29733

[EMAIL PROTECTED]

SC143

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2008 1:08 PM
To: MS-Exchange Admin Issues
Subject: Hundreds of NDRs

 

Exchange 2003 SP2. We occasionally have users who get a few NDRs over a
couple of days from recipients they did not send to because of spammers
spoofing their email address. At 12:15 I have a user who began getting
hundreds of NDRs obviously as a result of a spammer sending out a bulk
email package. These are coming in so fast the user is having a hard
time keeping up with the deleting. Any way to prevent this crap?

Thanks.

 

 


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: Hundreds of NDRs

2008-10-07 Thread Brumbaugh, Luke
Rule to send to delete folder or permanently delete.

This would calm the user.

 

Any way to prevent?

1.   Kill spammer.

2.   Keep user off sites that collect email addresses.

 

 

 


Re: Hundreds of NDRs

2008-10-07 Thread wjh
These types of NDRs drive me crazy.  Here is one option if you have a 
pretty typical setup.  Typical setup: incoming mail comes in through a 
spam gateway device/server, but outgoing mail leaves through your 
exchange server.  All legit NDRs should be communicating directly with 
the sending smtp server.  If an NDR hits your spam server, then it would 
be backscatter from spam.  You could set your spam gateway to block or 
quarantine these false NDRs.  They do the user no good anyway.


Bill



Re: Hundreds of NDRs

2008-10-07 Thread Durf
3. Establish SPF records (OK, it doesn't do a lot)
4. Change everyone's SMTP address (the only way to be sure).

-- Durf

On Tue, Oct 7, 2008 at 1:15 PM, Brumbaugh, Luke [EMAIL PROTECTED] wrote:

 Rule to send to delete folder or permanently delete.

 This would calm the user.

 Any way to prevent?

 1.   Kill spammer.

 2.   Keep user off sites that collect email addresses.















-- 
--
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!


RE: Good mail going to Junk folder

2008-10-07 Thread Sam Cayze
That is an awesome setting.  I created a GPO for that a while back,
helped things out a LOT. 

-Original Message-
From: Troy Meyer [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 06, 2008 3:13 PM
To: MS-Exchange Admin Issues
Subject: RE: Good mail going to Junk folder

My favorite outlook setting:

Actions menu - junk email - junk email settings.  On the safe senders
tab automatically add people I email to the safe senders list.


Ok it isn't my favorite, but close.

-troy

-Original Message-
From: Paul Everett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2008 12:22 PM
To: MS-Exchange Admin Issues
Subject: Good mail going to Junk folder

All of a sudden one of my users (CEO of course) started getting mail in
his Junk folder, and it's all legit stuff.  These are emails from people
he emails all the time.

We have Exchange 2003 and Outlook 2003.  As far as he knows he didn't
make any changes.  I double checked and his junk setting is set to
low, where it has always been, and he doesn't have any mysterious new
rules sending mail to the Junk folder nor are these senders blocked
in the junk properties.



Any ideas what might be going on?

Paul Everett


Lee Mental Health Center, Inc. providing services through Ruth Cooper
Center for Behavioral Health Care and VISTA Behavioral Crisis Services.
Visit our website at www.leementalhealth.org to learn more.



Re: Hundreds of NDRs

2008-10-07 Thread Chipshead
From is originating from System Administrator, Mailer Daemon, verification 
programs etc so setting up a rule would be a turkey shoot. Thanks for your 
response.


Re: Hundreds of NDRs

2008-10-07 Thread Chipshead
If this could be done, wouldn't it also block legitimate NDRs?


Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
On Tue, Oct 7, 2008 at 10:08 AM,  [EMAIL PROTECTED] wrote:
 Exchange 2003 SP2. We occasionally have users who get a few NDRs over a
 couple of days from recipients they did not send to because of spammers
 spoofing their email address. At 12:15 I have a user who began getting
 hundreds of NDRs obviously as a result of a spammer sending out a bulk email
 package. These are coming in so fast the user is having a hard time keeping
 up with the deleting. Any way to prevent this crap?
 Thanks.

Disconnecting your server from the Internet is the only sure way.

If you use a Sender Authentication scheme (reply to this email before
I let your email through kinda thing), it will help, but that cure
is worse than the disease.

Eventually, DKIM and other technologies will help, but they are a long ways off.

Kurt



Hundreds of NDRs

2008-10-07 Thread Chipshead
Exchange 2003 SP2. We occasionally have users who get a few NDRs over a couple 
of days from recipients they did not send to because of spammers spoofing their 
email address. At 12:15 I have a user who began getting hundreds of NDRs 
obviously as a result of a spammer sending out a bulk email package. These are 
coming in so fast the user is having a hard time keeping up with the deleting. 
Any way to prevent this crap?
Thanks.

Re: Hundreds of NDRs

2008-10-07 Thread wjh
It shouldn't.  A legitimate NDR should happen while the sending and 
receiving SMTP servers talk to each other.  Legitimate sending server 
connects to the receiving server and the receiving server accepts the 
message or does not.  Either way, it is communicating with the sending 
server directly...just like if you telnet to your smtp server port 25 
and it gives you feedback.  Backscatter email goes through spam server 
because it isn't originating from your smtp server.  The only legit 
bounces may come for users who might have pop or imap accounts set up not 
to send through your smtp server.

There are probably others on the list that understand the protocols 
better than me, so feel free to chime in.

Bill



RE: Hundreds of NDRs

2008-10-07 Thread Carl Houseman
 All legit NDRs should be communicating directly with 
 the sending smtp server.

That is not right.  NDRs that are generated by the recipient servers or any
other server en-route, use the same path to deliver the NDR to your mail
system as any other mail.

Conversely, if that was true, then spammers could send directly to your
Exchange server and bypass your gateway filtering.

And the problem with blocking NDRs that hit the gateway filtering is
distinguishing the good from the bad.  If the NDR contains the original spam
message in its content, then spam filtering might take it out.

Carl
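
One way to approach the good-versus-bad distinction raised above, as an added example that is not part of the original thread: parse each inbound NDR and check whether the Message-ID of the bounced mail is one your own server actually sent. The `SENT_IDS` set, the addresses and the sample messages are constructed, and the Return-Path test assumes the gateway records the envelope sender in that header.

```python
"""Classify inbound NDRs: legitimate bounce, backscatter, or unverifiable.

Added example. Matching the bounced message's Message-ID against IDs this
site really sent is an assumed approach, not a feature of any gateway.
"""
import email
import re
from email import policy

MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>\s]+>)", re.I | re.M)


def is_bounce(msg):
    """RFC 3464 DSN, or any message carrying the null envelope sender."""
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    # Assumption: the gateway writes the envelope sender into Return-Path.
    return is_dsn or str(msg.get("Return-Path", "")).strip() == "<>"


def original_message_id(msg):
    """Message-ID of the mail being bounced, or None if the NDR omits it."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            inner = part.get_payload(0)          # full original attached
            if inner["Message-ID"]:
                return str(inner["Message-ID"]).strip()
        elif ctype in ("text/rfc822-headers", "text/plain"):
            body = part.get_payload(decode=True) or b""
            found = MSGID_RE.search(body.decode("ascii", "replace"))
            if found:
                return found.group(1)
    return None


def classify(raw, sent_ids):
    """Return 'not-ndr', 'legit-ndr', 'backscatter' or 'unverifiable'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-ndr"
    orig_id = original_message_id(msg)
    if orig_id is None:
        return "unverifiable"    # quarantine for review rather than delete
    return "legit-ndr" if orig_id in sent_ids else "backscatter"


def sample_dsn(attachment):
    """Build a constructed RFC 3464-style NDR around a third MIME part."""
    return "\n".join([
        "Return-Path: <>",
        "From: MAILER-DAEMON@mx.remote.example",
        "To: user@example.org",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "Delivery to nobody@remote.example failed: user unknown.",
        "--b1",
        "Content-Type: message/delivery-status",
        "",
        "Reporting-MTA: dns; mx.remote.example",
        "",
        "Final-Recipient: rfc822; nobody@remote.example",
        "Action: failed",
        "Status: 5.1.1",
        "--b1",
        attachment,
        "--b1--",
        "",
    ]).encode("ascii")


# Constructed data: IDs taken from our own outbound SMTP log.
SENT_IDS = {"<20081007120100.A1@mail.example.org>"}

LEGIT_NDR = sample_dsn(
    "Content-Type: text/rfc822-headers\n\n"
    "Message-ID: <20081007120100.A1@mail.example.org>\n"
    "From: user@example.org\nSubject: Q3 figures")
BACKSCATTER_NDR = sample_dsn(
    "Content-Type: message/rfc822\n\n"
    "Message-ID: <spam-7781@bulk.invalid>\n"
    "From: user@example.org\nSubject: cheap meds\n\nbuy now")
PLAIN_BOUNCE = (b"Return-Path: <>\nFrom: System Administrator <postmaster@remote.example>\n"
                b"To: user@example.org\nSubject: Undeliverable: hello\n\n"
                b"Your message did not reach some or all of the intended recipients.\n")
NORMAL_MAIL = (b"Return-Path: <alice@partner.example>\nFrom: alice@partner.example\n"
               b"To: user@example.org\nSubject: lunch\n\nNoon?\n")

if __name__ == "__main__":
    for name in ("LEGIT_NDR", "BACKSCATTER_NDR", "PLAIN_BOUNCE", "NORMAL_MAIL"):
        print(name, "->", classify(globals()[name], SENT_IDS))
```

Bounces that carry no original headers come back as `unverifiable`, which is why the sketch quarantines them instead of deleting.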



RE: Hundreds of NDRs

2008-10-07 Thread Don Andrews
I can think of a couple of NDR causes that may not be handled during the
initial SMTP conversation - in gateway environments;

1. invalid recipient (if recipient validation is not handled by the
gateway)

2. over quota (in gateway environment again)

3. delivery delay or failure notifications - if gateway can't connect to
backend mail server for some period.

 

In each of these cases, the gateway at the receiving end will accept the
message, then it or the backend mail server will generate and send the
NDR at a later time.




Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
Unfortunately, too many mail servers are configured to accept all
mail, regardless of whether or not the recipient exists. Only then do
they check for a recipient, and puke out an NDR. There are a *LOT* of
misconfigured mail servers in the world.

Blocking NDRs won't work.

Kurt



Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
Oh, yeah, the last two that Don mentions are indeed legitimate sources
of NDRs that won't happen during the initial SMTP conversation from
the sender to the recipient. However, the first one (where an NDR is
generated after receipt for a non-valid recipient) is only legitimate
when sending to a DL on a gateway that isn't kept up to date.

Kurt



Commercial for Michael B. Smith's upcoming book

2008-10-07 Thread Webster
Just a plug for M's upcoming book.  It can now be pre-ordered thru Amazon.

 

http://www.amazon.com/Monitoring-Exchange-Server-Operations-Manager/dp/0470148950/ref=sr_1_1?ie=UTF8

 

 

Webster



RE: Hundreds of NDRs

2008-10-07 Thread Don Andrews
Upgrading to a gateway product that does recipient validation a couple
of years ago was a huge benefit - and I'm ever so happy that it also
detects and auto-blocks DHA's and a number of other mis-behaviors.
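
The accept-then-bounce behaviour and the gateway recipient validation with directory harvesting (DHA) blocking discussed in this thread, simulated side by side as an added example (not code from the thread or from any gateway product). The `Gateway` class, the threshold of 5 and every address are constructed for illustration.

```python
"""Simulated gateway RCPT TO handling (added example, not a product's code).

Compares an accept-everything gateway with one that validates recipients
during the SMTP session and blocks clients that keep probing for addresses.
"""
from collections import defaultdict


class Gateway:
    def __init__(self, valid_recipients, validate_at_rcpt, dha_threshold=5):
        self.valid = {addr.lower() for addr in valid_recipients}
        self.validate_at_rcpt = validate_at_rcpt
        self.dha_threshold = dha_threshold      # assumed value, tune per site
        self.unknown_count = defaultdict(int)   # client IP -> unknown RCPTs
        self.blocked = set()                    # client IPs refused outright
        self.ndr_queue = []                     # (ndr_recipient, failed_rcpt)

    def rcpt_to(self, client_ip, mail_from, rcpt):
        """Return the SMTP reply this gateway gives to one RCPT TO."""
        if client_ip in self.blocked:
            return "554 5.7.1 Client blocked"
        if rcpt.lower() in self.valid:
            return "250 2.1.5 OK"
        if not self.validate_at_rcpt:
            # Accepted now; the NDR goes later to whatever MAIL FROM claimed,
            # which is how a forged sender ends up receiving backscatter.
            self.ndr_queue.append((mail_from, rcpt))
            return "250 2.1.5 OK"
        # Rejected in-session: the connecting client gets the error and
        # no NDR is ever generated toward the claimed sender.
        self.unknown_count[client_ip] += 1
        if self.unknown_count[client_ip] >= self.dha_threshold:
            self.blocked.add(client_ip)
        return "550 5.1.1 User unknown"


# Constructed traffic: one client guessing addresses with a forged sender,
# followed by one ordinary message from a different client.
DIRECTORY = {"ceo@example.org", "helpdesk@example.org"}
FORGED_SENDER = "victim@victim.example"
SPAM_RUN = [("192.0.2.25", FORGED_SENDER, f"guess{i}@example.org") for i in range(8)]
SPAM_RUN.append(("192.0.2.25", FORGED_SENDER, "ceo@example.org"))
GOOD_MAIL = ("198.51.100.7", "partner@partner.example", "helpdesk@example.org")


def replay(gateway, session=SPAM_RUN + [GOOD_MAIL]):
    """Feed the constructed session to a gateway and collect its replies."""
    return [gateway.rcpt_to(*attempt) for attempt in session]


if __name__ == "__main__":
    for label, validate in (("accept-all", False), ("validating", True)):
        gw = Gateway(DIRECTORY, validate_at_rcpt=validate)
        replies = replay(gw)
        print(label, [r[:3] for r in replies],
              "NDRs queued:", len(gw.ndr_queue), "blocked:", sorted(gw.blocked))
```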





Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
DHA?

Kurt

On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews [EMAIL PROTECTED] wrote:
 Upgrading to a gateway product that does recipient validation a couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews [EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will accept
 the
 message, then it or the backend mail server will generate and send the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending server
 connects to the receiving server and the receiving server accepts the
 message or does not.  Either way, it is communicating with the sending
 server directly...just like if you telnet to your smtp server port 25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have a
 pretty typical setup. Typical setup: incoming mail comes in through a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
 




RE: Hundreds of NDRs

2008-10-07 Thread Don Andrews
Sorry, Directory Harvesting Attack

-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2008 12:35 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

DHA?

Kurt

On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews [EMAIL PROTECTED]
wrote:
 Upgrading to a gateway product that does recipient validation a couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews [EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will accept
 the
 message, then it or the backend mail server will generate and send
the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending server
 connects to the receiving server and the receiving server accepts the
 message or does not.  Either way, it is communicating with the
sending
 server directly...just like if you telnet to your smtp server port 25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have a
 pretty typical setup. Typical setup: incoming mail comes in through
a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block
or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
 




Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
Ah. How does it detect those, especially if they're distributed?

On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews [EMAIL PROTECTED] wrote:
 Sorry, Directory Harvesting Attack

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:35 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 DHA?

 Kurt

 On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 Upgrading to a gateway product that does recipient validation a couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews [EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will accept
 the
 message, then it or the backend mail server will generate and send
 the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending server
 connects to the receiving server and the receiving server accepts the
 message or does not.  Either way, it is communicating with the
 sending
 server directly...just like if you telnet to your smtp server port 25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have a
 pretty typical setup. Typical setup: incoming mail comes in through
 a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
 with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block
 or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
 




RE: Hundreds of NDRs

2008-10-07 Thread Don Andrews
It can't detect distributed - the detection is per IP - 30% invalid
addresses over a 10 minute period is the threshold - generates an
automatic 24 hour block - which is usually sufficient for bots and at
times will convince companies with out of date DLs to update them.  Have
had 10495 connections rejected today due to DHA blocks.

-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2008 12:53 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

Ah. How does it detect those, especially if they're distributed?

On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews [EMAIL PROTECTED]
wrote:
 Sorry, Directory Harvesting Attack

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:35 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 DHA?

 Kurt

 On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 Upgrading to a gateway product that does recipient validation a
couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate
sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews
[EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't
connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will accept
 the
 message, then it or the backend mail server will generate and send
 the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending
server
 connects to the receiving server and the receiving server accepts
the
 message or does not.  Either way, it is communicating with the
 sending
 server directly...just like if you telnet to your smtp server port
25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have
a
 pretty typical setup. Typical setup: incoming mail comes in through
 a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
 with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block
 or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
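
The per-IP rule Don Andrews gives at the top of this message (30% invalid addresses over a 10 minute period, then an automatic 24 hour block), sketched as an added example; it is not the gateway product's code and not part of the original post. `MIN_RCPTS`, the class and function names, and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10 * 60        # seconds: "over a 10 minute period"
THRESHOLD = 0.30        # "30% invalid addresses"
BLOCK = 24 * 60 * 60    # seconds: "automatic 24 hour block"
MIN_RCPTS = 10          # assumption: sample size needed before the ratio counts


class DhaDetector:
    """Per-IP directory-harvest detector driven by RCPT TO outcomes."""

    def __init__(self):
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, valid)
        self._blocked_until = {}            # ip -> time the block expires
        self.rejected_connections = 0

    def allow_connection(self, ip, now):
        """Call at connect time; False means the connection is refused."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                self.rejected_connections += 1
                return False
            del self._blocked_until[ip]     # block has expired
        return True

    def record_rcpt(self, ip, now, valid):
        """Record one RCPT TO result; return True if it trips a block."""
        events = self._events[ip]
        events.append((now, valid))
        # Drop results that have aged out of the sliding window.
        while events and events[0][0] <= now - WINDOW:
            events.popleft()
        if len(events) < MIN_RCPTS:
            return False
        invalid = sum(1 for _, ok in events if not ok)
        if invalid / len(events) >= THRESHOLD:
            self._blocked_until[ip] = now + BLOCK
            events.clear()
            return True
        return False


def replay(events):
    """Feed (timestamp, ip, recipient_valid) tuples through a detector.

    Simplification: every RCPT is treated as arriving on its own connection.
    Returns the detector and the set of IPs that were blocked.
    """
    det = DhaDetector()
    blocked = set()
    for ts, ip, valid in events:
        if not det.allow_connection(ip, ts):
            continue
        if det.record_rcpt(ip, ts, valid):
            blocked.add(ip)
    return det, blocked


def sample_events():
    """Constructed traffic; all addresses are documentation ranges."""
    events = []
    # One host guessing addresses: 40 RCPTs in 40 seconds, 1 in 4 valid.
    for i in range(40):
        events.append((i, "192.0.2.10", i % 4 == 0))
    # A partner relay with one stale DL member: 50 RCPTs, 1 invalid.
    for i in range(50):
        events.append((i * 5, "198.51.100.7", i != 17))
    # Distributed probing: 30 hosts, 5 invalid RCPTs each. No single IP
    # produces enough samples, so the per-IP rule never fires.
    for host in range(30):
        for i in range(5):
            events.append((100 + i, "203.0.113.%d" % (host + 1), False))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    det, blocked = replay(sample_events())
    print("blocked:", sorted(blocked))
    print("connections rejected:", det.rejected_connections)
```

The relay with a single stale DL member stays well under the ratio, and the 150 distributed probes pass untouched, which is the per-IP limitation stated in the message.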
 



Re: Hundreds of NDRs

2008-10-07 Thread Kurt Buff
That's a respectable number...

On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews [EMAIL PROTECTED] wrote:
 It can't detect distributed - the detection is per IP - 30% invalid
 addresses over a 10 minute period is the threshold - generates an
 automatic 24 hour block - which is usually sufficient for bots and at
 times will convince companies with out of date DLs to update them.  Have
 had 10495 connections rejected today due to DHA blocks.

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:53 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Ah. How does it detect those, especially if they're distributed?

 On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 Sorry, Directory Harvesting Attack

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:35 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 DHA?

 Kurt

 On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 Upgrading to a gateway product that does recipient validation a
 couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate
 sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews
 [EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't
 connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will accept
 the
 message, then it or the backend mail server will generate and send
 the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending
 server
 connects to the receiving server and the receiving server accepts
 the
 message or does not.  Either way, it is communicating with the
 sending
 server directly...just like if you telnet to your smtp server port
 25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have
 a
 pretty typical setup. Typical setup: incoming mail comes in through
 a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
 with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block
 or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
 



Exchange Server 207 sp1 ru4

2008-10-07 Thread Michael B. Smith
There had been some questions in this forum about when it would be
re-released.

 

Well, the answer is today.

 

http://support.microsoft.com/?kbid=952580 and

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=8b492ed2-ea92-412f-a852-3aa1c58d9499&DisplayLang=en

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Link with me at: http://www.linkedin.com/in/theessentialexchange

 



RE: Hundreds of NDRs

2008-10-07 Thread Don Andrews
Correction, 25825 - the 10k number was for one of the 2 clustered
devices ... and 150493 from DNSBL, 560213 for Manual block (including
one that was giving us about 60k/hr until it dropped out)

-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2008 1:18 PM
To: MS-Exchange Admin Issues
Subject: Re: Hundreds of NDRs

That's a respectable number...

On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews [EMAIL PROTECTED]
wrote:
 It can't detect distributed - the detection is per IP - 30% invalid
 addresses over a 10 minute period is the threshold - generates an
 automatic 24 hour block - which is usually sufficient for bots and at
 times will convince companies with out of date DLs to update them.
Have
 had 10495 connections rejected today due to DHA blocks.

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:53 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Ah. How does it detect those, especially if they're distributed?

 On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 Sorry, Directory Harvesting Attack

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:35 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 DHA?

 Kurt

 On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews
[EMAIL PROTECTED]
 wrote:
 Upgrading to a gateway product that does recipient validation a
 couple
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate
 sources
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only
legitimate
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews
 [EMAIL PROTECTED]
 wrote:
 I can think of a couple of NDR causes that may not be handled
during
 the
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
 gateway)

 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't
 connect
 to
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will
accept
 the
 message, then it or the backend mail server will generate and send
 the
 NDR
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending
 server
 connects to the receiving server and the receiving server accepts
 the
 message or does not.  Either way, it is communicating with the
 sending
 server directly...just like if you telnet to your smtp server port
 25
 and it
 gives you feedback.  Backscatter email goes through spam server
 because it
 isn't originating from your smtp server.  The only legit bounces
may
 come
 for users who might have pop or imap accounts setup not to send
 through your
 smtp server.

 There are probably others on the list that understand the protocols
 better
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

 These types of NDRs drive me crazy. Here is one option if you have
 a
 pretty typical setup. Typical setup: incoming mail comes in
through
 a
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
 with
 the sending smtp server. If an NDR hits your spam server, then it
 would
 be backscatter from spam. You could set your spam gateway to block
 or
 quarantine these false NDRs. They do the user no good anyway.

 Bill

 [EMAIL PROTECTED] wrote:
  Exchange 2003 SP2. We occasionally have users who get a few NDRs over
  a couple of days from recipients they did not send to because of
  spammers spoofing their email address. At 12:15 I have a user who
  began getting hundreds of NDRs obviously as a result of a spammer
  sending out a bulk email package. These are coming in so fast the user
  is having a hard time keeping up with the deleting. Any way to prevent
  this crap?
  Thanks.
 



Re: Hundreds of NDRs

2008-10-07 Thread wjh
Can you see this:

this is DHS attacks the past week.  not shabby:

10/7/2008   240188
10/6/2008   293475
10/5/2008   317575
10/4/2008   344490
10/3/2008   259610
10/2/2008   284496
10/1/2008   272972
9/30/2008   359911




Don Andrews wrote:
 Correction, 25825 - the 10k number was for one of the 2 clustered
 devices ... and 150493 from DNSBL, 560213 for Manual block (including
 one that was giving us about 60k/hr until it dropped out)

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 1:18 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 That's a respectable number...

 On Tue, Oct 7, 2008 at 1:02 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
   
 It can't detect distributed - the detection is per IP - 30% invalid
 addresses over a 10 minute period is the threshold - generates an
 automatic 24 hour block - which is usually sufficient for bots and at
 times will convince companies with out of date DLs to update them.
 
 Have
   
 had 10495 connections rejected today due to DHA blocks.

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:53 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Ah. How does it detect those, especially if they're distributed?

 On Tue, Oct 7, 2008 at 12:42 PM, Don Andrews [EMAIL PROTECTED]
 wrote:
 
 Sorry, Directory Harvesting Attack

 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 12:35 PM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 DHA?

 Kurt

 On Tue, Oct 7, 2008 at 12:18 PM, Don Andrews
   
 [EMAIL PROTECTED]
   
 wrote:
   
 Upgrading to a gateway product that does recipient validation a
 
 couple
 
 of years ago was a huge benefit - and I'm ever so happy that it also
 detects and auto-blocks DHA's and a number of other mis-behaviors.



 -Original Message-
 From: Kurt Buff [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:45 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs

 Oh, yeah, the last two that Don mentions are indeed legitimate
 
 sources
 
 of NDRs that won't happen during the initial SMTP conversation from
 the sender to the recipient. However, the first one (where an NDR is
 generated after receipt for a non-valid recipient) is only
 
 legitimate
   
 when sending to a DL on a gateway that isn't kept up to date.

 Kurt

 On Tue, Oct 7, 2008 at 11:18 AM, Don Andrews
 
 [EMAIL PROTECTED]
 
 wrote:
 
 I can think of a couple of NDR causes that may not be handled
   
 during
   
 the
 
 initial SMTP conversation - in gateway environments;

 1. invalid recipient (if recipient validation is not handled by the
   
 gateway)
 
 2. over quota (in gateway environment again)

 3. delivery delay or failure notifications - if gateway can't
   
 connect
 
 to
 
 backend mail server for some period.



 In each of these cases, the gateway at the receiving end will
   
 accept
   
 the
 
 message, then it or the backend mail server will generate and send
   
 the
   
 NDR
 
 at a later time.

 

 From: wjh [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 07, 2008 11:04 AM
 To: MS-Exchange Admin Issues
 Subject: Re: Hundreds of NDRs



 It shouldn't.  a legitimate NDR should happen while the sending and
 receiving SMTP servers talk to each other.  legitimate sending
   
 server
 
 connects to the receiving server and the receiving server accepts
   
 the
 
 message or does not.  Either way, it is communicating with the
   
 sending
   
 server directly...just like if you telnet to your smtp server port
   
 25
 
 and it
 
 gives you feedback.  Backscatter email goes through spam server
   
 because it
 
 isn't originating from your smtp server.  The only legit bounces
   
 may
   
 come
 
 for users who might have pop or imap accounts setup not to send
   
 through your
 
 smtp server.

 There are probably others on the list that understand the protocols
   
 better
 
 than me, so feel free to chime in.

 Bill


 [EMAIL PROTECTED] wrote:

 If this could be done, wouldn't it also block legitimate NDRs?



 -- Original message --
 From: wjh [EMAIL PROTECTED]

   
 These types of NDRs drive me crazy. Here is one option if you have
 
 a
 
 pretty typical setup. Typical setup: incoming mail comes in
 
 through
   
 a
   
 spam gateway device/server, but outgoing mail leaves through your
 exchange server. All legit NDRs should be communicating directly
 
 with
   
 the sending smtp server. If an NDR hits your spam 

RE: Exchange Server 207 sp1 ru4

2008-10-07 Thread Michael B. Smith
Yes, that error has already been reported.

 

And I can't tell you when UR5 is scheduled.

 

Regards,

 

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Link with me at: http://www.linkedin.com/in/theessentialexchange

 

From: Webster [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2008 5:08 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange Server 207 sp1 ru4

 

From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Subject: Exchange Server 207 sp1 ru4

 

There had been some questions in this forum about when it would be
re-released.

 

Well, the answer is today.

 

http://support.microsoft.com/?kbid=952580 and

 

So when are they going to release UR5?

 

954058 (http://support.microsoft.com/kb/954058/) You can change the method for
transfer encoding after you apply Update Rollup 5 for Exchange Server 2007
Service Pack 1 

 

Webster

 

 



RE: Exchange Server 207 sp1 ru4

2008-10-07 Thread Webster
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Subject: Exchange Server 207 sp1 ru4

 

There had been some questions in this forum about when it would be
re-released.

 

Well, the answer is today.

 

http://support.microsoft.com/?kbid=952580 and

 

So when are they going to release UR5?

 

954058 (http://support.microsoft.com/kb/954058/) You can change the method for
transfer encoding after you apply Update Rollup 5 for Exchange Server 2007
Service Pack 1 

 

Webster



Re: Hundreds of NDRs

2008-10-07 Thread Micheal Espinola Jr
This is called backscatter.  Google it for more info.  You can
*help* prevent this before it happens by publishing SPF/Sender-ID
records.  Next, you can filter based on missing Message-ID headers
that should exist in legitimate NDRs if the original email was from
your domain.


On Tue, Oct 7, 2008 at 1:08 PM,  [EMAIL PROTECTED] wrote:
 Exchange 2003 SP2. We occasionally have users who get a few NDRs over a
 couple of days from recipients they did not send to because of spammers
 spoofing their email address. At 12:15 I have a user who began getting
 hundreds of NDRs obviously as a result of a spammer sending out a bulk email
 package. These are coming in so fast the user is having a hard time keeping
 up with the deleting. Any way to prevent this crap?
 Thanks.





-- 
ME2
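
The Message-ID filter suggested in this message, as an added example that is not part of the original post: it pulls the returned original out of an NDR and checks whether its Message-ID was issued by our own outbound server. It goes one step past a presence check by also matching the host part of the ID; `OUR_MSGID_HOSTS`, the function names and the sample NDRs are assumptions constructed for illustration, and the "quarantine" outcome follows the block-or-quarantine option raised earlier in the thread.

```python
import email

# Assumption: every message our outbound servers send carries a Message-ID
# whose right-hand side is one of these host names (constructed value).
OUR_MSGID_HOSTS = ("@mail.example.edu",)


def original_message_id(ndr_text):
    """Return the Message-ID of the returned original inside an NDR, or None."""
    ndr = email.message_from_string(ndr_text)
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # Full original attached: payload is a one-element list.
            payload = part.get_payload()
            if not isinstance(payload, list) or not payload:
                continue
            inner = payload[0]
        elif ctype == "text/rfc822-headers":
            # Only the original's headers were returned, as plain text.
            inner = email.message_from_string(part.get_payload())
        else:
            continue
        return inner.get("Message-ID")
    return None


def gateway_action(ndr_text):
    """Decide what the inbound gateway does with an NDR."""
    msgid = original_message_id(ndr_text)
    if msgid is None:
        return "quarantine"      # no original, or original had no Message-ID
    msgid = msgid.strip().strip("<>").lower()
    if msgid.endswith(OUR_MSGID_HOSTS):
        return "deliver"         # bounce of something we really sent
    return "quarantine"          # original was not stamped by our server


def sample_ndr(returned, part_type="text/rfc822-headers"):
    """Build a constructed multipart/report NDR around `returned`."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: user@example.edu\n"
        "Subject: Undeliverable mail\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/report; report-type=delivery-status;"
        ' boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Delivery to the following recipient failed.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mx.example.net\n"
        "\n"
        "Final-Recipient: rfc822; nobody@example.net\n"
        "Action: failed\n"
        "Status: 5.1.1\n"
        "--b1\n"
        "Content-Type: " + part_type + "\n"
        "\n"
        + returned +
        "\n--b1--\n"
    )


# Constructed header blocks for the returned original.
SAMPLE_OURS = ("From: user@example.edu\n"
               "Message-ID: <20081007.1215.A1@mail.example.edu>\n"
               "Subject: Minutes")
SAMPLE_FORGED = ("From: user@example.edu\n"
                 "Message-ID: <000d01c9@bulk-sender.invalid>\n"
                 "Subject: Offer")
SAMPLE_NO_ID = "From: user@example.edu\nSubject: Offer"

if __name__ == "__main__":
    for name, hdrs in (("ours", SAMPLE_OURS), ("forged", SAMPLE_FORGED),
                       ("no id", SAMPLE_NO_ID)):
        print(name, "->", gateway_action(sample_ndr(hdrs)))
```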
