I have recently been working on the Exchange 2000 NDR attack issue. For those who are not aware of this issue, I will explain.
It seems there is a certain group of desperate idiot spammers that believe that bouncing off good Exchange 2000 servers with non-delivery reports is a good way to deliver spam. They send tons of email at your Exchange 2000 server, with a different reply address forged for each email. The spam recipient apparently sees an NDR from your server, with spam attached. Your server did the delivery. (ooops) Moronic idea, must look like hell to the spam recipient, but apparently it is being done out there. There is also apparently little to nothing that can be done for the Exchange server. There are a few third party items that I am looking into, but the real fix (supposedly) is to upgrade to Exchange 2003. See here: http://support.microsoft.com/?kbid=886208

The thing that apparently is the tip-off for this issue is tons of queued up email to spam domains in your Exchange queues. The difficult part is that it is hard to tell the difference between NDR attacks on your Exchange server and some idiot just using your domain for his reply address in a spam run. It has about the same effect as far as I can tell with the queues.

Ok, that is the background... Now onto the problem as I see it. Let's say I do the fix with 2003 (which I have already done). So, recipient verification is now enabled on Exchange 2003. One small problem however. If I have SpamAssassin kill emails at, let's say, 20 points spam score, the email recipient never gets verified on my front end Postfix/SA server. I am receiving all the various bogus email addresses and sending them to the trash can where they belong. What would be better, though, is for Postfix/SA to allow recipient verification to Exchange before Postfix/SA starts going to work at all. I would rather not make recipient files on the Postfix server. Seems like there should be a better way.
It would seem that ideally, the error "User unknown (in reply to RCPT TO command)" (or whatever) should be allowed to happen before SA starts testing the email. I could just let the high score emails go through without killing it, and that would probably work correctly as far as recipient verification goes with the Exchange 2003 server, but I would rather not do that. The legit users would see a flood of more ***spam*** tagged emails than they are used to seeing. So, I guess my question would be, does anyone know of a way to allow a natural recipient validation check downstream to the Exchange 2003 server before SA starts working, so that SA does not start testing on all these bogus email addresses. Again, I am looking for some solution that does not involve creating recipient verification maps on the Postfix server. Thanks in advance for any ideas.
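Added example, not from the original post or from the Postfix project: a Postfix main.cf fragment in which the front end probes the downstream Exchange 2003 server with its own RCPT TO at SMTP time, so that an address Exchange answers "User unknown" to is rejected before DATA, and therefore before the message ever reaches SpamAssassin, without any recipient map on the Postfix box. The domain and host names are placeholders, and it assumes Postfix 2.1 or later (where reject_unverified_recipient exists) and that Exchange 2003 recipient filtering really rejects unknown users at RCPT TO rather than accepting and bouncing later.

```ini
# Added example (placeholders, not the original poster's configuration).
# Front-end Postfix relaying for one domain to an Exchange 2003 back end.

# Mail for this domain is relayed, not delivered locally.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport would contain one line:
#   example.com   smtp:[exchange.internal.example.com]

# Deliberately empty: Postfix asks Exchange instead of consulting a map.
relay_recipient_maps =

# reject_unverified_recipient runs at RCPT TO, so the bogus address is
# refused before the body is accepted and before the content filter
# (SpamAssassin) sees anything. It must come after reject_unauth_destination,
# otherwise Postfix would send probes for domains it does not relay for.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Probe results are cached so Exchange is not asked once per message.
address_verify_map = btree:/var/lib/postfix/verify
address_verify_positive_expire = 31d
address_verify_negative_expire = 3d

# Default is 450 (temporary failure, sender retries). Use 550 only after
# confirming Exchange really answers unknown users with a permanent 5xx,
# since a wrong verdict here would permanently reject legitimate mail.
unverified_recipient_reject_code = 550
```

Because the rejection happens inside the SMTP session, Postfix itself never generates a bounce for these addresses either, which is what removes the front end from the backscatter path described in the post.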