
	Home > Ask the Microsoft Exchange Experts > Bharat Suneja: Server Administration Questions & Answers > How to determine if you're the target of a 'reverse NDR attack'

Ask The Exchange Expert: Questions & Answers

EMAIL THIS

How to determine if you're the target of a 'reverse NDR attack'

EXPERT RESPONSE FROM: Bharat Suneja

		Pose a Question

		Other Exchange Categories

		Meet all Exchange Experts
		Become an Expert for this site

Exchange Server tips, tutorials and expert advice

Digg This! StumbleUpon Del.icio.us

QUESTION POSED ON: 10 April 2006
My ISP called to report spamming issues associated with Microsoft Exchange on my Windows Small Business Server 2003. It appears that non-delivery reports (NDRs) are being sent from the postmaster. I have looked for hours, but I can't figure out how to turn this off. What else could it be?

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Bharat Suneja: Server Administration
	Tools to bulk modify Active Directory users in Exchange Server 2003
	Why can't POP3 clients receive Exchange Server email?
	Is it possible to set up an auto-reply message for Exchange DLs?
	Can I prevent users from deleting voice messages from a UM folder?
	Tools and methods for disabling IMAP and POP in Exchange Server 2003
	Share and sync calendar data between two Exchange Server sites
	Exchange event sink scripting error when configuring email disclaimer
	Change language settings for out-of-office messages
	Set up FQDN and bridgeheads for POP3 and IMAP4 email
	Share a user's calendar without giving access to the entire mailbox

Spam and virus protection

How to install Forefront Security for Exchange Server

Block Web beacons and protect OWA users from spam

Controlling spam in Exchange 2007 at the edge transport server level

How file-level antivirus software can harm your Exchange Server

Problems with email spoofing on SBS 2003

Exchange Insider e-zine

Securing your Exchange Server 2007 journaling archives

Troubleshooting Outlook Web Access issues on a 64-bit system

Microsoft Exchange Server security dos and don'ts

Troubleshooting Microsoft Exchange Server Event ID error 6009

Spam and virus protection Research

Small Business Server

Exchange Mailbag: POP3 settings and Outlook issues

Exchange Server 2003 collects email from only specific POP3 domains

Prevent duplicate appointments in Microsoft Outlook 2003 calendar

Problems with email spoofing on SBS 2003

Upgrading from Small Business Server (SBS) 2003 to Exchange Server 2007

Configure a POP3 connector to receive external email on SBS 2003

Connecting an Apple iPhone to Exchange Server on Windows SBS 2003

Configure SMTP connection limits in Exchange Server 2003 and SBS

Windows SBS and Exchange Server security configuration best practices

Migrating mailboxes from Exchange Server 5.5 to Windows SBS 2003

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

backscatter spam (SearchExchange.com)

greylist (SearchExchange.com)

image spam (SearchExchange.com)

KnujOn (SearchExchange.com)

Sender ID (SearchExchange.com)

spam confidence level (SearchExchange.com)

spamblock (SearchExchange.com)

spim (SearchExchange.com)

tarpitting (SearchExchange.com)

Vouch by Reference (VBR) (SearchExchange.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

VIEW MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A.

Most likely your server has been the target of a 'Reverse NDR attack.' Here are some symptoms of this type of attack:

Your Exchange Server queues have many messages waiting to be delivered to external recipients.
Your ISP notified you that your server is sending UCE (a.k.a. spam).
Store.exe and Inetinfo.exe use a lot of CPU cycles.
The Badmail folder -- located in exchsrvrmailrootvsi 1 -- fills up fast and the drive could potentially run out of space.
If you stop the SMTP service, your server returns to normal performance levels.

If most of the messages in your queues are from postmaster@yourdomain.com, you should configure Recipient Filtering on your server.

Please refer to the Microsoft Knowledge Base article 886208 to get detailed instructions on how to configure Recipient Filtering and clean up your queues.

MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

Not so fast. If you do this, spam will use directory harvesting on your server and may make things worse.

I would turn off non-delivery reports (NDRs) for messages that do not have a valid recipient. and just keep an eye out for misspelled email in the admin mailbox.
—Sam C.

Do you have comments on this Ask the Expert Q&A? Let us know.

Related information from SearchExchange.com:

Tip: Should you turn off your network's outbound SMTP (port 25)?

Tip: Excessive Exchange Server NDRs destroy DNS

On-Demand Webcast: Locking down Exchange Server

Learning Guide: How to fight spam on Exchange Server

Reference Center: Non-Delivery Report tips and resources

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Outlook Web Access (OWA) Tips and Advice

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2004 - 2009, TechTarget \| Read our Privacy Policy