|
|
|
Question : NDR attack?
|
|
Hey all,
Maybe someone can make light of this...
For the past 2 mornings I've come into work w/ 1100 (or so) emails from system administrator. The NDR is below:
____________________________________________
Your message did not reach some or all of the intended recipients.
Subject: Spam Notification: 1 New 1 Total
Sent: 3/27/2008 2:23 AM
The following recipient(s) cannot be reached:
[email protected] on 3/27/2008 2:23 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail38-va3-R.bigfish.com #5.0.0 X-Postfix; host MY IP ADDRESS[MY IP ADDRESS] said: 550 5.1.1 User unknown (in reply to RCPT TO command)>
____________________________________________
What I think is happening is someone spoofing one of my distribution group emails. They're sending emails out and I'm getting the kickbacks.
I'm using front bridge (MS) for spam. I checked the trace message system they have, I can see my group dist email in the FROM field.... I also setup a rule to reject all emails that are coming from MY DOMAIN... No internal messages should ever leave my domain...
What does this sound like to you guys?
|
Answer : NDR attack?
|
|
No need to turn off NDRs. When running exchange you just need to make sure you are running at least version 2003 and reject mail to unknown users before receipt.
If you have an older version of Exchange then there are extra appliances which can sit infront and spam filter the email while also pulling a list of valid addresses from exchange via ldap which enables it to reject mail to unknown users before receipt.
|
|
|
|
|
|
|
