MAPILab

NDR Spam Attack: The Solution

By default, Microsoft® Exchange Server accepts all messages received via the SMTP protocol. If the server is unable to find a recipient within the system, the message is returned to the sender (non-delivery report, NDR). This approach, however, creates a potential security threat: since the sender’s address is not checked, a sender with malicious intentions may set any address as the reply-to address.

As anti-spam activities around the world become more and more widespread, spammers invent new ways of sending unsolicited mail. An NDR attack allows spammers to bypass most server-side and client-side spam filters:

  • since Exchange Server returns the undelivered message as an attachment, spam filters that monitor the message body and headers for specified keywords operate less than effectively and pass such messages through;
  • many users delete unsolicited mail manually without reading it (this takes less than a second); however, when they see a message with an ‘Undelivered Mail’ subject line, they may open it and read the attached message, spending their time on it: what if a virus on their machine is sending messages to the recipients in their address book?
  • since the source of such mail is an “honest” server (one that is not found in the SPEWS or ORDB databases), server filters, including the latest filters introduced in Microsoft Exchange 2003 Server, will pass the message through.

The consequences of such mailing through your server may be awful:

  • The administrator mailbox gets cluttered with NDR copies, making it easy to lose messages that are actually important;
  • Server load may cause the server to malfunction or reduce its efficiency; if the number of connections is limited, connections from other mail servers may be refused;
  • Load on the Internet connection may cause sudden slowdowns for users on the corporate network.

But all the aspects mentioned above are not worth a dime compared with the fact that your server ends up on one of the spam source lists. Getting off such a list is much harder than getting on it. While you spend your time writing to the spam list administrator, explaining that some users were not quite right in saying they were getting unsolicited mail from your server, your users may be unable to send their messages out and may not receive all the mail they expect to get. The most unpleasant experience is getting your server listed in an open relay database (the list of servers that accept mail from any address and deliver it to the addressee; such servers are what all spammers are after). In this case, hundreds of spammers who monitor open relay databases will try to use your server to send unsolicited mail. For several weeks, until the spam database program has made sure that your server is closed, you should expect serious load on your server. And if there are spammers who use NDR for sending unsolicited mail, there will be only one solution for you: disable NDR to stop this madness.

It would not be correct to say that Microsoft has no solution for this issue whatsoever. You may refer to Q315631 — HOW TO: Forward Mail with Unresolved Recipients to a Single Mailbox. This method requires you to create an additional virtual SMTP server that is used to redirect all mail addressed to unresolved recipients, and to create an ActiveX component in Microsoft Visual Basic that modifies the address in each received message and then returns the message to the main SMTP server.

The major drawback of this method, besides the complexity of implementation, is that Exchange Server keeps receiving all messages. This results in wasted traffic and unwanted server load.

The optimum solution in this situation is to block all messages to non-existent addresses at the SMTP protocol level. In that case, the NDR is generated for the sender by the sender's own SMTP server, which is actually common practice.
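The difference between accepting everything and refusing unknown recipients at the SMTP protocol level can be seen in a small simulation of the envelope exchange. This is an added example, not MAPILab or Microsoft code; the addresses, the `VALID_RECIPIENTS` list and the `handle_session` function are assumptions made for illustration.

```python
# Added example, not MAPILab code. Addresses and the recipient list are constructed.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # assumed directory / text file list


def normalize(addr):
    """Strip angle brackets and whitespace, lowercase for directory lookup."""
    return addr.strip().strip("<>").lower()


def handle_session(commands, reject_unknown):
    """Process the envelope commands of one simplified SMTP session.

    Returns (replies, ndr_targets): one reply per command, plus the addresses
    this server would later send a non-delivery report to.
    """
    replies, ndr_targets = [], []
    mail_from, accepted, unknown = None, [], []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            # The envelope sender is taken as given; nothing verifies it.
            mail_from, accepted, unknown = normalize(arg), [], []
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT TO":
            rcpt = normalize(arg)
            if rcpt in VALID_RECIPIENTS:
                accepted.append(rcpt)
                replies.append("250 2.1.5 Recipient OK")
            elif reject_unknown:
                # Refuse during the SMTP dialogue: the connecting server owns the failure.
                replies.append("550 5.1.1 User unknown")
            else:
                # Accept-all behaviour: the message is queued and bounced later.
                unknown.append(rcpt)
                replies.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":  # simplified: stands for the whole message transfer
            if not (accepted or unknown):
                replies.append("554 5.5.1 No valid recipients")
            else:
                replies.append("250 2.6.0 Queued")
                if unknown and mail_from:  # a null sender (<>) never gets an NDR
                    ndr_targets.append(mail_from)
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies, ndr_targets


# Constructed session: forged envelope sender, non-existent recipient.
SESSION = ["MAIL FROM:<victim@example.org>", "RCPT TO:<nosuchuser@example.com>", "DATA"]
```

With `reject_unknown=False` the session ends with an NDR owed to the address given in `MAIL FROM`; with `reject_unknown=True` the server owes no NDR at all.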

Mail Storage Guard offers both methods of protection from an NDR attack. It can either redirect all mail with unresolved recipients to a given mailbox or refuse to accept the mail at the SMTP protocol level. A single button press switches the protection mode of Mail Storage Guard: refuse mail to unresolved addresses during an attack, or send it to the administrator account so that the administrator can redirect it to the correct address manually.

Mail Storage Guard checks whether an address exists using both Active Directory and a simple text file list, which allows it to be used both with Microsoft Exchange Server and with Windows SMTP when the latter is used as a front end to another mail server.

For a detailed description of Mail Storage Guard features, see the product description page.

© 2003-2008 MAPILab Ltd. All rights reserved.