
How to determine if you're the target of a 'reverse NDR attack'

SearchExchange.com expert Bharat Suneja outlines the symptoms of a 'reverse NDR attack' and provides instructions on how to clean up your Exchange queues if your server's been targeted.

My ISP called to report spamming issues associated with Microsoft Exchange on my Windows Small Business Server 2003. It appears that non-delivery reports (NDRs) are being sent from the postmaster. I have looked for hours, but I can't figure out how to turn this off. What else could it be?

Most likely your server has been the target of a 'Reverse NDR attack.' Here are some symptoms of this type of attack:

  • Your Exchange Server queues have many messages waiting to be delivered to external recipients.
  • Your ISP notified you that your server is sending UCE (a.k.a. spam).
  • Store.exe and Inetinfo.exe use a lot of CPU cycles.
  • The Badmail folder -- located in exchsrvr\mailroot\vsi 1 -- fills up fast and the drive could potentially run out of space.
  • If you stop the SMTP service, your server returns to normal performance levels.

If most of the messages in your queues are from postmaster@yourdomain.com, you should configure Recipient Filtering on your server.

Please refer to the Microsoft Knowledge Base article 886208 to get detailed instructions on how to configure Recipient Filtering and clean up your queues.


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

Not so fast. If you do this, spam will use directory harvesting on your server and may make things worse.

I would turn off non-delivery reports (NDRs) for messages that do not have a valid recipient, and just keep an eye out for misspelled email in the admin mailbox.
—Sam C.
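
The trade-off between the expert's answer and the member feedback above, modelled as an added example (not part of the original Q&A and not Exchange code): for constructed traffic it counts how many NDRs each policy queues and which addresses the sending client can confirm as valid. The policy names, addresses and directory are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed directory and traffic; all names use reserved .test domains.
DIRECTORY = {"alice@example.test", "bob@example.test"}
TRAFFIC = [  # (MAIL FROM as claimed by the client, RCPT TO)
    ("victim1@victim.test", "qwerty@example.test"),
    ("victim2@victim.test", "zzz123@example.test"),
    ("victim3@victim.test", "alice@example.test"),
    ("partner@partner.test", "bbo@example.test"),  # honest typo of bob@
]

@dataclass
class Outcome:
    ndrs_queued: list = field(default_factory=list)  # NDR destinations (outbound queue)
    rejected: int = 0                                # refused with 550 at RCPT TO
    confirmed: set = field(default_factory=set)      # addresses the client learns are valid
    dropped: int = 0                                 # accepted, then discarded silently

def simulate(policy, traffic=TRAFFIC, directory=DIRECTORY):
    """Apply one hypothetical policy name to every (MAIL FROM, RCPT TO) pair."""
    out = Outcome()
    for mail_from, rcpt_to in traffic:
        exists = rcpt_to in directory
        if policy == "recipient_filter":
            # Decided during the SMTP session, so no NDR is ever generated, but
            # the 250/550 difference tells the client which addresses exist.
            if exists:
                out.confirmed.add(rcpt_to)
            else:
                out.rejected += 1
        elif policy == "accept_then_ndr":
            # Everything is accepted; unknown recipients bounce later to the
            # unverified MAIL FROM address, which is what fills the queues.
            if not exists:
                out.ndrs_queued.append(mail_from)
        elif policy == "accept_no_ndr":
            # No bounce and no signal to the client; mistyped mail vanishes.
            if not exists:
                out.dropped += 1
        else:
            raise ValueError(f"unknown policy: {policy}")
    return out

if __name__ == "__main__":
    for name in ("accept_then_ndr", "recipient_filter", "accept_no_ndr"):
        print(name, simulate(name))
```
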

