NDR Spam and POSTINI how-to

First of all, what is a NDR?

http://www.postini.com/webdocs/rel_notes/announce/bulletin_ndr.pdf

A non-delivery report or NDR is a message sent by the email server that informs the sender that the delivery of the email message failed.

While there are various events that can trigger an NDR, the most common cases are when the recipient of the message does not exist or when the destination mailbox is full.

So if I send a message to mikkkkkke@madtownengineer.com from an external account, I get back an NDR.

In plain English, No user by that name, sorry, message returned.

Typically, the NDR is sent with the original message quoted just below it, as if someone were replying to your message.

What spammers do is this:
They spoof the FROM: (the envelope sender, MAIL FROM) and send a batch of messages to your server addressed to users that may or may not exist.

So what happens is, your server sees all these messages addressed to users that don’t exist.

Your server accepts them and then sends NDRs in response. But the spoofed FROM: addresses are real, valid mailboxes belonging to somebody else.

Your server is now sending “NDR spam” (also known as backscatter).

Spammers do this on purpose: your server sends these NDRs with the ORIGINAL message, the spam payload, quoted just below.

It’s a cheap shot, I agree, but it’s a way to send spam.

Throw a thousand messages at youdonotexist@madtownengineer.com, each with a different FROM: address, and your server is sending tons of NDR spam.

Ohhh noooo….

What if the FROM: address is totally bogus, like a randomly generated domain?

Your server will try to send NDRs to domains that have no MX (mail exchanger) records, so the bounces sit in the queue and keep retrying.

The screenshot of the outbound queue viewer below is what you will see.

A FROM address of <> (the null sender) is the server’s way of saying the message is an NDR.

And you will see your server trying to talk to odd domains.
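As an added example (not from the original post), here is a small Python check that applies the two indicators above to a queue export: a null sender and a pile of destination domains that fail DNS. The CSV layout and the queue rows are constructed for the example; a real Exchange queue export has its own column names, so adjust the field names before using it.

```python
# Added example, not code from the original post or from Exchange/Postini.
# Spots a backscatter storm in a queue export: NDRs carry the null sender <>,
# and when the spoofed senders used random domains the queue fills up with
# <> messages stuck on DNS/MX errors.
# The CSV format and rows below are constructed for this example.
import csv
import io
from collections import Counter

SAMPLE_QUEUE_EXPORT = """\
from_address,recipient,status,last_error
<>,joe@qx7v2k-mail.test,Retry,DNS query failed: no MX record for qx7v2k-mail.test
<>,ann@p9d0zz.test,Retry,DNS query failed: no MX record for p9d0zz.test
<>,ann@p9d0zz.test,Retry,DNS query failed: no MX record for p9d0zz.test
<>,bob@example.net,Ready,
mike@madtownengineer.com,partner@example.org,Ready,
<>,sam@example.org,Retry,451 4.4.1 connection timed out
"""


def parse_queue(text):
    """Parse the (constructed) CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def recipient_domain(addr):
    """'<joe@Example.net>' -> 'example.net'"""
    return addr.strip("<>").lower().rpartition("@")[2]


def backscatter_report(rows, dns_keywords=("no MX", "DNS")):
    """Count null-sender (NDR) messages, per destination domain and
    per domain whose last delivery error was a DNS/MX failure."""
    ndrs = [r for r in rows if r["from_address"].strip() == "<>"]
    by_domain = Counter(recipient_domain(r["recipient"]) for r in ndrs)
    dns_stuck = Counter(
        recipient_domain(r["recipient"])
        for r in ndrs
        if any(k.lower() in r["last_error"].lower() for k in dns_keywords)
    )
    return {
        "total": len(rows),
        "ndrs": len(ndrs),
        "ndr_share": len(ndrs) / len(rows) if rows else 0.0,
        "by_domain": dict(by_domain),
        "dns_failures": dict(dns_stuck),
    }


def looks_like_backscatter(report, min_ndr_share=0.5, min_dns_domains=2):
    """Heuristic: most of the queue is null-sender mail and several of its
    destination domains do not even resolve. Thresholds are assumptions;
    tune them to your normal NDR volume."""
    return (report["ndr_share"] >= min_ndr_share
            and len(report["dns_failures"]) >= min_dns_domains)


if __name__ == "__main__":
    rep = backscatter_report(parse_queue(SAMPLE_QUEUE_EXPORT))
    print(f"{rep['ndrs']} of {rep['total']} queued messages are NDRs (from <>)")
    for dom, n in rep["dns_failures"].items():
        print(f"  {n} NDR(s) stuck on DNS failure for {dom}")
    print("backscatter storm:", looks_like_backscatter(rep))
```

A legitimate queue has a few `<>` messages at any time (real typos, full mailboxes), so the heuristic keys on the share of the queue and on unresolvable domains rather than on the mere presence of a null sender.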

What can you do?

If your anti-spam device is an appliance and it supports it, it can perform an LDAP lookup of the recipient against your directory (recipient verification).

So the appliance does an LDAP lookup: if the user exists, it passes the message on; if not, it rejects the message during the SMTP conversation (so the sending server gets the “no such user” error) or drops it completely.

Microsoft says that you can install the anti-spam agents on the Exchange server.

They are normally found on the Edge Transport server, but can be installed on any Hub Transport server.

Then enable Recipient Filtering.

But I found that this still creates NDRs, not a bounce.

So that installation work was kind of worthless, but what the heck, now you know how to install the anti-spam piece on Exchange.

And with that setup the verification only happens after Postini is done with the message and tries to deliver it to the Exchange server.

Some NDRs are good: say you accidentally type the address incorrectly when you send a message; you want the server to notify you that “there’s no user here”.

In this case, the Exchange server sends it from postmaster@, with status code 5.1.1 and the error text “Recipient not found”.

So it looks like this, and is generated at the Exchange server:

If you have all your users set up in Postini, including the aliases and the groups that are allowed to receive mail from the internet, you can turn this setting on:

“Non-Account Bouncing”

I like this better because it tells the sending server “no user found” and doesn’t even accept the message.

The details are seen here when you click on the “General Settings” icon.

Then the bounce message looks like this, and is generated by the sending server (in this test, ours):

This prevents NDR spam.

This error occurs when PDS’s sending side tries to send mail to Postini (masters’ MX record).

During the SMTP conversation Postini answers the RCPT TO with “no such user”, so the message is never accepted and the sending server generates the bounce.

Notice that the response here is 5.0.0, not 5.1.1 as seen above.

So, to summarize: to reduce or eliminate NDR spam, have the first receiving device (the anti-spam appliance or service) verify that the recipient exists before accepting the message and sending it onward.

That way, the receiving server can tell the sending server “no such user” and reject it during the SMTP conversation. Any NDR is then generated at the sending side, not by your server.
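To make the difference concrete, the following Python simulation (added here; not code from the post, from Postini or from Exchange) runs the spam batch described earlier in the post against a toy SMTP receiver in both modes: accept-then-bounce, which is what produces the NDR spam, and reject-at-RCPT, which is what LDAP recipient verification or Postini’s Non-Account Bouncing gives you. The user directory, the domains and the addresses are constructed; nothing is sent over the network.

```python
# Added example, not code from the original post or from Postini/Exchange.
# A toy SMTP receiver run under two policies, to show where the NDR gets
# generated. Constructed directory and addresses; no network I/O.
from dataclasses import dataclass, field

LOCAL_DOMAIN = "madtownengineer.com"   # domain used in the post
KNOWN_USERS = {"mike", "sales"}        # constructed directory (the "LDAP lookup")


@dataclass
class Session:
    transcript: list = field(default_factory=list)  # (client line, server reply)
    accepted: bool = False
    # NDRs *this* server would queue afterwards: (envelope sender, recipient, status)
    ndrs: list = field(default_factory=list)


def split_addr(addr):
    """'<User@Example.com>' -> ('user', 'example.com')"""
    user, _, domain = addr.strip("<>").lower().partition("@")
    return user, domain


def receive(mail_from, rcpt_to, reject_at_rcpt):
    """Simulate one inbound SMTP transaction.

    reject_at_rcpt=True  : recipient verified during RCPT TO (recipient
                           verification / Non-Account Bouncing). Unknown
                           users get a 550 and nothing is queued.
    reject_at_rcpt=False : everything is accepted with 250, and unknown users
                           are bounced afterwards from <>: backscatter.
    """
    s = Session()
    s.transcript.append((f"MAIL FROM:{mail_from}", "250 2.1.0 Sender OK"))
    user, domain = split_addr(rcpt_to)
    exists = domain == LOCAL_DOMAIN and user in KNOWN_USERS

    if reject_at_rcpt and not exists:
        # The refusal travels back inside the SMTP conversation; whoever is
        # sending (a real MTA, or the spammer's tool) owns any bounce.
        s.transcript.append((f"RCPT TO:{rcpt_to}", "550 5.1.1 User unknown"))
        s.transcript.append(("QUIT", "221 2.0.0 Bye"))
        return s

    s.transcript.append((f"RCPT TO:{rcpt_to}", "250 2.1.5 Recipient OK"))
    s.transcript.append(("DATA", "354 Start mail input"))
    s.transcript.append(("<message body> .", "250 2.6.0 Queued"))
    s.transcript.append(("QUIT", "221 2.0.0 Bye"))
    s.accepted = True

    if not exists and mail_from != "<>":
        # Accept-then-bounce: the NDR goes to whatever MAIL FROM claimed.
        # A message whose sender is already <> is never bounced (RFC 5321),
        # otherwise two such servers would loop bounces at each other.
        s.ndrs.append(("<>", mail_from, "5.1.1"))
    return s


def backscatter_count(spoofed_senders, target, reject_at_rcpt):
    """How many NDRs this server would emit for a spam run aimed at `target`."""
    return sum(len(receive(f"<{snd}>", f"<{target}>", reject_at_rcpt).ndrs)
               for snd in spoofed_senders)


if __name__ == "__main__":
    # Constructed victims whose addresses the spammer forges as FROM:.
    victims = ["alice@example.net", "bob@example.org", "carol@example.com"]
    target = "youdonotexist@madtownengineer.com"   # address from the post
    print("accept-then-bounce NDRs sent:", backscatter_count(victims, target, False))
    print("reject-at-RCPT NDRs sent:    ", backscatter_count(victims, target, True))
    for client, reply in receive("<alice@example.net>", f"<{target}>", True).transcript:
        print(f"C: {client}\n   S: {reply}")
```

The transcript printed for the reject-at-RCPT case is the exchange the post describes: the 550 goes back to the sending server before any DATA is accepted, so there is nothing for your side to bounce, and a spammer who forged the FROM: gets no free delivery out of you.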

About Mike

owner of blog
This entry was posted in Exchange.
