NDRs and Viruses

I received an e-mail from my T-1 provider stating "A host (my domain ip) 
within your IP block appears to be the source of an email containing the 
virus: 
Worm.Sober.U.  

The email address listed in the from field in messages sent by most viruses 
is generally spoofed.  Please ensure that your mail server is not sending a 
virus notification or NDR (non delivery report) to this address as these 
methods can be used directly or indirectly to propagate email viruses."

I have determined that it is indeed an NDR report being generated causing the 
issue.  I also notice that when I do a scan of my Exchange server, in the 
"D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue" folder there are messages 
that are infected that are not being deleted before going out (the NDR 
message to be exact).  As a result I set Sender ID filtering to delete and 
set the SMTP Virtual Server to use it.  Now my question is, will this stop 
the NDR messages or is there more I have to do?

From what I can tell an infected message is sent to a non-existent user on 
my domain, so an NDR is generated with the original message attached, replying 
to the sender (probably spoofed) telling them it was undeliverable.  

Have I done the right thing? Enough?
Ed4190
12/2/2005 7:33:06 PM

Actually this will probably not help you much.  Your SenderID 
configuration will only help if the domain that sends you the message 
provides an SPF record.  What you could do is configure Exchange to not 
accept messages unless the account actually exists.  This is a little 
different from a normal configuration as Exchange would accept all messages 
destined for your mail domain.  Once Exchange accepts a message it will then 
attempt to find the mail account to deliver the message to.  If Exchange is 
unable to find a mail account it will generate an NDR.  Exchange gives you 
two configuration options for changing this behavior.  The first and 
simplest approach is to simply prevent Exchange from sending NDRs.  This is 
not a very good solution as a legitimate e-mail that is incorrectly 
addressed will not provide any feedback to the person that sent the message. 
The second option is to configure Exchange to check e-mail accounts when 
another mail server is attempting to send the message.  Exchange can be 
configured to do a lookup as soon as another mail server connects.  Instead 
of Exchange blindly accepting all messages for your domain it will check to 
see if the e-mail address actually exists.  If the account does exist 
Exchange will accept the message and everything in the transaction will 
continue normally.  If the account does not exist Exchange will immediately 
respond with a "550 5.1.1 User unknown" response.  This will provide 
immediate feedback to the sender that the e-mail account does not exist and 
Exchange will never bring the message in.  This should basically prevent 
your mail server from ever needing to send an NDR while still providing 
feedback to real users.  Take a look at the following couple of articles as 
they explain configuration pretty well.

Sean

How to configure connection filtering to use Realtime Block Lists (RBLs) and 
how to configure recipient filtering in Exchange 2003
http://support.microsoft.com/kb/823866/
SMTP tar pit feature for Microsoft Windows Server 2003
http://support.microsoft.com/?kbid=842851

"ed" <ed@discussions.microsoft.com> wrote in message 
news:3F9452CC-784B-42B0-9067-930AF529F85B@microsoft.com...
>I received an e-mail from my T-1 provider stating "A host (my domain ip)
> within your IP block appears to be the source of an email containing the
> virus:
> Worm.Sober.U.
>
> The email address listed in the from field in messages sent by most viruses
> is generally spoofed.  Please ensure that your mail server is not sending a
> virus notification or NDR (non delivery report) to this address as these
> methods can be used directly or indirectly to propagate email viruses."
>
> I have determined that it is indeed an NDR report being generated causing the
> issue.  I also notice that when I do a scan of my Exchange server, in the
> "D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue" folder there are messages
> that are infected that are not being deleted before going out (the NDR
> message to be exact).  As a result I set Sender ID filtering to delete and
> set the SMTP Virtual Server to use it.  Now my question is, will this stop
> the NDR messages or is there more I have to do?
>
> From what I can tell an infected message is sent to a non-existent user on
> my domain, so an NDR is generated with the original message attached, replying
> to the sender (probably spoofed) telling them it was undeliverable.
>
> Have I done the right thing? Enough? 


Sean
12/2/2005 9:07:15 PM
"ed" <ed@discussions.microsoft.com> wrote:

[ snip ]

>message to be exact).  As a result I set Sender ID filtering to delete and 
>set the SMTP Virtual Server to use it.  Now my question is, will this stop 
>the NDR messages or is there more I have to do?

No, it won't. NDRs are sent because you've accepted a message you
cannot deliver. The way to stop this is to stop accepting messages for
addresses that don't exist in your directory.

>From what I can tell an infected message is sent to a non-existent user on 
>my domain, so an NDR is generated with the original message attached, replying 
>to the sender (probably spoofed) telling them it was undeliverable.  
>
>Have I done the right thing? 

Yes, but not for this problem! :)

>Enough?

No. Enable "Recipient Filtering" and check the box that says not to
accept messages for addresses that don't exist in your directory.

The only NDRs you'll send after that are for messages that are too
large for an individual mailbox, for full mailboxes, etc.


-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
richnews
12/3/2005 3:49:49 PM
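Both replies make the same point: the bounce goes to the envelope sender, which the worm spoofs, so the only fix is to refuse unknown recipients during the SMTP session instead of accepting and bouncing. The following added example (constructed model, not Exchange code or anything from this thread) simulates an inbound server under the two policies over a small constructed batch of messages and shows which addresses end up receiving NDRs; the directory, addresses and sizes are all made up.

```python
from dataclasses import dataclass, field

# Constructed directory for the receiving domain: mailbox -> free quota in bytes.
# "full@example.com" exists but has no room, so delivery to it fails after acceptance.
DIRECTORY = {"ed@example.com": 10_000_000, "full@example.com": 0}

@dataclass
class Message:
    mail_from: str   # envelope sender: the address any NDR is sent to, spoofed or not
    rcpt_to: str     # recipient presented at RCPT TO
    size: int        # message size in bytes

@dataclass
class Outcome:
    rcpt_responses: list = field(default_factory=list)  # SMTP reply given at RCPT TO
    ndrs_sent_to: list = field(default_factory=list)    # addresses our server bounces to
    delivered: list = field(default_factory=list)       # mailboxes that got the message

def deliver(msg: Message, out: Outcome) -> None:
    """Local delivery after the message has been accepted. Any failure here is
    ours to report, so it produces an NDR to the envelope sender."""
    quota = DIRECTORY.get(msg.rcpt_to)
    if quota is None:
        out.ndrs_sent_to.append(msg.mail_from)  # user unknown, discovered too late
    elif msg.size > quota:
        out.ndrs_sent_to.append(msg.mail_from)  # mailbox full or message too large
    else:
        out.delivered.append(msg.rcpt_to)

def receive(messages, recipient_filtering: bool) -> Outcome:
    """Process a batch of inbound messages under one of the two policies."""
    out = Outcome()
    for msg in messages:
        if recipient_filtering and msg.rcpt_to not in DIRECTORY:
            # Refuse during the SMTP session: the sending server, not us,
            # is now responsible for telling its user the address was bad.
            out.rcpt_responses.append("550 5.1.1 User unknown")
            continue
        out.rcpt_responses.append("250 2.1.5 Recipient OK")
        deliver(msg, out)
    return out

# Constructed sample traffic: a worm using a spoofed sender to hit a nonexistent
# user, a mistyped address from a real correspondent, a message to the full
# mailbox, and one normal delivery.
SAMPLE = [
    Message("victim@innocent.example", "nonexistent@example.com", 40_000),
    Message("colleague@partner.example", "edd@example.com", 2_000),
    Message("colleague@partner.example", "full@example.com", 2_000),
    Message("colleague@partner.example", "ed@example.com", 2_000),
]

if __name__ == "__main__":
    for filtering in (False, True):
        out = receive(SAMPLE, filtering)
        print(f"recipient filtering={filtering}: NDRs to {out.ndrs_sent_to}, "
              f"RCPT replies {out.rcpt_responses}")
```

With filtering off, the spoofed "victim" address receives a bounce it never asked for (the backscatter the ISP complained about); with filtering on, the only NDR left is the full-mailbox case, which matches what Rich describes.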