I will first of all admit to not being the biggest Exchange expert on the
block so if I'm wrong I apologize.
In Exchange 5.5 (which we use) you can turn off NDR reports. In fact, under
the CONNECTIONS and then the Internet Mail Service there's a tab labelled
Internet Mail.
Under that is a button labelled Notifications which appears to allow an
administrator to designate when NDRs should be generated. There are five
options:
- invalid address
- Multiple matches for email address
- Destination host not found
- Protocol error occurred
- Message timeout exceeded.
Is this not the case in Exchange 2000 and 2003?
Just as an FYI (if pertinent) our emails all go through a security firm that
has their email servers spread out geographically across the US which filter
and monitor email. Those emails come through our router, hit their
firewall/DMZ located on our site and from there it goes to our internal
Exchange server. While we still use ScanMail on our Exchange server its
number of positive hits has fallen off dramatically (maybe one a month at
most) after we started using this third party.
If an internal user sends an email outside of our network (to the Internet)
it goes from the internal server and is forwarded to the firewall which then
passes it onto the internet. Which means (if I have the terminology
correct), the firewall is a relay for our internal mailbox.
-Jamie
North Dallas Bank
-----Original Message-----
From: Thor [mailto:thor (at) hammerofgod (dot) com]
Sent: Friday, November 14, 2003 10:32 AM
To: Tom Burns; focus-ms (at) securityfocus (dot) com
Subject: Re: Exchange question :VSMail mx4
>One thing that was brought up is that NDR's can be used to relay (the
>spammer uses NDR's to forward the message content by using the mail
>from: email (at) address (dot) com) I think that we will be seeing more of this
>type of relaying going on- it sends a message back to the address in the
>from block.
>
>Anyone set up a double SMTP setup in their network? I.e. Exchange only
>receives messages from the 2nd SMTP that is out on the net and the 2nd
>server relays the message internally from the outside?
I've got a similar setup to what you describe above (with ISA and SMTP
filtering thrown in the mix) but that won't keep the NDR's from being sent
back. Unless I miss something in your setup... One would basically use
smart host delivery for all mail, or depending on the gateway features, DNS
for some domains and smarthost for others, but the NDR would go out unless
you have an option not to send one.
For Exchange, you can turn this off by going into SysMan, Global Settings,
Internet Message Formats, select the properties of the default rule, and
clear "allow non-delivery reports."
NDR's had a place, but these days, I really question their effectiveness any
more. Most don't resolve to a valid email (spam) and even in the case of a
spammer using the NDR to deliver the message, the email body is in the form
of an EML attachment, which would have to be manually opened. I just turn
it off when I can.
That being said, I have not seen a way to turn off NDR's altogether via the
standard IIS SMTP service. If anyone has a reg hack for that, it would be
great. Since Win2k3 now has a POP3 service (a bit ghetto, but quite
functional) it is easy to set up and configure a pretty cool mail solution
right out of the box. However, one is only using the SMTP service, and you
just can't turn NDR's off (that I know of.)
t
------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
and use priority code SF4.
------------------------------------------------------------------------
---
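An added example, not part of the original thread: a log check for the NDR relaying described in the quoted message. It groups NDRs by the connecting host whose undeliverable mail triggered them, so a host driving bounces to many different claimed senders stands out. The log format, field names, addresses and threshold are constructed for illustration and are not the layout of Exchange or IIS SMTP logs.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format): IN = message accepted from a
# client, NDR = non-delivery report generated for the inbound message in "ref".
SAMPLE_LOG = """\
2003-11-14T10:01:02 IN id=A1 client=192.0.2.10 from=<alice@example.net> to=<nouser1@corp.example>
2003-11-14T10:01:03 NDR id=N1 ref=A1 from=<> to=<alice@example.net> reason=invalid-address
2003-11-14T10:01:04 IN id=A2 client=192.0.2.10 from=<bob@example.org> to=<nouser2@corp.example>
2003-11-14T10:01:05 NDR id=N2 ref=A2 from=<> to=<bob@example.org> reason=invalid-address
2003-11-14T10:01:06 IN id=A3 client=192.0.2.10 from=<carol@example.com> to=<nouser3@corp.example>
2003-11-14T10:01:07 NDR id=N3 ref=A3 from=<> to=<carol@example.com> reason=invalid-address
2003-11-14T10:02:00 IN id=B1 client=198.51.100.7 from=<dave@example.net> to=<jamei@corp.example>
2003-11-14T10:02:01 NDR id=N4 ref=B1 from=<> to=<dave@example.net> reason=invalid-address
"""


def parse(line):
    """Split 'TIME KIND key=value ...' into a dict of fields."""
    time, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(time=time, kind=kind)
    return rec


def ndr_sources(log_text, min_targets=3):
    """Map each connecting client to the distinct addresses that received an
    NDR because of its mail; keep clients with at least min_targets of them."""
    inbound_client = {}          # inbound message id -> connecting client IP
    targets = defaultdict(set)   # client IP -> set of NDR recipient addresses
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["kind"] == "IN":
            inbound_client[rec["id"]] = rec["client"]
        elif rec["kind"] == "NDR" and rec["from"] == "<>":
            # NDRs carry the null reverse-path; "to" is the claimed sender
            # of the original message, which may be forged.
            client = inbound_client.get(rec["ref"], "unknown")
            targets[client].add(rec["to"].strip("<>").lower())
    return {c: sorted(t) for c, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for client, addrs in ndr_sources(SAMPLE_LOG).items():
        print(f"{client} triggered NDRs to {len(addrs)} distinct addresses: {addrs}")
```

A single client that makes the server bounce to several unrelated addresses is the pattern to review; one mistyped recipient from a real correspondent stays under the threshold.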