Blocking Msgs with Null Sender, Exch 5.5


JayDubb
09-18-2002, 08:38 PM
This week our server has been flooded with messages, to the point of crippling it. The flood has 2 characteristics.

1. Messages are being sent to every possible character combination at our domain (aaa@domain, aab@domain, aac@domain, etc.) and the server is accepting mail even for these bogus addresses. With 8 char usernames, that is 26^8 address combinations per domain-- a huge flood.

2. Each message is addressed with a null "<>" sender. When the server realizes all these bogus recipients do not exist, it then tries to bounce the message, which of course is impossible since there is no From: address.

We're filtering several netblocks from the worst spammers at our router which has cut the flood significantly. However, there are still miscellaneous servers continuing the flood, and identifying them has proven to be difficult.

My questions:

1. Is there a way to prevent the server from accepting messages for users that do not exist? I thought this was supposed to be the default behavior, but ours is accepting all inbound mail for our domain, even if the user name is bogus-- i.e., accept it, then bounce it if the user does not exist.

2. Is there a way to completely reject incoming mail if the sender is null "<>"?

I'd be thankful for any good advice!
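As an added example (not code from this thread or from Exchange), here is a small Python script that models the two points raised above: a log scan over constructed sample lines (a simplified "ip sender recipient status" format, not the real IMC log layout) that flags sources sending null-sender mail to many nonexistent recipients, and an RCPT-time check that rejects unknown users with a 550 instead of accepting and bouncing.

```python
"""Model the null-sender / bogus-recipient flood described in the post."""
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real Exchange output):
# "<source ip> <envelope sender> <recipient> <status>"
SAMPLE_LOG = """\
198.51.100.7 <> aaa@example.com unknown-user
198.51.100.7 <> aab@example.com unknown-user
198.51.100.7 <> aac@example.com unknown-user
198.51.100.7 <> aad@example.com unknown-user
198.51.100.7 <> bob@example.com delivered
203.0.113.9 alice@partner.test bob@example.com delivered
203.0.113.9 <> carol@example.com delivered
192.0.2.21 <> zzz@example.com unknown-user
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ip, sender, rcpt, status = line.split()
    return {"ip": ip, "sender": sender, "rcpt": rcpt, "status": status}


def find_harvest_sources(log_text, min_unknown=3):
    """Return {ip: distinct_unknown_recipients} for sources that sent
    null-sender ("<>") mail to at least `min_unknown` different nonexistent
    users: the dictionary-style pattern from the post. Legitimate bounces
    also use "<>" but go to real mailboxes, so they are not flagged."""
    unknown_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["sender"] == "<>" and rec["status"] == "unknown-user":
            unknown_by_ip[rec["ip"]].add(rec["rcpt"].lower())
    return {ip: len(r) for ip, r in unknown_by_ip.items() if len(r) >= min_unknown}


def rcpt_response(valid_users, recipient):
    """Model of the behaviour asked for in question 1: answer RCPT TO for an
    unknown local user with 550 during the SMTP session, so the message is
    never accepted and no NDR has to be generated to an empty return path."""
    local_part = recipient.split("@", 1)[0].lower()
    if local_part in valid_users:
        return "250 OK"
    return "550 No such user here"
```

Rejecting every null-sender message outright would also block legitimate delivery status notifications, which use the "<>" reverse path by design; validating recipients at RCPT time stops the NDR storm without that cost.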

Andrew Hall
10-22-2002, 03:30 AM
Under Routing in the IMC, make sure you have all mail routed to your domain as inbound, and then under the Routing Restrictions button check the tick box to only allow e-mail from these IP addresses. Then don't put any address in.

This stops the Exchange server generating an NDR but does not stop the traffic attempting to connect to the SMTP server.

Check out these links below for more details.

http://www.slipstick.com/exs/relay.htm
http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=7696
