June 11, 2004

Reverse NDR

One nasty form of spamming that’s being used more and more is the Reverse NDR attack. This is where a spammer manages to use your e-mail server as a relay even though you’ve got relaying closed down. Here’s how it works: the spammer sends a message to a bogus user at your domain and spoofs the From: line with the address of the person they actually want to reach. Your server sees the bogus address and sends an NDR back to the “sender”. But in this case the sender is the actual target, and they end up getting an NDR, from you, with the spammer’s message attached.

Through this forum thread I found an entry in GFI’s knowledge base that explains how to block this kind of attack in Windows. You need to have Exchange 2003, which has a way to make the server accept only messages addressed to an existing user in Active Directory. Any mail sent to a bogus address gets a 550 error during the SMTP session and doesn’t generate an NDR. I’ll reprint the directions here:

Accepting emails only for valid email addresses in your domain can only be done if you are using Exchange 2003. Previous versions of Exchange server did not have this functionality.

Please follow this procedure to enable Exchange server 2003 to allow emails only for valid recipients:

A. Enable filtering for recipients which are not found in Active Directory.

  1. Open Exchange System Manager -> Global Settings -> right-click on Message Delivery and choose Properties.
  2. Change to the “Recipient Filtering” tab.
  3. Enable the option “Filter recipients who are not in the Directory”.
  4. Click OK to close the window and save your changes.

B. Enable the recipient filter on the SMTP Virtual Server. This will only need to be enabled on the SMTP virtual server that is receiving emails from the internet.

  1. Open Exchange System Manager -> Administrative Groups -> Administrative Group Name -> Servers -> Protocols -> SMTP.
  2. Right-click on the SMTP Virtual Server and select Properties.
  3. On the “General” tab click the “Advanced…” button.
  4. Choose the IP binding that is listening on the Internet. Click the “Edit…” button.
  5. Enable the option “Apply Recipient Filter”.
  6. Click OK through all the windows to save your changes.

When someone tries to send an email to a user that does not exist in your Active Directory domain, they will receive the error:
550 5.5.1 User unknown

The email is not received by Exchange server, since the error is given during the SMTP transmission.

NOTES:

  1. Enabling Exchange server to refuse connections for emails that are destined to non-existent email addresses can allow spammers to build a list of valid email addresses in your domain.
  2. Recently spammers have been trying to send emails to invalid email addresses. These will result in an NDR; however, since the FROM email address of the original email would be the spammer’s target, the NDR would be sent to the spammer’s target. Enabling the above setting will help decrease these emails.

This will save your Exchange Server from being used as a relay, at least until they come up with another new technique that needs to be worked around.
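To make the difference concrete, here is an added Python simulation (mine, not from the original post or GFI’s knowledge base) of how the receiving server answers RCPT TO for a bogus local address with and without recipient filtering; the domain, mailbox list and addresses are constructed sample data.

```python
# Added example, not from the original post or the GFI knowledge-base entry.
# Simulates a receiving mail server handling RCPT TO for a bogus local address,
# with and without recipient filtering, to show why filtering stops the
# reverse-NDR (backscatter) problem. Directory and messages are constructed.
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = "example.com"
# Constructed stand-in for the mailboxes that exist in Active Directory.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


@dataclass
class Envelope:
    mail_from: str   # envelope sender; the spammer puts the victim's address here
    rcpt_to: str     # envelope recipient; a made-up user at our domain


@dataclass
class Outcome:
    rcpt_reply: str                    # SMTP reply returned to RCPT TO
    ndr_sent_to: Optional[str] = None  # who later receives a bounce, if anyone


def handle_rcpt(env: Envelope, recipient_filter: bool) -> Outcome:
    """Decide what the server does with one RCPT TO command."""
    if env.rcpt_to.split("@")[-1].lower() != LOCAL_DOMAIN:
        # Relaying for foreign domains is already closed in both configurations.
        return Outcome("550 5.7.1 Unable to relay")
    if env.rcpt_to.lower() in VALID_RECIPIENTS:
        return Outcome("250 2.1.5 Recipient OK")
    if recipient_filter:
        # Filtered: rejected inside the SMTP session; the message is never
        # accepted, so there is nothing to bounce and no NDR is generated.
        return Outcome("550 5.5.1 User unknown")
    # Unfiltered: accepted now, fails on delivery, and the NDR (with the
    # spammer's message attached) goes to the spoofed envelope sender.
    return Outcome("250 2.1.5 Recipient OK", ndr_sent_to=env.mail_from)


def backscatter_victim(env: Envelope, recipient_filter: bool) -> Optional[str]:
    """Address that ends up receiving an NDR for this envelope, or None."""
    return handle_rcpt(env, recipient_filter).ndr_sent_to


if __name__ == "__main__":
    spam = Envelope(mail_from="victim@other.example", rcpt_to="nosuchuser@example.com")
    for filtering in (False, True):
        out = handle_rcpt(spam, filtering)
        print(f"filter={filtering}: RCPT TO -> {out.rcpt_reply}; NDR to {out.ndr_sent_to}")
```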

Filed under The Computer Vet Weblog
