Microsoft KB Archive/909005

= In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack =

Article ID: 909005

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Server Standard Edition

-





SYMPTOMS
On a server that is running Microsoft Exchange Server 2003 or Microsoft Exchange 2000 Server, you experience one or more of the following symptoms:

 * The Microsoft Exchange Server queues contain many outgoing messages that are waiting to be delivered to external addresses. Each of these e-mail messages has the postmaster address of your domain in the From field.
 * Your Internet service provider (ISP) notifies you that the Exchange Server server is delivering unsolicited commercial e-mail (UCE). UCE is also known as spam.
 * When you visit the Internet from the Exchange Server server or from a computer that is on the local area network (LAN), Internet access is very slow.
 * The Store.exe process and the Inetinfo.exe process use lots of CPU time and lots of available memory. If you stop the Simple Mail Transfer Protocol (SMTP) service, Internet access times are faster. Additionally, the Store.exe process and the Inetinfo.exe process return to their typical levels of CPU usage and memory usage.
 * The drive that contains the BadMail folder runs out of space. By default, the BadMail folder is located in the following folder.

For Exchange Server 2003

C:\InetPub\Mailroot\

For Exchange 2000 Server

C:\Program Files\Exchsrvr\Mailroot\vsi 1




CAUSE
This issue occurs if the server is the target of a reverse non-delivery report (NDR) attack.


RESOLUTION
To resolve this issue, create a recipient filter to prevent Exchange Server from accepting messages that are sent to recipients who do not exist. To do this, follow these steps.

Step 1: Determine whether the messages in the queues are NDR messages

 * 1) Start Exchange System Manager.
 * 2) Expand Servers, expand the Exchange Server server, and then click Queues.
 * 3) In the right pane, click a queue that contains many messages, click Find messages, and then click Find Now.
 * 4) View the Sender field of the returned items. If the sender of the message is the postmaster address of your domain, the message is an NDR message. Double-click the message to view the external recipient of this message.

Follow steps 3 through 4 to view the messages in the other SMTP queues. If most of the messages are from the postmaster address of your domain, you may be experiencing a reverse NDR attack. If most of these messages are not from the postmaster address, the computer may be configured as an SMTP open relay, or the computer may be the target of an authenticated relay attack (an attacker relaying mail through an account whose credentials have been guessed or stolen). For more information about how to resolve those issues, click the following article number to view the article in the Microsoft Knowledge Base:

895853 How to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server

If the computer is configured as an open SMTP relay, or if the computer is the target of an authenticated relay attack, you do not have to continue to the "Step 2: Configure recipient filtering in Exchange Server 2003" section; follow article 895853 instead. However, if the computer is the target of a reverse NDR attack, create a recipient filter to prevent the Exchange Server 2003 server from accepting messages that are sent to recipients who do not exist. To do this, continue to the "Step 2: Configure recipient filtering in Exchange Server 2003" section.
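The decision rule in Step 1 (mostly postmaster-originated messages bound for external addresses means a reverse NDR attack, mostly ordinary senders means relay abuse) can be applied mechanically to a queue listing. The following is an added example, not code from the KB article: it parses a constructed tab-separated export of sender, recipient and queue name, of the kind you would transcribe from the Find Messages results, and returns the verdict together with the addresses the spammer is really trying to reach. The domain example.com and the sample rows are assumptions for the demonstration.

```python
"""Queue triage for Step 1: is the backlog reverse-NDR traffic or relay abuse?

Added example, not from the KB article. The input is a constructed
tab-separated export (sender, recipient, queue); the decision rule is the
one in Step 1: mostly NDRs bound for external addresses means a reverse
NDR attack, mostly ordinary senders means relay abuse (KB 895853).
"""
from collections import Counter

LOCAL_DOMAIN = "example.com"   # assumed: substitute your accepted domain

# Constructed sample: five NDRs and one legitimate outbound message.
# The queue viewer shows NDRs from postmaster@<domain>; on the wire a DSN
# carries the null reverse path "<>", so both are treated as NDR senders.
SAMPLE_EXPORT = """\
postmaster@example.com\tjane@target-a.net\ttarget-a.net
postmaster@example.com\tbob@target-b.org\ttarget-b.org
<>\tjane@target-a.net\ttarget-a.net
postmaster@example.com\tsam@target-c.com\ttarget-c.com
postmaster@example.com\tjane@target-a.net\ttarget-a.net
alice@example.com\tpartner@vendor.example\tvendor.example
"""


def parse_export(text):
    """Turn the tab-separated export into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sender, recipient, queue = (f.strip() for f in line.split("\t"))
        rows.append({"sender": sender, "recipient": recipient, "queue": queue})
    return rows


def domain_of(address):
    return address.strip("<>").rpartition("@")[2].lower()


def is_ndr_sender(sender):
    s = sender.strip().lower()
    return s in ("<>", "") or s == f"postmaster@{LOCAL_DOMAIN}"


def triage(rows, threshold=0.5):
    """Return counts, the NDR share of the external backlog, and a verdict."""
    external = [r for r in rows if domain_of(r["recipient"]) != LOCAL_DOMAIN]
    ndrs = [r for r in external if is_ndr_sender(r["sender"])]
    share = len(ndrs) / len(external) if external else 0.0
    if not external:
        verdict = "no external backlog"
    elif share > threshold:
        verdict = "reverse NDR attack: enable recipient filtering (Step 2), then clean the queues (Step 3)"
    else:
        verdict = "relay abuse suspected: open relay or authenticated relay, see KB 895853"
    return {
        "external": len(external),
        "ndrs": len(ndrs),
        "ndr_share": round(share, 2),
        "verdict": verdict,
        # the spoofed senders, i.e. who the spammer is really trying to reach
        "top_targets": Counter(r["recipient"] for r in ndrs).most_common(3),
        "queues": Counter(r["queue"] for r in external).most_common(3),
    }


if __name__ == "__main__":
    for key, value in triage(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key:>11}: {value}")
```

The top_targets list is worth keeping: those external addresses are the people your postmaster has been spamming, and the ISP complaint in the Symptoms section will usually name some of them.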

Step 2: Configure recipient filtering in Exchange Server 2003
In the default Exchange Server configuration, e-mail that is sent to your domain is accepted as local regardless of the e-mail alias to which the message is addressed. The e-mail alias is the part of the e-mail address that is on the left side of the @ (at sign). If an e-mail message is sent to an alias that is not valid, the SMTP service still receives the whole message. Only then does the SMTP service query the Active Directory directory service for a user or distribution group that has a matching e-mail alias. If the e-mail alias does not exist, Exchange Server tries to send an NDR to the original e-mail message sender. Because the sender address in such a message is forged, this can cause many messages, queues, or both to appear in Exchange System Manager.

After you enable recipient filtering, Exchange Server validates the recipient address against Active Directory during the SMTP session, before it accepts the e-mail message. If no match for the e-mail alias appears in Active Directory, the recipient is rejected and an NDR is still generated. However, in this scenario it is the responsibility of the sending SMTP server, not the Exchange Server server, to generate and to deliver the NDR, so nothing is queued on your server and nothing leaves it from the postmaster address.

Note Recipient filtering is only available in Exchange Server 2003.

 * 1) Start Exchange System Manager.
 * 2) Expand Global Settings, right-click Message Delivery, and then click Properties.
 * 3) Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
 * 4) When you receive the following message, click OK:

Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information about how to enable any one or more of these filtering types, read their associated help.

 * 5) Expand Servers, expand the Exchange Server server, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
 * 6) On the General tab, click Advanced.
 * 7) Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.

Note If you are running Exchange Server in a front-end/back-end environment, recipient filtering must be enabled on the SMTP bridgehead server or servers.

After you enable recipient filtering, the Exchange Server server answers differently for valid and for invalid recipients during the SMTP session. An attacker can use this difference to gather information about the valid e-mail addresses in your organization by trying many recipient addresses in turn. This technique is known as a Directory Harvest Attack. For more information about how to help prevent this kind of attack, click the following article number to view the article in the Microsoft Knowledge Base:

842851 SMTP tar pit feature for Microsoft Windows Server 2003

Step 3: Clean up the Exchange Server queues
Remove the UCE from the SMTP queues on the computer. To do this, follow these steps.

Warning During this process, all messages that are destined for external SMTP recipients are deleted. Internal e-mail messages and incoming e-mail messages from the Internet are not affected. These settings are temporary. The typical mail flow is restored after the Exchange Server SMTP queues are cleaned up.

 * 1) Start the Server Management tool.
 * 2) Expand Advanced Management, expand the Exchange organization, and then click Connectors.

Note This procedure requires an SMTP connector.

 * 3) Use one of the following methods:
   * If the Exchange Server server does not have an SMTP connector, you must create one. To create an SMTP connector, follow these steps:
     * a) Right-click Connectors, point to New, and then click SMTP Connector.
     * b) In the Name box, type temporary smtp connector.
     * c) Click Add, click the Exchange Server server in the Server list, and then click OK.
     * d) Click the Address Space tab, and then click Add.
     * e) Click SMTP, click OK, leave the asterisk in the E-mail domain box, and then click OK.
     * f) Click the General tab.
   * If the Exchange Server server has an SMTP connector, you must modify the connector. To modify this connector, follow these steps:
     * a) Right-click this connector, and then click Properties.

Note If you have more than one SMTP connector, work with the one that contains an asterisk in the SMTP address space on the Address Space tab.

     * b) Click the General tab, and then note all the settings that are listed on this tab. You must restore these settings after you clean out the Exchange Server queues.
 * 4) Click Forward all mail through this connector to the following smart hosts, type an IP address that is not valid, and then enclose it in square brackets. For example, type [99.99.99.99]. Choose an address that will never accept a connection on TCP port 25: an address from the documentation range reserved in RFC 5737, such as [192.0.2.1], is guaranteed not to be routed on the Internet, whereas 99.99.99.99 is an ordinary public address today.
 * 5) Click the Delivery Options tab, and then click Specify when messages are sent through this connector.
 * 6) In the Connection time list, click Run daily at 11:00 PM, and then click OK.
 * 7) In the left pane of the Server Management tool, expand Servers, expand the Exchange Server server, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Stop.
 * 8) When the default SMTP virtual server has successfully stopped, right-click Default SMTP Virtual Server, and then click Start.
 * 9) After the default SMTP virtual server has successfully started, wait for about 10 minutes.

Note When you restart the default SMTP virtual server, it re-enumerates the e-mail messages and puts them in a single queue for the SMTP connector that you configured.

 * 10) In the left pane of the Server Management tool, expand Servers, expand the Exchange Server server, and then click Queues.
 * 11) Note the total number of messages that appear next to the SMTP connector that you configured. This number of messages must stabilize so that you can remove all the e-mail messages at the same time.
 * 12) Every 15 minutes, right-click Queues, and then click Refresh.
 * 13) Repeat step 12 until the number of messages in the SMTP connector queue remains constant.
 * 14) In the right pane, right-click the SMTP queue, and then click Find messages.
 * 15) In the Number of messages to be listed in the search list, click a number that lets you remove all the messages at the same time. For example, if you have 900 messages that you want to remove, click 1000 in the Number of messages to be listed in the search list.
 * 16) Click Find Now.
 * 17) In the Search Results list, select all the messages. To do this, click a message, and then press SHIFT+PAGE DOWN.
 * 18) Right-click the selected messages, and then click Delete (no NDR). Do not use Delete (with NDR): generating an NDR for each of these messages would send the UCE to the forged sender addresses all over again.
 * 19) When you receive the following message, click Yes:

Are you sure you want to delete messages in the queue?

Note If you are removing many messages, the removal process may take a long time.

 * 20) After the messages are successfully removed, close the Find Messages dialog box.
 * 21) Right-click Queues, and then click Refresh.
 * 22) Note the total number of messages that appear next to the SMTP connector that you configured. This number of messages must be zero.
 * 23) Repeat steps 21 and 22 about every 5 minutes to make sure that the SMTP queue remains at zero messages. If the number of messages in the SMTP queue increases, Exchange Server is still processing messages for external delivery. In this scenario, continue to update the display until the number of messages in the SMTP queue stabilizes.
 * 24) Repeat steps 14 through 23 until the number of messages in the SMTP queue remains at zero. At that point the Exchange Server SMTP queues have been cleaned of all the UCE.

After you have cleaned the Exchange Server SMTP queues, restore the SMTP connector configuration to its original settings. If you created a temporary SMTP connector, remove it. To do this, follow these steps:

 * 1) In the left pane of the Server Management tool, expand Connectors, right-click temporary smtp connector, and then click Delete.
 * 2) When you receive the following message, click Yes:

Are you sure you want to delete 'temporary smtp connector'?

Note After you modify or remove the SMTP connector, you must restart the SMTP virtual server for the change to take effect. For more information about relay-related causes of a full outbound queue, click the following article number to view the article in the Microsoft Knowledge Base:

895853 How to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server


MORE INFORMATION
People who send UCE to e-mail recipients have discovered a method to work around the e-mail filters that are built into many e-mail messaging systems. The people who send UCE take advantage of the delivery status notification functionality in the e-mail server. In a typical e-mail messaging system, an NDR delivery status notification message is generated when an e-mail message cannot be delivered, and this NDR message typically contains the content of the undeliverable message. This behavior follows the Request for Comments (RFC) standards for delivery status notifications (RFC 3461 and RFC 3464). Therefore, most messaging systems behave in this manner, and the NDR arrives from a legitimate mail server rather than from the spammer's system.

The person who sends UCE uses this NDR message to deliver UCE. This kind of UCE delivery is known as a reverse NDR attack. This kind of UCE delivery works in the following way:
 * 1) Unsolicited commercial e-mail is created by using the destination recipient's e-mail address in the Sender field of that e-mail message.
 * 2) A fictitious user name together with your domain name is added as the recipient of this e-mail message.
 * 3) This unsolicited commercial e-mail message is sent to your domain.
 * 4) Your e-mail server accepts this message because the message is addressed to your domain.
 * 5) Your e-mail server cannot deliver this message because the recipient does not exist.
 * 6) Your e-mail server generates an NDR and addresses it to the person who appears as the sender of the message. Because the person who sends the UCE put the intended recipient of the UCE in the Sender field, that external recipient is who receives the NDR.
 * 7) The NDR is sent to the external e-mail address from the postmaster address of your domain. This NDR may contain the original UCE message.
 * 8) The unsuspecting user reads this NDR together with the UCE message. The UCE has therefore been delivered to the external recipient who is listed in the Sender field of the original e-mail message, and it was delivered by your server, not by the spammer's.
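The eight-step sequence above and the Step 2 explanation of why recipient filtering stops it can both be replayed against a miniature SMTP server. The following is an added example, not code from the KB article or from Microsoft: a small in-memory server that models only the part of Exchange Server's behaviour that matters here (accept for the local domain, look the alias up in a directory, bounce from postmaster when the lookup fails), and the spammer's side of the session, run once with recipient filtering off and once with it on. The domain example.com, the directory of aliases, the target address and the message text are constructed for the demonstration.

```python
"""Reverse-NDR attack replayed against a miniature Exchange-style SMTP
server, with and without recipient filtering.

Added example; not code from the KB article or from Microsoft. Domain,
directory and message text are constructed. The server's "outbound" list
stands in for the SMTP queue that fills up during the attack.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                 # assumed: your accepted domain
DIRECTORY = {"alice", "bob", "postmaster"}   # assumed: aliases present in AD


@dataclass
class QueuedMessage:
    sender: str
    recipient: str
    body: str


@dataclass
class MiniExchange:
    """Just enough SMTP state to show where the recipient lookup happens."""
    recipient_filtering: bool
    outbound: list = field(default_factory=list)   # queue of mail for the Internet
    _mail_from: str = ""
    _rcpts: list = field(default_factory=list)
    _data: list = field(default_factory=list)
    _in_data: bool = False

    @staticmethod
    def _local_alias(path):
        local, _, domain = path.strip("<>").rpartition("@")
        return local.lower() if domain.lower() == LOCAL_DOMAIN else None

    def handle(self, line):
        """Process one client line; return the server reply (None inside DATA)."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                return self._deliver()
            self._data.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN} Hello"
        if verb == "MAIL":
            self._mail_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            path = arg.split(":", 1)[1].strip()
            alias = self._local_alias(path)
            if alias is None:
                return "550 5.7.1 Unable to relay"        # not an open relay
            if self.recipient_filtering and alias not in DIRECTORY:
                return "550 5.1.1 User unknown"            # rejected before DATA
            self._rcpts.append(path.strip("<>"))           # default: accept blindly
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 5.5.1 No valid recipients"
            self._in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 2.0.0 Closing"
        return "500 5.5.2 Command unrecognized"

    def _deliver(self):
        body = "\n".join(self._data)
        for rcpt in self._rcpts:
            if self._local_alias(rcpt) in DIRECTORY:
                continue                  # real mailbox: store delivery, not modelled
            # The lookup fails only now, after the whole message was accepted, so
            # this server must bounce it to the reverse path: the spoofed victim.
            self.outbound.append(QueuedMessage(
                sender=f"postmaster@{LOCAL_DOMAIN}",
                recipient=self._mail_from,
                body=f"Delivery to {rcpt} failed.\n\n--- Original message ---\n{body}",
            ))
        self._mail_from, self._rcpts, self._data = "", [], []
        return "250 2.6.0 Queued"


def run_attack(server, victim, bogus_alias, spam):
    """Play the spammer's side of the session; return (transcript, queued NDRs)."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append(f"C: {cmd}")
        if reply:
            transcript.append(f"S: {reply}")
        return reply or ""

    send("EHLO spammer.invalid")
    send(f"MAIL FROM:<{victim}>")                       # step 1: victim as sender
    send(f"RCPT TO:<{bogus_alias}@{LOCAL_DOMAIN}>")     # step 2: fictitious alias
    if send("DATA").startswith("354"):
        for line in ("Subject: buy now", "", spam, "."):
            send(line)
    send("QUIT")
    return transcript, list(server.outbound)


if __name__ == "__main__":
    for filtering in (False, True):
        log, ndrs = run_attack(MiniExchange(filtering), "jane@target.example", "zzq17", "CHEAP PILLS")
        print(f"\n== recipient filtering {'on' if filtering else 'off'} ==")
        print("\n".join(log))
        for n in ndrs:
            print(f"QUEUED NDR {n.sender} -> {n.recipient}:\n{n.body}")
```

With filtering off the transcript shows 250 at RCPT TO and a postmaster NDR carrying the spam queued for jane@target.example; with filtering on it shows 550 5.1.1 at RCPT TO, 503 at DATA and an empty queue. The same RCPT TO probe, typed over telnet to port 25 from outside your network with a made-up alias at your domain, is the practical check that the Apply Recipient Filter setting from Step 2 is in effect: 550 5.1.1 means it is, 250 means it is not. That probe is also exactly what a directory harvest attack automates, which is why the tar pit in article 842851 belongs alongside the filter.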

For more information about related topics, click the following article number to view the article in the Microsoft Knowledge Base:

823866 How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003

Keywords: KB909005

-


© Microsoft Corporation. All rights reserved.