Cry Exchange How To...
How to disable NDRs to prevent spam (RNDR)
When an email is sent to the Exchange server, if the recipient email address does not exist then a Non-Delivery Report (NDR) is generated by Exchange and sent to the sender. This behaviour is useful as it lets the sender know that their email has not been delivered.
Unfortunately some spammers can use this feature to use your server to send spam. The technique works by sending an email to your Exchange server for a bogus email address, but with the return address of the target the spammer wants to send their email to. The exchange server duly generates a NDR, and sends it to the return address - which is the address not of the spammer but the target the spammer wants to spam. The end result is that an unfortunate victim receives a NDR which when they open contains spam that your server has delivered on behalf of the spammer. A symptom of your server being used in this way is a large number of NDRs queued up for delivery. This spammer technique is known as Reverse NDR attack.
To avoid allowing your Exchange server to be taken advantage in this way by spammers, you can change the way Exchange processes emails. The out-of-the-box configuration for Exchange is for it to receive all emails, queue them for delivery and only when it fails to deliver an email does it generate an NDR. An alternative configuration forces Exchange to check the recipient email address when it first receives the email, returning an error to the sending server if the address is not recognised. Genuine senders will still receive an NDR but the responsibility for generating this shifts to the sending server. This configuration is known as "Recipient Filtering". To enable recipient filtering:
You should then be presented with a message box stating:
"Connection, Recipient, Sender ID, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default ..."
The second part of the configuration is to enable recipient filtering for the SMPT connection:
All incoming emails are now checked as soon as they are received.
A downside of this is that there is additional processing performed when emails are received. Normally this won't be noticeable, but might cause a problem for a very busy server.
These notes have been tested with Exchange Server 2003.
About the author: Brian Cryer is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.