Hi Danny,

Time for some Windows Network education for you. CIL...

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Tuesday, January 03, 2006 10:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation -
> Email found in subject
>
> http://www.ISAserver.org
>
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > I think you're mixing me and Dan up. I don't send NDRs.
>
> Let me quote your story:
>
> "The result was very interesting. It showed that two of my inbound
> SMTP spam whacking relays (inbound mail goes through four spam
> whacking/AV relays before hitting my Exchange Server -- I don't like
> putting Antispam/AV software on my Exchange Server because of the
> performance hit) were making thousands of requests for MX records. Now
> I asked myself the question "why would these relays make thousands of
> MX record requests"?
>
> The answer to that question was because the SMTP relays were trying to
> resolve the MX domain names of spammers, most of which are bogus.
> Since the Christmas season saw a big spike in spam coming into my
> network, there was a large spike in the number of MX requests for the
> NDRs"
>
> To me, this means that:
>
> 1) You have Exchange and IIS SMTP

I have two incoming SMTP relays that accept e-mail to my domains. They both forward to the first spam whacking/AV relay, which then sends to the second spam whacking/AV relay, which then sends to a third spam whacking/AV relay, which then forwards to the Exchange Server.

> 2) You accept email sent to non-existent recipients

Yes. Don't want to compromise my network's security posture just to reject mail from non-legit users.

> 3) Your IIS SMTP servers were trying to send NDRs to spammers' forged
> sender addresses

Yes, they were trying to, but since the ISA firewall didn't allow them outbound access to SMTP, no mail was actually sent out, but they did send DNS query requests for MX domain name resolution to my DNS resolvers.

> 4) Or if you do not have NDRs enabled, then A) You do not care to
> inform legitimate senders whether or not they sent an email to the
> correct address or B) You do care, and therefore a human spends time
> reading your SMTP logs looking for legitimate emails accidentally sent
> to the wrong address.

You can't turn off NDRs using IIS SMTP. No, I don't care if they know. They'll send it again if they need to contact me. Not all organizations have the same attitude, but it's worked for me for almost ten years.

>
> My mistake if I misunderstood this.

My mistake for not giving all the details, but I actually wrote the article to communicate how to troubleshoot a problem with network infrastructure that would have been otherwise attributed to the ISA firewall.

>
> > Not from any of the relays in my spam relay chain, or from
> > the Exchange Server.
>
> So, your SMTP servers accept everything and do not inform the sender
> of any recipient errors during the SMTP conversation.

The two SMTP servers receiving direct inbound connections do not send NDRs, but they do communicate with the sending SMTP server that they will not relay to domains that aren't one of them I'm hosting. NDRs have nothing to do with what takes place within the SMTP session itself. However, if the destination domain is correct, the sending SMTP server will not reject the message.

>
> > I see the wisdom in Dan's arguments and why he needs to
> > enable NDRs. I don't
> > have the same requirements in my deployments, so I don't send them.
>
> Right.
>
> > So, my scenario, the problem was with the IIS platform and its SMTP
> > service and the inability to turn off NDRs.
>
> OK, so you DO NOT send NDRs, yet with your IIS platform you *cannot*
> turn off NDRs. Let's get this straight, you have turned off NDRs on a
> platform that you *cannot* turn off NDRs. Cool.

I do not send NDRs because the SMTP servers don't know where to send them to, so they end up in the bad mail, which gets cleaned out with a scheduled job. I didn't say I turned them off, I said I don't send them.

HTH,
Tom

>
> ...D