Re: How I spent my Christmas vacation - Email found in subject

Hi Danny,

Time for some Windows Network education for you. CIL...

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx] 
> Sent: Tuesday, January 03, 2006 10:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - 
> Email found in subject
> 
> http://www.ISAserver.org
> 
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > I think you're mixing me and Dan up. I don't send NDRs.
> 
> Let me quote your story:
> 
> "The result was very interesting. It showed that two of my inbound
> SMTP spam whacking relays (inbound mail goes through four spam
> whacking/AV relays before hitting my Exchange Server -- I don't like
> putting Antispam/AV software on my Exchange Server because of the
> performance hit) were making thousands of requests for MX records. Now
> I asked myself the question "why would these relays make thousands of
> MX record requests"?
> 
> The answer to that question was because the SMTP relays were trying to
> resolve the MX domain names of spammers, most of which are bogus.
> Since the Christmas season saw a big spike in spam coming into my
> network, there was a large spike in the number of MX requests for the
> NDRs"
> 
> To me, this means that:
> 
> 1) You have Exchange and IIS SMTP
If have two incoming SMTP relays that accept e-mail to my domains. They
both forward to the first spam whacking/AV relay, which then sends to
the second spam whacking/AV relay, which then sends to a third spam
whacking/AV relay, which then forwards to the Exchange Server.


> 2) You accept email sent to non-existent recipients
Yes. Don't want to compromise my network's security posture just to
reject mail from non-legit users.



> 3) Your IIS SMTP servers were trying to send NDRs to spammers forged
> sender addresses
Yes, they were trying to, but since the ISA firewall didn't allow them
outbound access to SMTP, no mail was actually sent out, but they did
send DNS query request for MX domain name resolution to my DNS
resolvers.



> 4) Or if you do not have NDRs enabled, then A) You do not care to
> inform legitimate senders whether or not they sent an email to the
> correct address or B) You do care, and therefore a human spends time
> reading your SMTP logs looking for legitimate emails accidentally sent
> to the wrong address.
You can't turn off NDRs using IIS SMTP. No, I don't care if they know.
They'll send it again if they need to contact me. Not all organizations
have the same attitude, but its worked for me for almost ten years.


> 
> My mistake if I misunderstood this.
My mistake for not giving all the details, but I actually wrote the
article to communicate how to troubleshoot a problem with network
infrastructure that would have been otherwise attributed to the ISA
firewall.



> 
> > Not from any of the relays in my spam relay chain, or from 
> the Exchange Server.
> 
> So, your SMTP servers accept everything and does not inform the sender
> of any recipient errors during the SMTP conversation.
The two SMTP servers receiving direct inbound connections do not send
NDRs, but they do communicate with the sending SMTP server that they
will not relay to domains that aren't one of them I'm hosting.  NDRs
have nothing to do with what takes place within the SMTP session itself.
However, if the destination domain is correct, the sending SMTP server
will not reject the message.



> 
> >I see the wisdom in Dan's arguments and why he needs to 
> enable NDRs. I don't
> > have the same requirements in my deployments, so I don't send them.
> 
> Right.
> 
> > So, my scenario, the problem was with the IIS platform and its SMTP
> > service and the inablity to turn off NDRs.
> 
> OK, so you DO NOT send NDRs, yet with your IIS platform you *cannot*
> turn off NDRs.  Lets get this straight, you have turned off NDRs on a
> platform that you *cannot* turn off NDRs.  Cool.
I do not send NDRs because the SMTP servers don't know where to send
them to, so they end up in the bad mail, which gets cleaned out with a
scheduled job. I didn't say I turned them off, I said I don't send them.

HTH,
Tom



> 
> ...D
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 


Other related posts: