RE: RES: RE: RES: NDR attack

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 9 Aug 2004 09:17:40 -0700

That is what I meant. Exchange should never have accepted those NDR's in the
first place. This is called Exchange first accepting all then sending NDR
for non-existent. I believe there is a way to configure Exchange to only
accept for actual users. Also, a "gateway" in front of Exchange can be
configured with known users to not accept from non-existent users.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Monday, August 09, 2004 8:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: NDR attack

 

http://www.ISAserver.org

No, No.. he did have protection. But the NDR's came in such a massive
quantity that his DSL couldn't manage so many NDR's coming, even though his
server was blocking them all and throwing them at the badmail folder. His
disk space reached zero in an hour or so.

 

Impressive!

 

Tiago de Aviz

SoftSell

(41) 340-2363

www.softsell.com.br <http://www.softsell.com.br/>

 

This message, including its attachments, is confidential and its content is
restricted to the recipient of the message. If you have received this
message in error, please return it to the recipient and delete it from your
files. Any unauthorized use, replication or dissemination of this message or
part of it is expressly prohibited. SoftSell is not responsible for the
content or the accuracy of this information.

  _____  

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Saturday, August 7, 2004 17:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: NDR attack

 


Abandon his Domain name? What, he did not expect stuff like this? Did not do
his homework on operating an e-mail server on the Internet?

 

What, he thinks his new domain name will be exempt from these attacks?

 

Sounds like he needs some configuration changes and gateway software to
protect against that.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Saturday, August 07, 2004 11:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: NDR attack

 


I had a customer that had a SBS server with a fixed IP DSL modem. One day,
some dude started to make Directory Harvest Attacks against some small
companies (Nissan, Renault...), and set his e-mail as the reply-to address. 

 

Needless to say, he had to abandon his DNS name. The NDR's came in such
monstrous quantities that they made themselves a DoS attack ;)

 

Tiago de Aviz

SoftSell

(41) 340-2363

www.softsell.com.br <http://www.softsell.com.br/> 

 


  _____  

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, August 6, 2004 15:39
To: [ISAserver.org Discussion List]
Subject: [isalist] NDR attack

 


Hey guys,

I was looking at my firewall logs yesterday and noticed a big increase in my
Firewall service logs. Started running it down and the logs show a ton of
DNS and SMTP traffic coming from my outbound relay. Well, wouldn't you know
it, it wasn't even the ISA firewall's fault :-)

You might want to check this out and disable sending NDRs. Fixed the problem for
me.

MAPILab.Com - Articles: http://www.mapilab.com/articles/ndr_spam_attack.htm

HTH,

Tom

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tiago@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist 

Report abuse to listadmin@xxxxxxxxxxxxx 
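
The difference John describes between accepting everything and sending NDRs afterwards versus refusing unknown recipients during the SMTP session, as an added example that is not part of the thread and is not Exchange or ISA Server code. The toy server `run_session`, the `KNOWN_USERS` directory and all addresses are constructed for illustration.

```python
import re

# Constructed directory and session; run_session is a hypothetical toy server,
# not an Exchange or ISA Server API.
KNOWN_USERS = {"alice@example.test", "bob@example.test"}
HARVEST = ["MAIL FROM:<victim@thirdparty.test>",   # forged envelope sender
           "RCPT TO:<aaron@example.test>", "RCPT TO:<abby@example.test>",
           "RCPT TO:<alice@example.test>", "DATA"]


def _addr(arg):
    """Address inside <...>, lowercased; '' for the null sender <>."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).strip().lower() if m else ""


def run_session(commands, validate_at_rcpt):
    """Return (replies, ndrs): one reply code per command, and the envelope
    senders this server would later send an NDR to."""
    replies, ndrs, sender, accepted = [], [], "", []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            sender, accepted = _addr(arg), []
            replies.append(250)
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if validate_at_rcpt and rcpt not in KNOWN_USERS:
                replies.append(550)      # refused in-session, nothing queued
            else:
                accepted.append(rcpt)
                replies.append(250)
        elif verb == "DATA":             # stands for the final reply after the body
            if not accepted:
                replies.append(554)      # no valid recipients
                continue
            replies.append(250)
            # Accept-then-bounce: each unknown recipient becomes an NDR to the
            # (forgeable) envelope sender. Never bounce to the null sender.
            ndrs += [sender for r in accepted if r not in KNOWN_USERS and sender]
        else:
            replies.append(500)
    return replies, ndrs


if __name__ == "__main__":
    for mode in (False, True):
        print(mode, run_session(HARVEST, mode))
```

With validation off, the two unknown recipients each produce an NDR addressed to the forged sender; with validation on, they get a 550 in the session and the server generates no NDR at all.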
