Recent Posts

Tags

News

  • Search

    <input class="BlogSearch" type="text" name="searchBox" id="blogSearchText" value="" onkeypress="return blogSearch(event, this);"> <input type="button" value="Search" onclick="return blogSearch2('blogSearchText');" class="BlogSearchButton"> <script type="text/javascript"> function blogSearch(event, oInput) { var keyCode = (event) ? event.keyCode : keyStroke.which; if (keyCode == 13) { top.location = 'http://www.google.com/search?q=' + escape(oInput.value) + '+inurl%3Ajavier+site%3Amsmvps.com'; return false; } return true; } function blogSearch2(oInputId) { var oInput = document.getElementById(oInputId); top.location = 'http://www.google.com/search?q=' + escape(oInput.value) + '+inurl%3Ajavier+site%3Amsmvps.com'; return false; } </script>

Community

Email Notifications

SBS Blogs

Helpful Sites

Archives

Javier's SBS Wonderland

Take the red pill and see how far down the rabbit hole goes...

Stop Spam... but not NDRs

I realize that any mail server these days receives tons of spam and that SBSers use employ several methods to cope up with that, but I think that disabling NDRs is not a wise choice. For those who don't know: NDR stands for Non Delivery Report and its simply that email that you get when the mail cannot reach its destination (or when it is delayed). Some people disable them because sometimes an SBS box can be sending 100's of spam-related NDRs which takes server resources and bandwidth. Why not disable NDRs then? Let me explain...

There are 2 types of NDRs that concerns us:

  1. An external entity sends an email (either accidentally or on purpose) to a non-existent address in your email domain.
  2. Someone inside your LAN sends an email and Exchange cannot deliver it for some reason.

Evidently, one would like only to disable “type-1” NDRs (more specifically only for those who do it on purpose, i.e. spammers). However, if you disable NDRs in Exchange this will affect
all of them. This means that if you your boss or an external client sends an important email and mistypes the recipient's address they will never get any notification for that. That's not good (at least in my book).

So, what can you do? Use the Recipient Filtering instead (go to Exchange System Manager -> Global Settings -> Message Delivery-> Properties-> Recipient Filtering tab-> Enable "Filter recipients who are not in the Directory"). This way you server will only accept mail destined to valid addresses on your domain, you keep NDRs working and the boss is happy. Also, now it is the responsibility of the sender's mail server to issue NDRs (so people outside your organization will know when they made a mistake).

The disadvantage of doing this is that someone could probe Exchange (some kind of dictionary attack) and get a list of valid email addresses. However, you can minimize this risk thanks to a recent software update for Exchange which adds a delay to anonymous connections. Check out Sean Daniel's blog for the complete info.

Keep tuned! Since SPAM is such a hot topic... I'm planning to blog soon about other things you can do to help reduce it (and a new way to prevent people from forging your domain name to send spam). If you have a suggestion or want me to cover something in particular let me know.

Posted: Oct 27 2004, 05:14 PM by Javier | with 8 comment(s)
Filed under:

Comments

Javier said:

hi !
I am using sbs 2000 and when I go to Exchange System Manager -> Global Settings -> Message Delivery-> Properties-> I dont have Recipient Filtering tab only filtering tab and in there I don't have -> Enable "Filter recipients who are not in the Directory.

I have filter messages that claim to be from the following senders


ADD



And I have 3 boxes I can tick

Archive filtered messages
Filter messages with blank sender
Accept messages without notifying of filtering


Thanks

John
# November 11, 2004 10:07 PM

Javier said:

I was asked in the 2k newsgroup how to enable this on SBS2k. However, as far as I know Exchange 2000 does not have this capability per se. The only way I think you could do it is to enable recipient filtering and adding each user manually to the list. Alternatively, you could use GFI Mail Essentials (or other similar package) to do this.

I will try to see if I can get a procedure for SBS2000, but it might take me a while since I don't have anymore a SBS2k to play with at home.
# November 11, 2004 10:22 PM

Javier said:

For exchange 2000

check out

www.vamsoft.com
www.mapilab.com

They both have products which provide recipient filtering for Exchange 2000

# February 16, 2005 6:25 PM

TrackBack said:

^_^,Pretty Good!
# April 15, 2005 5:17 PM

TrackBack said:

^_~,pretty good!csharpsseeoo
# May 18, 2005 9:55 PM

Javier said:

UPDATE-> SBS2003 SP1 has the update to prevent enumeration of your Email accounts if you enable this feature. Another reason to install SP1 :-)
# June 15, 2005 8:00 PM

TrackBack said:

Stop Spam... but not NDRsooeess
# July 22, 2005 12:37 AM

TrackBack said:

Stop Spam... but not NDRsooeess
# August 2, 2005 7:58 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)