Friday 1 February 2008

SMTP Server Remote Queue Length Alert on SBS

We just received one of these emails from an SBS box with the following error:

Alert on SBS at 2/1/2008 6:24:43 PM

A large number of messages are pending in the e-mail server send queue.
Verify that you have Internet connectivity. If you can view Web sites normally, contact your Internet service provider (ISP) to determine if there is a problem with their e-mail server.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

Sitting in the Exchange queue was a rather large number of postmaster@mydomain.com emails waiting to be sent. In some cases there were many copies of the same message.

A search brought up the following Knowledge Base article: KB 886208: Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003.

Within the article we find:
CAUSE
This issue occurs if your computer is the target of a reverse non-delivery report (NDR) attack.
Oh really?

Further down the article we have:

MORE INFORMATION
People who send UCE to e-mail recipients have discovered a method to work around the e-mail filters that are built into many e-mail messaging systems. In this scenario, the people who send UCE try to take advantage of the delivery status notification functionality in the e-mail server. In a typical e-mail messaging system, an NDR delivery status notification message is generated when an e-mail message cannot be delivered. Additionally, this NDR message typically contains the content of the undeliverable message. This behavior follows the RFC standards. Therefore, most messaging systems behave this way.

The person who sends UCE uses this NDR message to deliver UCE. This kind of UCE delivery is known as a reverse NDR attack. This kind of UCE delivery works in the following way:

  1. Unsolicited commercial e-mail is created with the destination recipient's e-mail address in the Sender field of that e-mail message.
  2. A fictitious user name together with your domain name is added as the recipient of this e-mail message.
  3. This unsolicited commercial e-mail message is sent to your domain.
  4. Your e-mail server accepts this message because it is sent to your domain.
  5. Your e-mail server cannot deliver this message because the recipient does not exist.
  6. Your e-mail server sends an NDR to the person who appears as the sender of this message. In this scenario, the person who appears as the message sender is the external recipient that receives the NDR from the postmaster account. The person who sends the UCE puts the intended recipient of the UCE in the Sender field of the message. Therefore, the intended recipient receives the NDR from the postmaster account in your e-mail domain.
  7. The NDR is sent to the external e-mail address from the postmaster address of your domain. This NDR may contain the original UCE message.
  8. The unsuspecting user might read this NDR together with the UCE message. Therefore, the UCE message has been delivered successfully to the external recipient who is listed in the Sender field of the original e-mail message.
It never ceases to amaze us how creative spammers are.

We need to configure recipient filtering. To do so, follow these steps:
  1. Start the Exchange System Manager tool.
  2. Expand Global Settings, right-click Message Delivery, and then click Properties.
  3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
  4. When you receive the following message, click OK:
    Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.
  5. Expand Servers, expand your computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  6. On the General tab, click Advanced.
  7. Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.

    • Note: the SBS internal IP address is normally shown here; it was changed to (All Unassigned) for display purposes.
Now, once we have done this, there is a caveat:
After you enable recipient filtering, a certain technique may be used against your Exchange server to gather information about the valid e-mail addresses in your organization. This technique is known as a Directory Harvest Attack.
We are directed to a further MS KB article: KB 842851: SMTP tar pit feature for Microsoft Windows Server 2003.

We are directed to make the following registry setting:

TarpitTime

Strangely, this setting was already in place on this particular SBS box.
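To make the KB text concrete, here is an added example (not from the post, and not Microsoft's or Exchange's code) that models how a mail server answers RCPT TO for a nonexistent local user: without recipient filtering (the message is accepted and a postmaster NDR goes back to whoever is in the Sender field), with the recipient filter from the steps above (refused in-session, so no NDR exists), and with a tarpit delay standing in for TarpitTime. The server class, mailbox list and sample addresses are constructed for illustration; nothing here speaks SMTP on the network.

```python
import time
from dataclasses import dataclass, field

LOCAL_DOMAIN = "mydomain.com"            # domain used in the post
DIRECTORY = {"philip@mydomain.com"}      # constructed: the only real mailbox


@dataclass
class ToySmtpServer:
    recipient_filtering: bool = False    # "Filter recipients who are not in the Directory"
    tarpit_seconds: float = 0.0          # TarpitTime, modeled as a delay before each 5xx reply
    tarpit_hits: int = 0                 # how many replies were delayed
    queue: list = field(default_factory=list)  # outbound send queue; NDRs land here

    def rcpt_to(self, rcpt: str) -> str:
        """SMTP reply to RCPT TO for an address in our domain."""
        if rcpt.lower() in DIRECTORY:
            return "250 2.1.5 OK"
        if self.recipient_filtering:
            # Refused inside the session: nothing is accepted, so no NDR can be
            # generated. The tarpit makes each refusal slow, which is what blunts
            # a directory harvest that probes one address per RCPT TO.
            if self.tarpit_seconds:
                time.sleep(self.tarpit_seconds)
                self.tarpit_hits += 1
            return "550 5.1.1 User unknown"
        return "250 2.1.5 OK"            # accepted now; fails later at delivery

    def deliver(self, mail_from: str, rcpt: str, body: str) -> str:
        """After DATA: local delivery, or a postmaster NDR back to the sender."""
        if rcpt.lower() in DIRECTORY:
            return "delivered"
        # The NDR goes to whatever was in the Sender field and, following the
        # usual RFC behaviour, carries the original message: the UCE is delivered.
        self.queue.append({"from": "postmaster@" + LOCAL_DOMAIN,
                           "to": mail_from, "body": body})
        return "ndr queued"


def receive(server: ToySmtpServer, mail_from: str, rcpt: str, body: str) -> str:
    """Push one inbound message through RCPT TO and, if accepted, delivery."""
    reply = server.rcpt_to(rcpt)
    return reply if not reply.startswith("250") else server.deliver(mail_from, rcpt, body)


if __name__ == "__main__":
    # Constructed sample: spam to a fictitious local user, victim in the Sender field.
    for filtering in (False, True):
        s = ToySmtpServer(recipient_filtering=filtering, tarpit_seconds=0.01)
        print("filtering on" if filtering else "filtering off",
              receive(s, "victim@example.net", "nobody@mydomain.com", "UCE"), "| NDRs queued:", len(s.queue))
```

Run it and the unfiltered server ends with one postmaster NDR addressed to the spoofed sender, which is exactly what was piling up in the SBS queue above.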

Further directed reading and tools: This looks like something to keep an eye on and possibly yet another configuration step for us to add to our SBS setup list.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

2 comments:

D Dabour said...

Philip,

I vote to include it in your excellent SBS Setup documentation :)

Dave
MSBS

Philip Elder Cluster MVP said...

Dave,

Done! :)

Thanks for the comment,

Philip