Alert on SBS at 2/1/2008 6:24:43 PM
Sitting in the Exchange queue were a rather large number of firstname.lastname@example.org emails waiting to be sent. In some cases, there were multiples upon multiples of the same emails.
A large number of messages are pending in the e-mail server send queue.
Verify that you have Internet connectivity. If you can view Web sites normally, contact your Internet service provider (ISP) to determine if there is a problem with their e-mail server.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
A search brought up the following Knowledgebase article: KB 886208: Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003.
Within the article we find:
This issue occurs if your computer is the target of a reverse non-delivery report (NDR) attack.
Further down the article, under MORE INFORMATION, we have the following (it never ceases to amaze how creative spammers are):
People who send UCE to e-mail recipients have discovered a method to work around the e-mail filters that are built into many e-mail messaging systems. In this scenario, the people who send UCE try to take advantage of the delivery status notification functionality in the e-mail server. In a typical e-mail messaging system, an NDR delivery status notification message is generated when an e-mail message cannot be delivered. Additionally, this NDR message typically contains the content of the undeliverable message. This behavior follows the RFC standards. Therefore, most messaging systems behave this way.
The person who sends UCE uses this NDR message to deliver UCE. This kind of UCE delivery is known as a reverse NDR attack. This kind of UCE delivery works in the following way:
- Unsolicited commercial e-mail is created with the destination recipient's e-mail address in the Sender field of that e-mail message.
- A fictitious user name together with your domain name is added as the recipient of this e-mail message.
- This unsolicited commercial e-mail message is sent to your domain.
- Your e-mail server accepts this message because it is sent to your domain.
- Your e-mail server cannot deliver this message because the recipient does not exist.
- Your e-mail server sends an NDR to the person who appears as the sender of this message. In this scenario, the person who appears as the message sender is the external recipient that receives the NDR from the postmaster account. The person who sends the UCE puts the intended recipient of the UCE in the Sender field of the message. Therefore, the intended recipient receives the NDR from the postmaster account in your e-mail domain.
- The NDR is sent to the external e-mail address from the postmaster address of your domain. This NDR may contain the original UCE message.
- The unsuspecting user might read this NDR together with the UCE message. Therefore, the UCE message has been delivered successfully to the external recipient who is listed in the Sender field of the original e-mail message.
We need to configure recipient filtering:
To configure recipient filtering, follow these steps:
1. Start the Exchange System Manager tool.
2. Expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.
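To make the difference concrete, here is an added model (not code from the KB article or from this blog) of how an inbound message to a fictitious local user is handled with recipient filtering off versus on. The local domain, mailbox list and the spoofed "victim" sender are constructed assumptions; the point is that with filtering on, the unknown recipient is refused at RCPT TO, so there is never an NDR carrying the UCE back to the address in the Sender field.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory of valid local mailboxes (assumption, not from the page).
LOCAL_DOMAIN = "example.org"
VALID_LOCAL_USERS = {"alice", "bob", "postmaster"}

@dataclass
class Message:
    mail_from: str   # envelope sender (the victim's address in a reverse NDR attack)
    rcpt_to: str     # envelope recipient at our domain
    body: str        # the UCE payload

@dataclass
class Outcome:
    smtp_reply: str                     # reply given at RCPT TO
    ndr_sent_to: Optional[str] = None   # who receives a postmaster NDR, if anyone
    ndr_body: str = ""                  # NDR content (may quote the original message)

def receive(msg: Message, recipient_filtering: bool) -> Outcome:
    """Model the server's handling of one inbound message.

    recipient_filtering=False: accept anything for our domain, then bounce
    unknown users with an NDR that quotes the original message (the default).
    recipient_filtering=True : reject unknown users at RCPT TO, so no NDR exists.
    """
    local_part, _, domain = msg.rcpt_to.partition("@")
    if domain != LOCAL_DOMAIN:
        return Outcome("550 5.7.1 Unable to relay")   # not our domain: no relay
    known = local_part in VALID_LOCAL_USERS
    if recipient_filtering and not known:
        # Refused in-session: the sending MTA gets the error; we generate nothing.
        return Outcome("550 5.1.1 User unknown")
    if not known:
        # Accepted, then found undeliverable: NDR from postmaster carrying the UCE.
        ndr = f"Undeliverable: {msg.rcpt_to}\n--- Original message ---\n{msg.body}"
        return Outcome("250 2.1.5 Recipient OK", ndr_sent_to=msg.mail_from, ndr_body=ndr)
    return Outcome("250 2.1.5 Recipient OK")

# Constructed reverse-NDR attempt: victim placed in the sender field, bogus local user.
ATTACK = Message(mail_from="victim@elsewhere.example", rcpt_to="zzq9@example.org",
                 body="BUY NOW (constructed UCE payload)")

def ndr_reaches_victim(recipient_filtering: bool) -> bool:
    """True if the postmaster NDR (with the UCE inside) would go to the spoofed sender."""
    out = receive(ATTACK, recipient_filtering)
    return out.ndr_sent_to == ATTACK.mail_from and ATTACK.body in out.ndr_body

if __name__ == "__main__":
    for mode in (False, True):
        print(f"recipient filtering {'on ' if mode else 'off'}: {receive(ATTACK, mode)}")
```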
After you enable recipient filtering, a certain technique may be used against your Exchange server to gather information about the valid e-mail addresses in your organization. This technique is known as a Directory Harvest Attack.
We are directed to a further MS KB article: KB 842851: SMTP tar pit feature for Microsoft Windows Server 2003.
We are directed to make the following registry setting:
Strangely, this setting was already in place on this particular SBS box.
Further directed reading and tools:
- MS KB 324958: How to block open SMTP relaying and clean up Exchange Server SMTP queues in Windows Small Business Server
- MS KB 823866: How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003
- Enter your domain.com name and MX Lookup
- Click the Diagnostics button for the server to test for open relay.
- From the Down under with Microsoft Technology and Consulting Services blog: How does a "Reverse NDR" attack work?
Microsoft Small Business Specialists
*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.