RE: getting spammed by underliverables
RE: getting spammed by underliverables - 24.Mar.2008 5:22:26 PM
|
|
|
dima
Posts: 40
Joined: 10.Feb.2006
Status: offline
|
We have the same problem. I've enabled the registry key for GFI to process incoming NDR emails, and that works. However (and this is a different issue), when I move any such emails into the public folders, they do not get scanned, but simply remain there, never being moved to "Processed". Thanks, -- dima
|
|
|
|
RE: getting spammed by underliverables - 25.Mar.2008 8:01:36 AM
|
|
|
pmcneill
Posts: 135
Joined: 18.May2005
Status: offline
|
Just got back from a long Easter weekend and am paying for it today. We have one user (so far) that got over 300 of these on the weekend. Definitely backscatter. Can someone from GFI please comment on the "fix" for this they posted in another thread, as to any possible side effects? Will this basically mean that all NDRs (including ones that are not as a result of spamming) will be filtered?

"To configure GFI MailEssentials to scan NDR mails you need to do the following:
1. Open regedit (Start -> Run -> regedit)
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME<version>\Config
3. Change the value of 'ase_scandsn' from 0 to 1
4. Re-start the IIS Admin service."
|
|
|
|
RE: getting spammed by underliverables - 25.Mar.2008 8:48:13 AM
|
|
|
sreece
Posts: 53
Joined: 10.May2006
Status: offline
|
Hi Everyone: Out of curiosity, did the user that got these have their out-of-office response turned on? I had mine turned on yesterday, and I received about 50 of these. I think it may be that the auto-response was sending back to spam addresses that obviously aren't real and we just receive the bounce-back. Thoughts?
|
|
|
|
RE: getting spammed by underliverables - 25.Mar.2008 8:58:29 AM
|
|
|
pmcneill
Posts: 135
Joined: 18.May2005
Status: offline
|
No, not in my user's case. That was the first question I asked before looking at the headers on all the crap they got back. The NDRs were generated by a remote mail system, not our own (which would be the case in the scenario you're describing). This was definitely the result of a spammer using my user's email address to send out SPAM, and idiotic mail configurations on remote servers that send NDRs out for emails sent to illegitimate addresses at their domains. Someone needs to start a blacklist similar to a DNSBL that lists domains that configure their mail servers to respond to SPAM, so that we can all stop accepting mail from them and have them fix their config. This type of config should not be accepted any more than having an open relay on your server is.
|
|
|
|
RE: getting spammed by underliverables - 25.Mar.2008 10:41:13 AM
|
|
|
dadams
Posts: 9
Joined: 31.Oct.2006
Status: offline
|
How do I check my Exchange Server for this setting and correct it if necessary? Thanks,
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 5:48:07 AM
|
|
|
JanZoet
Posts: 576
Joined: 20.Feb.2008
Status: offline
|
Hello, When you have enabled the registry key to check NDRs as well you can configure Keywords in order to block these Non Delivery messages. If users still receive these messages and you are sure you are using the correct Keywords I would advise you to check your Whitelists to make sure these users are not whitelisted. If you try to add NDRs to 'This is spam email' these messages will not be processed: http://kbase.gfi.com/showarticle.asp?id=KBID003132. Dadams, May I ask you to explain your question? Kind regards,
_____________________________
Jan Zoet Technical Support - GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 6:28:45 AM
|
|
|
jmjacquet
Posts: 9
Joined: 10.Mar.2008
Status: offline
|
Hello Jan, I have the same problem (hundreds of NDRs arriving from mail systems which have been spammed). We have changed the registry setting 'ase_scandsn' from 0 to 1 and have rebooted the server. But the NDRs are still passing through despite containing many keywords from our list. Our configuration: ME12 20071203. Any help would be welcome!
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 8:54:19 AM
|
|
|
JanZoet
Posts: 576
Joined: 20.Feb.2008
Status: offline
|
Hello, We have identified an issue caused by the DNS Blacklist relays.ordb.org. A while ago we uploaded a Knowledge Base article stating that this list could no longer be used: http://kbase.gfi.com/showarticle.asp?id=KBID002925. At the moment people using this list for the DNS Blacklist module of MailEssentials or under Connection Filtering of Exchange might experience a lot of NDR messages. I would like to advise you not to use this list in either MailEssentials or Exchange. Kind regards,
_____________________________
Jan Zoet Technical Support - GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 9:36:56 AM
|
|
|
pmcneill
Posts: 135
Joined: 18.May2005
Status: offline
|
Hi, We have not been using that blacklist, and had a single (reported) user receive 300+ of these NDRs over the weekend. The issue has not recurred to my knowledge however, so hopefully that will be it (as far as huge volumes of backscatter all at once goes). Are there any plans to introduce some type of backscatter protection in ME? It's an ongoing issue. I can understand that it's difficult as by the time the mail reaches your server it essentially is coming from a legitimate source (spammer's version of money-laundering), but it seems like there should still be a way to check for content in inbound NDRs. Dunno, just know that it's an ever present issue, worse at some times than others.
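An added example, not part of the thread and not a GFI MailEssentials feature, of one way to check the content of inbound NDRs as discussed in the post above: parse the bounce as an RFC 3464 `multipart/report` and test whether the embedded original message carries a Message-ID issued by your own outbound server. The domain `mail.example.com`, the function names and the sample bounce are constructed assumptions.

```python
import email
from email import policy

# Assumption: host names our own outbound servers put in Message-ID headers.
OUR_MSGID_DOMAINS = {"mail.example.com"}

def original_headers(dsn):
    """Headers of the original message embedded in a multipart/report, or None."""
    if dsn.get_content_type() != "multipart/report":
        return None
    for part in dsn.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original message returned
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # headers-only return
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw):
    """Return 'genuine', 'backscatter' or 'unknown' for a raw inbound message."""
    orig = original_headers(email.message_from_bytes(raw, policy=policy.default))
    if orig is None:
        return "unknown"                     # not a structured DSN; leave to other filters
    msgid = str(orig.get("Message-ID", "")).strip().strip("<>")
    if not msgid:
        return "unknown"                     # nothing to compare against
    domain = msgid.rpartition("@")[2].lower()
    return "genuine" if domain in OUR_MSGID_DOMAINS else "backscatter"

def sample_dsn(orig_msgid):
    """Constructed sample: a minimal bounce that returns the original headers."""
    return (
        "From: MAILER-DAEMON@remote.example.net\r\n"
        "To: user@example.com\r\n"
        "Subject: Undeliverable mail\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
        "Reporting-MTA: dns; remote.example.net\r\n\r\n"
        "Final-Recipient: rfc822; nobody@remote.example.net\r\n"
        "Action: failed\r\nStatus: 5.1.1\r\n"
        "--b1\r\nContent-Type: text/rfc822-headers\r\n\r\n"
        f"From: user@example.com\r\nMessage-ID: {orig_msgid}\r\nSubject: hi\r\n"
        "--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    print(classify_ndr(sample_dsn("<20080322.1@mail.example.com>")))
    print(classify_ndr(sample_dsn("<abc123@forged.invalid>")))
```

A Message-ID domain can be copied by whoever forges the sender, so this check only separates bounces of mail that never passed through your server; bounces that lack the returned headers stay "unknown" and still need keyword or other filtering.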
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 10:06:21 AM
|
|
|
pcecom
Posts: 16
Joined: 14.Apr.2005
Status: offline
|
I checked my settings and I do not use relay.ordb.org in my DNS Blacklist. I am only using sbl-xbl.spamhaus.org. I also use multi.surbl.org for SPAM URI blacklist. I am down to maybe 10-15 a day for NDR spam but have started to see Delivery Status Notification spam since yesterday.
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 10:46:12 AM
|
|
|
Nicks
Posts: 2600
Joined: 17.Mar.2003
Status: offline
|
Hi, Please check this knowledgebase article for more information on the registry key mentioned above: http://kbase.gfi.com/showarticle.asp?id=KBID003322 Please let us know the results after enabling the scanning for DSNs.
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 10:49:20 AM
|
|
|
Phanatik
Posts: 8
Joined: 28.Feb.2007
Status: offline
|
I am having the same issue here the past couple of days. I also do not use relay.ordb.org. Usually all our spam is really low, but it seems overall it has increased the past week or so, and just the past couple of days a few users have been getting a lot of NDR spam coming through.
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 11:32:18 AM
|
|
|
dima
Posts: 40
Joined: 10.Feb.2006
Status: offline
|
@JanZoet: Thank you for the KB article regarding scanning of NDR's in public folders. The article, however, does not explain anything; it basically just states what we already figured. Is there a specific reason for the design of this behavior in MailEssentials? Are there any reasons not to change the behavior so that NDR's are scanned in future versions? Not all NDR's are the same, and some of them (the ones that appear as regular email messages) actually do get scanned in the current version. Thank you, -- dima
|
|
|
|
RE: getting spammed by underliverables - 26.Mar.2008 7:35:44 PM
|
|
|
Annancy
Posts: 16
Joined: 10.May2004
Status: offline
|
@Nicks, I changed this setting two days ago and we are still being hit with NDR spam.
|
|
|
|