RE: Flood of "System Administrator" Undeliverable SPAM, please help

 
RE: Flood of "System Administrator" Undeliver... - 5.May2008 10:41:20 AM   
srmobile

 

Posts: 105
Joined: 25.Apr.2004
Status: offline
NM

< Message edited by srmobile -- 5.May2008 10:42:51 AM >

(in reply to AndrewHDS)
Post #: 136
RE: Flood of "System Administrator" Undeliver... - 5.May2008 10:42:19 AM   
phess

 

Posts: 6
Joined: 27.Oct.2004
From: PA
Status: offline
I have had this patch installed for over a week and it has not helped much. Yes, some NDRs are getting blocked, which is a help, but the ones that come from system administrator undeliverable: do not get blocked; they look exactly the same as my NDRs from Exchange would look. I have done everything... keywords, registry change, patch, turned off NDRs in Exchange, recipient filtering in Exchange, tar pit in Exchange, everything, and I'm still getting nailed with these NDRs. I have not heard from support in days. It's gotten so bad my Exchange server info store server actually crashed twice.

(in reply to AndrewHDS)
Post #: 137
RE: Flood of "System Administrator" Undeliver... - 5.May2008 1:31:05 PM   
nintenDRU

 

Posts: 12
Joined: 23.Jan.2007
From: Long Beach, CA
Status: offline
quote:

ORIGINAL: phess

I have had this patch installed for over a week and it has not helped much. Yes, some NDRs are getting blocked, which is a help, but the ones that come from system administrator undeliverable: do not get blocked; they look exactly the same as my NDRs from Exchange would look. I have done everything... keywords, registry change, patch, turned off NDRs in Exchange, recipient filtering in Exchange, tar pit in Exchange, everything, and I'm still getting nailed with these NDRs. I have not heard from support in days. It's gotten so bad my Exchange server info store server actually crashed twice.


Same thing for me; in fact I spent all night Thursday night with a call to Microsoft @ $500 to try to get my Information Store up and running. The temp fix was to delete the Exchange BadMail folder, but that only worked until Sat AM sometime ;-(. So I was in early today to reopen the case and still no fix. We have managed to restart the information store, but who knows for how long? I am not saying that it is GFI's fault; maybe all the NDR spam is causing it? I will say that Nick @ GFI support has been responsive to me, which is nice. I sure hope that the next build will stop and keep my information store up and running or I may be forced to use a different product for SPAM?

(in reply to phess)
Post #: 138
RE: Flood of "System Administrator" Undeliver... - 5.May2008 1:35:34 PM   
phess

 

Posts: 6
Joined: 27.Oct.2004
From: PA
Status: offline
I had to clear out my message queues and restart the service. I just spent about an hour on the phone with GFI and I think we got things going better. I was using GFI rule management.exe to create a spam folder under each user's inbox. All my actions were set to tag as spam with [SPAM]. We changed the actions for all items to just move to inbox/SPAM and somehow this seems to have helped. I was getting a system administrator email about every 2 mins; since then none. I'm still getting ones from mailer-daemon, postmaster, mail delivery system, etc., but they are all going in to the SPAM folder, which they were going to previously but with the [SPAM] tag.

(in reply to nintenDRU)
Post #: 139
RE: Flood of "System Administrator" Undeliver... - 5.May2008 1:41:08 PM   
pmcneill

 

Posts: 135
Joined: 18.May2005
Status: offline
I'm considering implementing this this week, but talk of crashing information stores always makes me very nervous.  Obviously GFI is still recommending this patch, but can someone from the company comment on the relative success their customers are having with it?  Forum posts are rarely a good indication of the majority as people rarely post when everything is working well.

How well is the patch being received GFI?  Is it working for most people?  When can we expect a more permanent solution as part of a new build?  Some feedback would be nice.

Thanks! 

(in reply to phess)
Post #: 140
RE: Flood of "System Administrator" Undeliver... - 6.May2008 2:43:49 AM   
trcc3

 

Posts: 19
Joined: 11.Apr.2008
Status: offline
Hello,

No information-store problems here; almost every NDR spam is caught by ME.

(in reply to pmcneill)
Post #: 141
RE: Flood of "System Administrator" Undeliver... - 6.May2008 3:37:40 AM   
Nicks

 

Posts: 2600
Joined: 17.Mar.2003
Status: offline
Hi all,

The patch that has been released till now should block most of the NDR spam. It will cause MailEssentials to check the email attached to the NDR message using various anti-spam filters.

There are 2 situations that the patch does not cover (or does not seem to cover), which are:
  1. Some mail servers choose not to include the original email in the NDR. The patch will not be able to scan such NDRs.
  2. If the action of the anti-spam module is set to tag the message, in certain situations the email is tagged by MailEssentials, but the tag is not shown by Microsoft Outlook. Microsoft Outlook will change the subject of the NDR email to say "Undeliverable: <subject of original email>", thus ignoring the real subject of the NDR. In such cases, the NDR would be detected by MailEssentials, but the user will not notice this, since Outlook changes the subject.

We are currently working on another update for NDR spam. This will compare the recipient of the attached email to the autowhitelist. If no email is attached to the NDR, MailEssentials will compare the domain of the sender of the NDR with the domains in the autowhitelist. The update will also address the issue mentioned in point 2 above.

One last note - currently the Anti-Spam Public Folders has not been updated to scan NDR messages. NDR messages will remain in the public folder unscanned. After the new update has been released, we are confident that most (if not all) NDR spam will be blocked, thus no update to anti-spam Public Folders is required.

_____________________________

Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to trcc3)
Post #: 142
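
The two checks described in the post above (recipient of the attached original against the auto-whitelist, and the NDR sender's domain when nothing is attached), sketched as an added example; this is not GFI's code and not part of the original posts. `AUTOWHITELIST`, `make_ndr`, `classify_ndr` and every address are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for an auto-whitelist: addresses local users have written to.
AUTOWHITELIST = {"partner@example.net", "sales@example.org"}

def make_ndr(sender, original_to=None):
    """Build a constructed multipart/report NDR, optionally embedding the original mail."""
    parts = "--b1\nContent-Type: text/plain\n\nDelivery has failed.\n"
    if original_to:
        parts += ("--b1\nContent-Type: message/rfc822\n\n"
                  f"From: user@corp.example\nTo: {original_to}\nSubject: hi\n\nbody\n")
    return (f"From: {sender}\nTo: user@corp.example\nSubject: Undeliverable: hi\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
            "\n" + parts + "--b1--\n")

def attached_original(ndr):
    """Return the original message embedded in the NDR, or None if the server omitted it."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822" and part.is_multipart():
            return part.get_payload(0)
    return None

def classify_ndr(raw, whitelist=AUTOWHITELIST):
    """Label an NDR 'legitimate' or 'backscatter' using the two checks from the post."""
    ndr = email.message_from_string(raw, policy=policy.default)
    original = attached_original(ndr)
    if original is not None:
        # Case 1: original attached -> was its recipient ever mailed by a local user?
        rcpt = parseaddr(str(original.get("To", "")))[1].lower()
        return "legitimate" if rcpt in whitelist else "backscatter"
    # Case 2: nothing attached -> fall back to the domain of the NDR's sender.
    sender = parseaddr(str(ndr.get("From", "")))[1].lower()
    domains = {addr.rpartition("@")[2] for addr in whitelist}
    return "legitimate" if sender.rpartition("@")[2] in domains else "backscatter"

if __name__ == "__main__":
    for ndr in (make_ndr("postmaster@mx.example.com", "partner@example.net"),
                make_ndr("postmaster@mx.example.com", "stranger@example.com"),
                make_ndr("MAILER-DAEMON@example.org"),
                make_ndr("MAILER-DAEMON@unknown.example")):
        print(classify_ndr(ndr))
```

The domain fallback is the coarser of the two checks: it accepts any bounce from a domain that a local user has ever written to, so NDRs without the original attached are classified with less confidence.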
RE: Flood of "System Administrator" Undeliver... - 6.May2008 8:48:51 AM   
pmcneill

 

Posts: 135
Joined: 18.May2005
Status: offline
Hi Nick,

I just want to understand the first point correctly.  If the original email is not included in the NDR, the patch does nothing?

This is typical of what we're seeing:

Edit:  Sorry, image doesn't seem to be showing up.  Anyway, no attached emails in what we're seeing.

If it doesn't block this, it won't do much for us.

Is there any estimate on the time when the revision that checks the whitelist will be available?  How long that is going to take will decide whether or not we're going to ask our users to live with this for now, or put in place one of the other "lesser of two evils" solutions.

Would appreciate the best answer you can give.

Thanks

< Message edited by pmcneill -- 6.May2008 8:54:30 AM >

(in reply to Nicks)
Post #: 143
RE: Flood of "System Administrator" Undeliver... - 6.May2008 10:19:01 AM   
Nicks

 

Posts: 2600
Joined: 17.Mar.2003
Status: offline
Hi,

For all NDR messages, Outlook hides the attachment for NDR emails. You will notice that there is an attachment if you get the "Send Again" button when you open the NDR message.

The attachment would show if you use Outlook Express to view the NDR.

However, there are some NDR messages which do not include the original email as attachments. The patch does not block these NDR messages, since the patch works on the contents of the original email.

_____________________________

Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to pmcneill)
Post #: 144
RE: Flood of "System Administrator" Undeliver... - 6.May2008 11:48:42 AM   
pmcneill

 

Posts: 135
Joined: 18.May2005
Status: offline
Ok, thanks Nick, I was looking at it incorrectly. 

Do you have an update on when a more permanent solution might be available?  I know nobody wants to commit to a timeline they might not be able to meet, but I'm just wondering if we're talking weeks or months here.  We might decide to wait for it if we thought it was coming soon.

Thanks,

Phil

(in reply to Nicks)
Post #: 145
RE: Flood of "System Administrator" Undeliver... - 6.May2008 7:53:41 PM   
kharris

 

Posts: 16
Joined: 10.Aug.2007
Status: offline
FYI pmcneill,

I installed the patch when it was first released and the backscatter issue has been largely resolved (95% or better in my estimation). Because the keyword module scans the NDRs I have seen less than 10 emails sent to my keyword quarantine mailbox (I forward them instead of flagging or deleting).

We are in the US, have the latest build of ME 12 installed in gateway mode and have not experienced any problems from the patch. Hope that helps, good luck!

(in reply to pmcneill)
Post #: 146
RE: Flood of "System Administrator" Undeliver... - 7.May2008 4:21:35 AM   
andih98uk

 

Posts: 16
Joined: 31.Mar.2008
Status: offline
I've seen a big improvement after the patch, with no ill effects and a massively reduced number of NDR's. Well done GFI.

(in reply to kharris)
Post #: 147
RE: Flood of "System Administrator" Undeliver... - 7.May2008 8:39:54 AM   
Phanatik

 

Posts: 8
Joined: 28.Feb.2007
Status: offline
Here we go again, I am getting bombarded with these Undeliverables again. Coming in every minute or so.

(in reply to andih98uk)
Post #: 148
RE: Flood of "System Administrator" Undeliver... - 7.May2008 8:42:14 AM   
pmcneill

 

Posts: 135
Joined: 18.May2005
Status: offline
Thanks gang, that's very encouraging.  Any change in the mail system here goes through a real PIA change management process, and I hate to suffer through it for little benefit, or worse for something that causes more problems than it solves.  I think the pros seem to outweigh the cons with this.  I'm gonna look at implementing this weekend.

Thanks for the user forums GFI.  One of the big reasons I stick with the product!

I'd still very much appreciate a time estimate from GFI on the more permanent solution being worked on.

< Message edited by pmcneill -- 7.May2008 8:48:15 AM >

(in reply to andih98uk)
Post #: 149
RE: Flood of "System Administrator" Undeliver... - 8.May2008 11:37:08 AM   
tmckeown

 

Posts: 61
Joined: 28.Mar.2004
From: Chicago, IL
Status: offline
We've had two issues which Nick has been helping us try and track down. We still get a lot of NDR spam. Much of it does have the original file attachment. The other more pressing problem is that since we installed the patch, mail flow has slowed dramatically. We constantly get the popup message from Outlook stating it is trying to access the server. I haven't found a solution to that yet. If I can't figure out something soon, I'll be removing ME and cleaning out the registry in an attempt to get the speed back up. Then I can do a fresh install of ME. Not sure if anyone else has seen this. It's pretty odd. If I look at task manager, it usually shows that the CPU is 99% idle. Occasionally I'll get a warning in the application event log stating that a mail item took an abnormal amount of time to be processed. It then states that the probable cause is bad hardware. I've checked our RAID arrays and they all show "Optimal", so I don't believe that is it.

(in reply to pmcneill)
Post #: 150