RE: Flood of "System Administrator" Undeliverable SPAM, please help

RE: Flood of "System Administrator" Undeliver... - 9.May2008 12:40:36 PM
MobiusYuger
Posts: 17
Joined: 5.May2005
From: Columbus, OH
Status: offline
For those of you who have had good luck with the NDR patch, could you share your spam module order configuration?

Thanks,
Mobius

RE: Flood of "System Administrator" Undeliver... - 12.May2008 10:38:48 AM
Tonyscsu
Posts: 1
Joined: 12.May2008
Status: offline
I just downloaded the patch and it's not helping at all. Just on one account, I have received nearly 400 NDRs this morning. Need some sort of solution or workaround ASAP.

Thanks,
Tony

RE: Flood of "System Administrator" Undeliver... - 13.May2008 10:04:42 AM
pmcneill
Posts: 132
Joined: 18.May2005
Status: offline
We loaded this up on the weekend. From looking at my logs since then it seems to be catching a lot of this stuff, but it's missing a lot of it as well. We do not tag mail, so that's not the issue, and much of what it's missing does have the original email attached, and when you open it it's fairly obviously SPAM. Here's one example:

Subject: 85% off for ssinpatdd
Hello, make a wise decision, buy your medications from the most well-known shop.
http://www.google.it/pagead/iclk?sa=l&ai=upFack&num=67404&adurl=http://www.subaquatic.si/redir.html
Coupon #nzQx dexter chi-wang

I had about 20 similar messages dumped in the "this is spam email" from a single user this morning. There are others with remote images that link to SPAM/Phishing sites that I'm sure would be caught by GFI if they weren't coming wrapped in an NDR, so this patch definitely needs some work. Better than nothing, as I do see 100s of them getting caught, but still not an acceptable rate of them getting through.

Can we get an estimate when a version release will be coming that will further address this issue please?

Thanks.

RE: Flood of "System Administrator" Undeliver... - 13.May2008 1:01:32 PM
nathanb
Posts: 2
Joined: 13.May2008
Status: offline
How about this as an NDR spam solution/feature request for GFI... An NDR Rate limit feature. Where you basically control the rate of incoming NDRs, i.e. anything more than 2 an hour get dropped, etc. Most people want NDR functionality, but how often do you really need it?

RE: Flood of "System Administrator" Undeliver... - 13.May2008 1:04:36 PM
pmcneill
Posts: 132
Joined: 18.May2005
Status: offline
quote:
ORIGINAL: nathanb
How about this as an NDR spam solution/feature request for GFI... An NDR Rate limit feature. Where you basically control the rate of incoming NDRs, i.e. anything more than 2 an hour get dropped, etc. Most people want NDR functionality, but how often do you really need it?

How do you decide which ones to drop? You'd end up accepting two bad NDRs generated by backscatter, and dropping the real NDR you actually wanted to get.

RE: Flood of "System Administrator" Undeliver... - 13.May2008 2:13:56 PM
nathanb
Posts: 2
Joined: 13.May2008
Status: offline
From what my company has seen so far, most of our customers' issues seem to come in waves, where they will get a flood of NDRs for an afternoon, then they will be okay for a few days.

RE: Flood of "System Administrator" Undeliver... - 13.May2008 2:26:42 PM
pmcneill
Posts: 132
Joined: 18.May2005
Status: offline
Ya, we see the same thing. A new user every day gets slammed with 500 of them. By the time you get an Outlook rule in place to delete them, the "attack" is over. I just think you'd be just as well off to simply block all of them as hoping to get lucky picking and choosing based on volumes. Truly a pain in the butt. As one of the MVPs on the Exchange newsgroup indicated when asked what could be done to stop the flow of this stuff, "Stop using email?" Amazing how reliant we are on a fundamentally broken technology, and all the crap we have to drape over it (anti-spam, anti-virus, content filtering) to try (in vain it seems sometimes) to make it functional. Anyway, just my little rant for the day. ;)

RE: Flood of "System Administrator" Undeliver... - 14.May2008 8:54:27 AM
coldax
Posts: 34
Joined: 21.Nov.2005
From: London
Status: offline
After installing the patch we've managed to kill off most of these. We're seeing some other strange results but nothing like what was going on before.

RE: Flood of "System Administrator" Undeliver... - 14.May2008 1:28:31 PM
pcecom
Posts: 16
Joined: 14.Apr.2005
Status: offline
I installed the patch a week ago. I am no longer receiving ANY NDRs, even legit ones. I have checked all settings and cannot figure out where they are going. GFI monitor is processing the legit NDR. Any ideas?

RE: Flood of "System Administrator" Undeliver... - 15.May2008 8:52:39 AM
MobiusYuger
Posts: 17
Joined: 5.May2005
From: Columbus, OH
Status: offline
After I upgraded to the latest version and installed the patch, it didn't seem to help. Just for kicks I rebooted the servers running GFi and the patch started working; stopping/starting the services didn't help. The patch catches the NDRs that have the original spam email attached to them, but it misses those that do not. I believe Nicks or someone from GFi said the next release will catch those that do not have the original attachment as well.

My question now is, can GFi make this a separate anti-spam module so I can specify an explicit action to perform on the message (e.g. delete, move, quarantine)?

Thanks,
Mobius

RE: Flood of "System Administrator" Undeliver... - 20.May2008 5:31:52 AM
Nicks
Posts: 2582
Joined: 17.Mar.2003
Status: offline
Hi all,

Yesterday we released a new build which includes further updates related to NDR Spam or BackScatter. More information on the new build can be found at http://kbase.gfi.com/showarticle.asp?id=KBID003338. We have also updated the NDR Spam KB article (http://kbase.gfi.com/showarticle.asp?id=KBID003322) to reflect the changes that have been implemented in the new build.

Thanks once again to all who provided feedback on the forums regarding this issue, and we look forward to any feedback you may have after upgrading to the latest build.
< Message edited by Nicks -- 20.May2008 6:25:05 AM >
_____________________________
Nicholas Sciberras GFI Software - www.gfi.com Messaging, Content Security & Network Security Software

RE: Flood of "System Administrator" Undeliver... - 20.May2008 9:39:16 AM
pmcneill
Posts: 132
Joined: 18.May2005
Status: offline
Thanks Nick (and everyone else who worked on getting this put together)! Read through the articles on this and it looks to be quite intelligently thought out. Look forward to hearing of user experiences with it. Just as an FYI to some of your customers, there are a LOT of people on the Exchange newsgroups complaining about backscatter right now, and not a lot of solutions to the problem being suggested. The Microsoft MVPs (Exchange gurus) are basically throwing up their hands, giving a few little tips to mitigate it to some extent, but overall indicating that it's something you need to live with. If this new GFI build addresses the issue in a meaningful way then I think it will put the product in a rare class with regard to backscatter control, as there doesn't seem to be much out there addressing it in any comprehensive way.

RE: Flood of "System Administrator" Undeliver... - 20.May2008 11:15:09 AM
shield
Posts: 22
Joined: 20.Jul.2007
Status: offline
Hello everyone,

The 20080508 is up and running, no anomalies here so far. At the moment, I have "undelivered", "failed" etc. in the KeyWord_checking, otherwise a lot of those things - with previous build+patch - made it through. Will check the new build's behaviour, maybe now it's more reliable.

Speaking about "NewSenders" - could GFI guys comment on that? Having read http://kbase.gfi.com/showarticle.asp?id=KBID003322, I still have a pair of questions:

1. How is this new module located in the chain of ME modules? I do not see it in the "Anti-Spam ordering". Could I assume it to be the last one?
2. I have NewSenders unchecked in the Configuration, AutoWhitelist is enabled, no NDRSpamNewSenders key in the registry. According to the KB article, "The NewSenders module will start checking the recipient of the email attached to NDR message against the Auto Whitelist...This functionality is enabled by default, and can be disabled by setting the ‘NDRSpamNewSenders’ (dword) value to ‘0’. NewSenders does not need to be enabled in this GFI MailEssentials configuration for this feature to work". Sorry, which feature? And if NewSenders is not enabled, what will this feature do?

Best regards,
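
Added example (not part of the original thread, and not GFI's code): a sketch of the check the quoted KB text describes, comparing the recipient of the message attached to an NDR against an auto-whitelist. It assumes the auto-whitelist is a set of addresses local users have previously mailed; `classify_ndr`, `sample_ndr` and all addresses are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed stand-in for the auto-whitelist: addresses local users have mailed.
AUTO_WHITELIST = {"supplier@example.net"}

def classify_ndr(raw, whitelist=AUTO_WHITELIST):
    """Return 'not-ndr', 'legit', 'backscatter' or 'unverifiable'."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-ndr"
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        original = part.get_payload(0)  # the message the NDR claims we sent
        headers = original.get_all("To", []) + original.get_all("Cc", [])
        rcpts = {a.lower() for _, a in getaddresses([str(h) for h in headers]) if a}
        # Assumption: every address we really mailed is in the whitelist,
        # so a miss means the bounced "original" was never ours.
        return "legit" if rcpts & whitelist else "backscatter"
    return "unverifiable"  # no original attached: nothing to compare against

def sample_ndr(original_to=None):
    """Constructed NDR; the original is attached only when original_to is given."""
    parts = ["--BOUND\nContent-Type: text/plain\n\nDelivery has failed.\n"]
    if original_to:
        parts.append("--BOUND\nContent-Type: message/rfc822\n\n"
                     f"From: user@example.com\nTo: {original_to}\n"
                     "Subject: 85% off\n\nbody\n")
    return ("From: postmaster@mx.example.org\nTo: user@example.com\n"
            "Subject: Undeliverable: 85% off\n"
            "Content-Type: multipart/report; report-type=delivery-status;"
            ' boundary="BOUND"\n\n' + "".join(parts) + "--BOUND--\n")

if __name__ == "__main__":
    for to in ("supplier@example.net", "stranger@example.org", None):
        print(to, "->", classify_ndr(sample_ndr(to)))
```

The "unverifiable" result is the case reported earlier in the thread: an NDR without the original attached gives this check nothing to compare, so it needs a different signal.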

RE: Flood of "System Administrator" Undeliver... - 20.May2008 11:15:34 AM
andih98uk
Posts: 16
Joined: 31.Mar.2008
Status: offline
Just installed the new version and not found any problems yet, but will let you know when I have a chance to have a play. Good work again GFI, keep it coming!

Thanks

RE: Flood of "System Administrator" Undeliver... - 20.May2008 2:43:38 PM
kharris
Posts: 16
Joined: 10.Aug.2007
Status: offline
Yes, THANK YOU GFI!! I installed the latest build yesterday and so far it is working great! It looks like it has virtually eliminated all backscatter for my users that continued to have a couple per day trickle through after the backscatter patch. Just curious like shield, I don't see any of the registry values mentioned in KBID003322 (except for ase_scandsn). I do have all of the modules enabled, including New Senders. Are these values only needed if wanted to disable a feature, and therefore I would manually create them? Again, thank you for your continued support and response to user concerns!
< Message edited by kharris -- 20.May2008 2:47:01 PM >