Phone Lines icon GFI Support Home

Articles in this section

See more

A user is compromised and receiving a lot of NDR messages

Author: Andrei Bogdan Apostol Updated

Overview

One user keeps getting NDR messages and your domain is blocked by other email servers. This user is also sending spam out although the password has been changed and the NDR reports have been disabled in Exchange. The user has a large number of emails for different addresses that have not been sent yet. The postmaster receives the following message:

Delivery has failed to these recipients or groups:
The server has tried to deliver this message, without success, and has stopped trying. Please try sending this message again. If the problem continues, contact your helpdesk.

Solution

This issue is consistent with a backscattered NDR attack. With tracing enabled, the log below shows the following:

<GFI MailEssentials installation path>\GFI\MailEssentials\Antispam\DebugLogs\ase_header_check.gfi_log.txt

2020-08-30,04:58:23,209,1,"#00000f28","#000010fc","info  ","ase_header_check","[ID:3] Check: Matching TO - Block Report: Email has different SMTP TO: and MIME TO: fields in the email addresses"
2020-08-30,04:58:23,209,1,"#00000f28","#000010fc","info  ","ase_header_check","[ID:4] Check: Malformed Email - Block Report: Email header contains a malformed MIME From: field"

To prevent this issue, please check your Directory Harvesting configuration as described in How to prevent a Reverse NDR Attack.

Additionally, please perform the following steps to ensure that the issue is solved: 

  • Open the MailEssentials Configuration UI.
  • Navigate to Content Filtering > Advanced Content Filtering.
  • Create rule to filter incoming NDRs:
    1. Click Add rule.
    2. Name the rule: Block Return-Path: <>.
    3. Set the conditions to Headers and Contains 
    4. Paste Return-Path: <> into the blank box.
    5. Set this to Check inbound emails only
    6. Click Apply.
    7. Check the box next to the rule you created and click Enabled selected.
    8. Click Apply.
    9. Click the name of your new rule and click the Actions tab.
    10. Set this to Delete
    11. Uncheck Notify administrator and Notify local user.
    12. Click Apply.
  • Create rule to filter out outbound NDRs:
    1. Click Add rule.
    2. Name the rule: X-MS-Exchange-Message-Is-Ndr.
    3. Set the conditions to Headers and Contains 
    4. Paste X-MS-Exchange-Message-Is-Ndr into the blank box.
    5. Set this to Check outbound emails only
    6. Click Apply.
    7. Check the box next to the rule you created and click Enabled selected.
    8. Click Apply.
    9. Click the name of your new rule and click the Actions tab.
    10. Set this to Delete
    11. Uncheck Notify administrator and Notify local user.
    12. Click Apply.
  • As a precaution, make sure that the user's credentials have been updated and that the Exchange server has been restarted.

These NDR messages should now be blocked and deleted.

Note

This configuration will apply to all NDRs.

You can further limit malicious emails by ensuring the following settings are enabled in the Header Checking filter:

  1.  Open the MailEssentials Configuration UI
  2. Navigate to Anti-Spam > Anti-Spam Filters > Header Checking.
  3. In the General tab, ensure the following options are selected:

    • Check if the email header contains an empty MIME FROM: field.

    • Check if the email header contains a malformed MIME FROM: field.

    • Check if the email headers contain different SMTP TO: and MIME TO: fields.

Testing

Applying the steps above should stop the NDR attack and prevent it from happening.

Related articles