Tuesday, November 28, 2006

Reverse NDR Attack - Outbound Email Not Being Delivered

Here is an article about problems with Outgoing Mail on Exchange 5.5. This is a solution I found while on the phone with a support call. This is a composite of a TekTips article and a Microsoft KB article.

What is a reverse NDR attack?

Spammers have a new means to avoid filters built into many systems. They take advantage of a mail system's practice of sending a non-delivery report (NDR), which returns the original contents, when a message cannot be delivered as addressed.

How do I know that my server is suffering from a Reverse NDR attack?

There are several symptoms that you may see within the Microsoft Exchange Server Admin:
- Outbound email is not being delivered. (To view your outbound queue, go to the properties of your Internet Mail Service connection, click the Queues tab, and switch to outbound messages awaiting delivery.)
- Take note of the originator in the outbound queue. If you see <> under originator, 99% of the time it will be a spam mail that has generated an NDR. If you see hundreds or thousands of these, you are most likely suffering a reverse NDR attack on your Exchange server.
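To make the queue check above repeatable, here is an added example (not part of the original post or the Microsoft article) that counts null-originator entries in a queue listing and shows which recipient domains the NDRs are aimed at. The tab-separated "originator, recipient" format, the sample entries and the thresholds are assumptions made for illustration.

```python
from collections import Counter

NULL_SENDER = "<>"  # empty originator, as shown in the queue for NDRs

# Constructed sample: one "originator<TAB>recipient" line per queued message,
# as an admin might transcribe it from the Queues tab. Not real data.
SAMPLE_QUEUE = """\
<>\tkq81x@example.net
<>\tpromo77@example.org
alice@corp.example\tvendor@example.com
<>\tzz-offers@example.net
<>\tdeals@example.org
bob@corp.example\tpartner@example.com
<>\tnoreply9@example.net
"""

def parse_queue(text):
    """Yield (originator, recipient) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[1]:
            yield parts[0].strip(), parts[1].strip().lower()

def triage(text, min_ndrs=100, min_ratio=0.5):
    """Summarise the NDR share of the queue and flag a likely reverse NDR flood.

    min_ndrs and min_ratio are assumed thresholds ("hundreds" of NDRs making
    up most of the queue); tune them to your normal bounce volume.
    """
    entries = list(parse_queue(text))
    ndrs = [rcpt for orig, rcpt in entries if orig == NULL_SENDER]
    total = len(entries)
    ratio = len(ndrs) / total if total else 0.0
    # NDR recipients are the forged senders, i.e. where the spam payload lands.
    domains = Counter(r.rsplit("@", 1)[-1] for r in ndrs)
    return {
        "total": total,
        "ndr_count": len(ndrs),
        "ndr_ratio": round(ratio, 2),
        "top_ndr_domains": domains.most_common(3),
        "suspect": len(ndrs) >= min_ndrs and ratio >= min_ratio,
    }

if __name__ == "__main__":
    # The sample is tiny, so lower the count threshold to exercise the flag.
    print(triage(SAMPLE_QUEUE, min_ndrs=5))
```

A handful of NDRs among normal mail is ordinary bounce traffic; the flag only trips when NDRs are both numerous and the bulk of the queue.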

How do I clear the outbound queue?

I will explain how you can clear the outbound queue, but this will by no means resolve your issue: as soon as the Internet Mail Service is started, you will continue to receive spam emails that generate NDRs on your system.
(1) Stop the Internet Mail Service
(2) Go to the following directory path: (i.e. c:\exchsrvr\imcdata\out)
(3) Delete all files in this directory. (Each file is an email to be sent out. If you have users that are trying to send out email, their emails are in here also. You may need to advise them to resend emails that they just recently tried to send out, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service

Here is Microsoft's KB article on how to resolve this issue:

Update available in Exchange Server 5.5 to control whether the Internet Mail Service suppresses or delivers NDRs

Article ID
Last Review: October 26, 2006

This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986

Description of the Microsoft Windows registry

An update to Microsoft Exchange Server 5.5 is available that introduces a new feature that you can use to control how non-delivery reports (NDR) are processed by the Internet Mail Service. After you apply the hotfix that is described in this article, add the SuppressNDROptions registry entry to the following registry subkey. Then, set the SuppressNDROptions registry entry to the appropriate value, depending on whether you want the Internet Mail Service to suppress or deliver NDRs:

Hotfix information
A supported feature that modifies the default behavior of the product is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically need it. This feature may receive additional testing. Therefore, if you are not severely affected by the lack of this feature, we recommend that you wait for the next update that contains this feature.

This hotfix requires Microsoft Exchange Server 5.5 Service Pack 4 (SP4).
Restart requirement
You do not have to restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date Time Version Size File name

After you apply the hotfix that is described in this article, add the SuppressNDROptions registry entry to the following registry subkey and then set the registry entry to the appropriate value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To configure the way that the Internet Mail Service processes NDRs:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the following registry subkey:
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type SuppressNDROptions, and then press ENTER.
6. On the Edit menu, click Modify, and then follow these steps:
• Set the Base type to hexadecimal.
• To enable this feature so that the Internet Mail Service does not deliver NDRs, type 1 in the Value data box.
• To enable this feature so that the Internet Mail Service does not generate NDRs, type 10 in the Value data box.
• To enable this feature so that the Internet Mail Service does not deliver any NDRs if an SMTP address is missing in the return address field, type 100 in the Value data box.
Note: If the SuppressNDROptions registry entry is either not present or if the registry entry is set to 0 (zero), the feature is not used.
7. Quit Registry Editor.
8. Restart the Internet Mail Service.

For more information about how hotfix packages are named, click the following article number to view the article in the Microsoft Knowledge Base:


Monday, November 20, 2006

Exchange Server Backup: Using Windows Native Backup

Here is the first of John Best's Exchange Server tutorials. John is DTI's Exchange Data Recovery Chief Engineer. Learn more about John and DTI at our Data Recovery Software Blog.
This first post is on how to use native Windows backup to back up your Exchange Server.


This article describes how to back up your Microsoft Exchange 2000 or later database using Microsoft Windows Backup Utility. In my line of work, I see far too many Exchange servers that have absolutely no backup strategy in place. Out of all the corrupt databases I recover, virtually every recovery could have been avoided if the administrator had set up an automated backup that ran nightly.

Windows 2000 and 2003 Server include a backup utility that is updated and becomes capable of performing an online Exchange backup after Exchange 2000 has been installed. Backing up your Exchange database also flushes transaction logs that have been committed to the database, freeing up disk space. Each transaction log is 5 megabytes, and Exchange can generate a lot of them depending on how many transactions are taking place. I have seen Exchange servers with thousands of unneeded log files. It is extremely important that these log files are not deleted manually. Allow the backup program to flush them.

To back up your Exchange server:

1. Click Start > Programs > Accessories > System Tools > and click Backup
2. If backup starts in wizard mode, select advanced.
3. Click on the Tools tab and select “Backup Wizard”
4. On the Welcome screen, click Next
5. Choose Back up selected files, drives, or network data

6. On the Items to Back Up screen, click the plus sign next to Microsoft Exchange Server, then on the name of your server, and then click your storage group (which is named First Storage Group by default).

7. Here you should see the Mailbox store and Public Folder Store are both selected.

8. After clicking Next, you will see the Backup Type, Destination, and Name screen. Here you can choose to back up to a device such as a tape drive or to a file, as I have chosen here:

9. Click Next.

10. On the Completing the Backup Wizard window, you could click Finish to start the job right away. But for this guide we will choose the Advanced button.

11. Be sure the type of backup is set to Normal. Click Next.

12. On the next window you will choose to either append or replace. Keep in mind that if you choose append, the file may grow very large on an automated schedule. If you choose replace, the file will be completely overwritten. I normally choose replace and then set up two alternating backup jobs. This way, I always have a backup file if the server crashes during a backup.

13. Click Next.

14. On the next screen we can choose to run the backup now or schedule it for later. Choose Later.

15. Give the backup job a name. Then click the Set Schedule button. The schedule job settings window appears. You could set your backup to run every weekday at night or whenever works best for you.

16. Click OK.

17. We should be back to the When to Back Up window. Verify the correct start date and click Next.

18. It will then ask you for the proper credentials that this job will run under. Be sure to use an account that has administrative permissions.

19. Click OK.

20. On the Completing the Backup Wizard screen, click Finish to schedule the backup job.

21. Verify the job has been set to run by clicking Start > Programs > Accessories > System Tools > and Scheduled Tasks.

22. You should see your task scheduled with the dates and time to run.

23. You can check on your backup jobs by opening the Backup Utility and going to Tools > Report to view the details of each job. Also check your backup directory to make sure the backup file has been created and the modified date is set to the last backup day.

It is not enough to just create the backup job and trust it will run forever. You need to constantly check that your backup is running. You should also check your event viewer logs to make sure there are no problems occurring during the backup.

This guide is a very simple backup strategy intended for administrators that currently have NO backup strategy in place. Any backup is better than NO backup. I highly recommend that in a mission critical environment, better backup software be purchased and a better backup strategy using both tapes as well as backup files be put into place.