Tuesday, November 28, 2006

Reverse NDR Attack - Outbound Email Not Being Delivered

Here is an article about problems with outgoing mail on Exchange 5.5. This is a solution I found while on the phone with a support call. It is a composite of a TekTips article and a Microsoft KB article.

What is a reverse NDR attack?

Spammers have a new means to avoid the filters built into many mail systems. They take advantage of the fact that a mail system sends a non-delivery report (NDR) that returns the original contents when a message cannot be delivered as addressed: the spam is sent to a non-existent recipient with the intended target's address forged as the sender, so the bouncing server delivers the NDR, carrying the spam payload, to that target.

How do I know that my server is suffering from a Reverse NDR attack?

There are several symptoms that you may see within the Microsoft Exchange Server Administrator:
- Outbound email is not being delivered. (To view your outbound queue, go to the properties of your Internet Mail Service connection, click the Queues tab and switch to outbound messages awaiting delivery.)
- Take note of the originator in the outbound queue. If you see <> under Originator, 99% of the time it will be a spam mail that has generated an NDR. If you see hundreds or thousands of these, then you are most likely suffering an RNDR attack on your Exchange server.

How do I clear the outbound queue?

I will explain how you can clear the outbound queue, but this will by no means resolve your issue: as soon as the Internet Mail Service is started, you will continue to receive spam emails that generate NDRs on your system.
(1) Stop the Internet Mail Service.
(2) Go to the following directory path (e.g. c:\exchsrvr\imcdata\out).
(3) Delete all files in this directory. (Each file is an email to be sent out; if you have users that are trying to send out, their emails are in here also. You may need to advise them to resend emails that they recently tried to send, since they will most likely be deleted.)
(4) Delete the queue.dat file in the imcdata directory.
(5) Restart the Internet Mail Service.
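Step (3) deletes everything in the spool, legitimate user mail included. As an added example (not from the original post, the TekTips article, or Microsoft), the following Python script sorts the spool instead: it moves files that look like NDRs (a null Return-Path of <> or a multipart/report of type delivery-status) into a quarantine directory, leaves ordinary user mail in place, and reports the counts so you can see how much of the queue is bounce traffic. It assumes, for illustration only, that each spool file is a plain RFC 822 message; the real IMC spool format is not documented here. The sample spool it builds is constructed data.

```python
import os
import shutil
import tempfile
from email import message_from_bytes


def is_ndr(raw):
    """Heuristic NDR test: null envelope sender (Return-Path: <>) or a
    multipart/report whose report-type is delivery-status (RFC 3464 bounce)."""
    msg = message_from_bytes(raw)
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


def triage_outbound(out_dir, quarantine_dir):
    """Move NDRs out of the spool into quarantine_dir; leave user mail in place.
    Returns counts so the operator can judge whether the queue is mostly NDRs."""
    os.makedirs(quarantine_dir, exist_ok=True)
    counts = {"ndr": 0, "user": 0}
    for name in sorted(os.listdir(out_dir)):
        path = os.path.join(out_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            raw = fh.read()
        if is_ndr(raw):
            shutil.move(path, os.path.join(quarantine_dir, name))
            counts["ndr"] += 1
        else:
            counts["user"] += 1
    return counts


def make_message(return_path, sender, recipient, subject, bounce=False):
    """Build a constructed RFC 822 message (sample data, not captured traffic).
    Assumes the spool holds plain RFC 822 text, which is an assumption of this example."""
    headers = [f"Return-Path: {return_path}", f"From: {sender}",
               f"To: {recipient}", f"Subject: {subject}"]
    if bounce:
        headers.append('Content-Type: multipart/report; report-type=delivery-status; boundary="b1"')
        body = "--b1\r\nContent-Type: text/plain\r\n\r\nThe message could not be delivered.\r\n--b1--\r\n"
    else:
        headers.append("Content-Type: text/plain")
        body = "Hello, please find the report attached.\r\n"
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def build_sample_spool(out_dir):
    """Write a constructed spool: three bounces, as a reverse NDR attack leaves
    behind (forged victims as recipients), plus one genuine user message."""
    samples = {
        "00000001.out": make_message("<>", "postmaster@mail.example.test",
                                     "forged-victim@example.net", "Undeliverable: cheap offer", bounce=True),
        "00000002.out": make_message("<>", "postmaster@mail.example.test",
                                     "another-victim@example.org", "Undeliverable: act now", bounce=True),
        "00000003.out": make_message("<>", "postmaster@mail.example.test",
                                     "third-victim@example.com", "Undeliverable: re: your account"),
        "00000004.out": make_message("<alice@example.test>", "alice@example.test",
                                     "bob@example.org", "Quarterly report"),
    }
    os.makedirs(out_dir, exist_ok=True)
    for name, raw in samples.items():
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(raw)


def demo():
    """Run the triage against a throw-away spool; returns (counts, files left in the spool)."""
    root = tempfile.mkdtemp()
    out_dir = os.path.join(root, "out")
    quarantine = os.path.join(root, "ndr-quarantine")
    build_sample_spool(out_dir)
    counts = triage_outbound(out_dir, quarantine)
    remaining = sorted(os.listdir(out_dir))
    shutil.rmtree(root)
    return counts, remaining


if __name__ == "__main__":
    print(demo())
```

Run it against the real out directory only while the Internet Mail Service is stopped, as in the procedure, and keep the quarantine directory outside imcdata so the service does not pick the bounces up again; the counts it returns are the same evidence the Originator column gives you in the queue view.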

Here is Microsoft's KB article on how to resolve this issue:

Update available in Exchange Server 5.5 to control whether the Internet Mail Service suppresses or delivers NDRs

Article ID: 837794
Last Review: October 26, 2006
Revision: 6.1
Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 (Description of the Microsoft Windows registry)

SUMMARY
An update to Microsoft Exchange Server 5.5 is available that introduces a new feature that you can use to control how non-delivery reports (NDR) are processed by the Internet Mail Service. After you apply the hotfix that is described in this article, add the SuppressNDROptions registry entry to the following registry subkey. Then, set the SuppressNDROptions registry entry to the appropriate value, depending on whether you want the Internet Mail Service to suppress or deliver NDRs:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters

RESOLUTION
Hotfix information
A supported feature that modifies the default behavior of the product is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically need it. This feature may receive additional testing. Therefore, if you are not severely affected by the lack of this feature, we recommend that you wait for the next update that contains this feature.

Prerequisites
This hotfix requires Microsoft Exchange Server 5.5 Service Pack 4 (SP4).

Restart requirement
You do not have to restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date Time Version Size File name


MORE INFORMATION
After you apply the hotfix that is described in this article, add the SuppressNDROptions registry entry to the following registry subkey and then set the registry entry to the appropriate value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters

To configure the way that the Internet Mail Service processes NDRs:

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type SuppressNDROptions, and then press ENTER.
6. On the Edit menu, click Modify, and then follow these steps:
• Set the Base type to hexadecimal.
• To enable this feature so that the Internet Mail Service does not deliver NDRs, type 1 in the Value data box.
• To enable this feature so that the Internet Mail Service does not generate NDRs, type 10 in the Value data box.
• To enable this feature so that the Internet Mail Service does not deliver any NDRs if an SMTP address is missing in the return address field, type 100 in the Value data box.
Note: If the SuppressNDROptions registry entry is either not present or if the registry entry is set to 0 (zero), the feature is not used.
7. Quit Registry Editor.
8. Restart the Internet Mail Service.

For more information about how hotfix packages are named, click the following article number to view the article in the Microsoft Knowledge Base: 817903
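The three values are bit flags entered with the Base set to hexadecimal, which is easy to get wrong if the Base is left at decimal. The Python below is an added example, not Microsoft's code: describe() splits a DWORD into the flags the KB documents and any undefined bits (decimal 10 lands entirely in the undefined bits, the symptom of the base mistake), ndr_disposition() states what the service does with a bounce for a given setting (the precedence between flags when several are set is an assumption made for this model; the KB defines each value on its own), and reg_fragment() emits the REGEDIT4 text equivalent to steps 3 to 6 so the hex encoding of the DWORD is visible.

```python
"""Model of the SuppressNDROptions flags from KB 837794 (added example, not Microsoft code)."""

KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters"

# Values as the KB defines them, entered with Base set to hexadecimal.
SUPPRESS_DELIVERY = 0x1      # NDRs are not delivered
SUPPRESS_GENERATION = 0x10   # NDRs are not generated
SUPPRESS_NO_RETURN = 0x100   # NDRs are not delivered when the return address lacks an SMTP address

FLAGS = {
    SUPPRESS_DELIVERY: "do not deliver NDRs",
    SUPPRESS_GENERATION: "do not generate NDRs",
    SUPPRESS_NO_RETURN: "do not deliver NDRs when the return address has no SMTP address",
}


def describe(options):
    """Split a DWORD into the documented flags and any bits the KB does not define.
    A value typed as decimal 10 (0xA) lands entirely in unknown_bits, which is
    the symptom of forgetting to set Base to hexadecimal."""
    enabled = [text for bit, text in FLAGS.items() if options & bit]
    unknown = options & ~sum(FLAGS)
    return {"enabled": enabled, "unknown_bits": unknown, "feature_active": options != 0}


def ndr_disposition(options, return_address):
    """What the service does with the NDR for one failed message.
    Precedence (generation check first, then the delivery checks) is an
    assumption made for this model; the KB defines each value on its own."""
    if options & SUPPRESS_GENERATION:
        return "not generated"
    if options & SUPPRESS_DELIVERY:
        return "generated, not delivered"
    if options & SUPPRESS_NO_RETURN and not return_address:
        return "generated, not delivered (no SMTP return address)"
    return "delivered"


def reg_fragment(options):
    """REGEDIT4 export text equivalent to steps 3 to 6; shows the DWORD as hex.
    REGEDIT4 is the header both Windows NT 4.0 and later regedit versions import."""
    return (
        "REGEDIT4\r\n\r\n"
        f"[{KEY}]\r\n"
        f'"SuppressNDROptions"=dword:{options:08x}\r\n'
    )


if __name__ == "__main__":
    for value in (0x1, 0x10, 0x100, 10):
        print(f"{value:#x}: {describe(value)}")
    print(reg_fragment(SUPPRESS_GENERATION))
```

For a server under a reverse NDR attack, the 0x10 setting (no NDR generated) is the one that stops the outbound queue filling; 0x1 still generates the reports and only withholds delivery. After importing the fragment or editing by hand, read the value back in Registry Editor and confirm it shows 0x10 (16 in decimal), not 10.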


1 comment:

Anonymous said...

Hey, you have a great blog here!

You provide valuable information on exchange server disaster recovery. I'm definitely going to bookmark you!

I have a disaster recovery blog. It pretty much covers disaster recovery related stuff.

Come and check it out if you get time :-)

Hard Drive Recovery