# Exchange 2003 Smarthost NDR Loop



## HightowerFL (Nov 6, 2009)

My client uses a 2003 Exchange server with a smarthost. It had worked flawlessly for years until the 1st of the month. They noticed that their connection speed to the internet had dramatically decreased. It was so slow that I could not remote into the server; my connection would time out.

I went onsite and saw that the SMTP service was using huge amounts of memory and the Messages Queued for Deferred Delivery queue had thousands of messages waiting to be sent. I also went into the mailroot folder and found over 20,000 messages sitting in the Queue folder.

After checking the message headers in all of the queued messages I came to the conclusion that a spammer had forged the sender and return path information to match my client's domain. The email addresses the spammer forged don't exist on my client's domain and they are not on the smarthost's either.

This has created an NDR loop between the Exchange server and the smarthost's mail server (unix based). Essentially someone sent out a bunch of spam, probably as a BCC, and addressed the To field to [email protected] and made the return path [email protected]. Then each spam message comes into the smarthost's server looking for [email protected]. The smarthost doesn't recognize the mailbox name and forwards it to the Exchange server. The Exchange server doesn't recognize the name and tries to send an NDR to the sender (whose name is forged and points right back to the same domain). Then the smarthost tries to send the NDR back to the Exchange server. Take that and multiply it by however many spams the spammer sent and it's a good way to mess up an Exchange server.

Here is an example of the header info:

```
Return-path: <[email protected]>
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4Kt7-0007Qd-4e
for [email protected]; Sat, 31 Oct 2009 16:49:29 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:39:28 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4KjP-0003NP-V0
for [email protected]; Sat, 31 Oct 2009 16:39:28 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:29:27 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4KZi-0007hM-MH
for [email protected]; Sat, 31 Oct 2009 16:29:26 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:19:26 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4KQ1-0003bH-Gl
for [email protected]; Sat, 31 Oct 2009 16:19:25 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 16:09:24 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4KGJ-0007sZ-Hc
for [email protected]; Sat, 31 Oct 2009 16:09:23 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:59:22 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4K6c-0003tI-DZ
for [email protected]; Sat, 31 Oct 2009 15:59:22 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:49:21 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4Jwv-0008Lp-9U
for [email protected]; Sat, 31 Oct 2009 15:49:21 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:39:20 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4JnE-0004Rd-5H
for [email protected]; Sat, 31 Oct 2009 15:39:20 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:29:18 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4JdW-0000aV-1W
for [email protected]; Sat, 31 Oct 2009 15:29:18 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:19:17 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4JTp-0005FZ-0f
for [email protected]; Sat, 31 Oct 2009 15:19:17 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 15:09:16 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4JK7-0001Sb-Vv
for [email protected]; Sat, 31 Oct 2009 15:09:16 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:59:15 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4JAQ-00056i-Tm
for [email protected]; Sat, 31 Oct 2009 14:59:15 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:49:14 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4J0j-0002MV-Sh
for [email protected]; Sat, 31 Oct 2009 14:49:14 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:13 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4Ir2-00074c-SX
for [email protected]; Sat, 31 Oct 2009 14:39:13 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:12 -0400
Received: from adsl-074-247-xxx-xxx.sip.dab.bellsouth.net
([74.247.XXX.XXX] helo=mail.company.com)
by localhost.localdomain with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4Ir1-00074R-U7
for [email protected]; Sat, 31 Oct 2009 14:39:12 -0400
Received: from maxmail.tntmax.com ([69.27.238.3]) by mail.company.com
with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 31 Oct 2009 14:39:10 -0400
Received: from [89.241.115.139] (helo=alexmann.com)
by localhost.localdomain with smtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1N4Iqx-00073d-C9
for [email protected]; Sat, 31 Oct 2009 14:39:10 -0400
To: <[email protected]>
Subject: Your order 7741
From: <[email protected]>
```

In Exchange's System Manager I used sender filtering to block [email protected] and my client's server started behaving again. They were able to send and receive with no problem. But about a day after I did that the smarthost called saying that their Exchange server had a problem and was slowing down their unix mail server.

Also note that the smarthost has mailboxes on their system for all the users in the domain that the users can access through the web.

So what do you think is my best option?

Disable non-delivery reports in Global Settings, or create a mailbox for the non-existing user and take in all the messages to end the loop?
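The loop described in this post can be spotted from the headers alone: the same pair of hops (smarthost to Exchange and back) recurs at a steady interval. The following is an added, defender-side example, not code from the thread; it parses the Received chain of a constructed sample (placeholder hosts, addresses and IPs modelled on the headers above) and flags a message whose hop pairs repeat more than an assumed threshold.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the thread's chain (placeholder hosts/addresses):
# the same Exim -> Exchange -> Exim hops recur about every ten minutes.
SAMPLE = """\
Return-path: <nobody@example.com>
Received: from adsl-x.isp.example ([192.0.2.10] helo=mail.example.com)
\tby smarthost.example.net with esmtp (Exim 4.69)
\tfor nobody@example.com; Sat, 31 Oct 2009 16:49:29 -0400
Received: from smarthost.example.net ([198.51.100.3]) by mail.example.com
\twith Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Oct 2009 16:39:28 -0400
Received: from adsl-x.isp.example ([192.0.2.10] helo=mail.example.com)
\tby smarthost.example.net with esmtp (Exim 4.69)
\tfor nobody@example.com; Sat, 31 Oct 2009 16:39:28 -0400
Received: from smarthost.example.net ([198.51.100.3]) by mail.example.com
\twith Microsoft SMTPSVC(6.0.3790.1830); Sat, 31 Oct 2009 16:29:27 -0400
Received: from adsl-x.isp.example ([192.0.2.10] helo=mail.example.com)
\tby smarthost.example.net with esmtp (Exim 4.69)
\tfor nobody@example.com; Sat, 31 Oct 2009 16:29:26 -0400
Received: from [203.0.113.7] (helo=spammer.example)
\tby smarthost.example.net with smtp (Exim 4.69)
\tfor nobody@example.com; Sat, 31 Oct 2009 14:39:10 -0400
"""

# "from <host> ... by <host>"; Exim logs the peer's rDNS name, not its HELO claim.
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)")

def parse_hops(raw):
    """Return (from_host, by_host, timestamp) per Received header, oldest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())              # unfold continuation lines
        m = HOP_RE.match(flat)
        if m:                                       # skip hops we cannot parse
            when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
            hops.append((m.group(1), m.group(2), when))
    return list(reversed(hops))                     # headers are prepended

def detect_loop(raw, threshold=3):
    """Flag a bounce loop: one (from, by) hop recurring at least `threshold` times."""
    hops = parse_hops(raw)
    pairs = Counter((f, b) for f, b, _ in hops)
    worst, n = pairs.most_common(1)[0] if pairs else (None, 0)
    times = [t for f, b, t in hops if (f, b) == worst]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"is_loop": n >= threshold, "hops": len(hops), "repeated": worst,
            "count": n, "gap_seconds": gaps}
```

The gap list makes the retry cadence visible, which helps distinguish a genuine loop from a message that merely passed the same relay twice.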


----------



## Rockn (Jul 29, 2001)

It sounds like the smarthost should do something if the email address does not exist on your client's domain. They are in essence the email gateway and should offer some sort of blocking of email addresses that do not exist or do not originate from the customer domain.


----------



## HightowerFL (Nov 6, 2009)

Well, the solution was to disable NDRs on the Exchange server. The smarthost provider moved the smarthost to a different IP address and all is going well. Of course, you are not supposed to disable NDRs, but that seemed to be the only solution in this case.


----------

