Spam, NDR Attack, or??
Came in this morning to 13000+ NDR messages. I was able to flush the queues after a few hours, but in the meantime the mail server was in turmoil. The subject appears to be in Russian, but since I deleted all the NDRs I don't have an example, but I do have the sender ID from the find messages. Here is the puzzling part: "=?windows-1251?(random characters)=" <email@address>. I have relay disabled, and the server is firewalled with a PIX, so nothing can be done if you telnet externally to the server. Logs don't show anything, except that the message tracking log was deleted about 53 minutes before the first message was sent. Since none of the messages actually were sent out, our server didn't get blacklisted. Any help on this would be very much appreciated.
March 19th, 2008 7:06pm

Could it have been a directory harvest attack? http://en.wikipedia.org/wiki/Directory_Harvest_Attack Or, it could certainly be someone with a virus that is not on your network but spoofing your domain.
March 20th, 2008 1:47am

I have seen this at (6) different offices, all with the same problem from the same location as described above. Have you heard of this being commonplace elsewhere?
April 17th, 2008 6:07pm

Exchange 2000 is vulnerable out of the box; you can use GFI Spam Filter or ORF, or you can follow the Microsoft article and fix it if you have access to Visual Basic 6. Exchange 2003 - you need to enable recipient filtering and drop recipient emails that don't exist in AD. The people getting your NDRs have the bigger problem, but GFI came out with a patch; not sure what everyone else is doing. This is a HUGE problem that somehow is under the news radar for now. Matt B.
April 24th, 2008 12:34am

Yes, we are now seeing this type of spam at more than 4 different sites. We have disabled NDRs for now until a fix is out. If you have a fix or recommendation, please share. TIA http://www.yournewdesktop.com
June 25th, 2008 2:05am

I have one customer's server that at any given time has 10 - 30 zombies connected to it trying to do directory harvesting / dictionary spamming. A lot of people don't like real-time block lists, but a good, reasonably aggressive RBL like Spamhaus (I use zen.spamhaus.org) can go a long way towards slowing these things down. Others don't like tarpits (that slow down invalid address acknowledgements), but they can slow down the attempted delivery of all this garbage, too.
June 25th, 2008 9:10am
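Added example (not code from anyone in this thread): the two defences the replies above describe, recipient filtering against the directory so unknown mailboxes are refused at RCPT TO instead of accepted and bounced, plus counting invalid-recipient probes per client IP to spot a directory-harvest source and size a tarpit delay. The mailbox list, the example.com log lines and the thresholds are all constructed for the demo; the tarpit schedule is an assumed linear one, not any product's setting.

```python
import re
from collections import defaultdict

# Mailboxes that exist in the directory (constructed; stands in for the AD lookup).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}

# Constructed SMTP receive log, one RCPT TO per line: "<time> <client-ip> RCPT TO:<addr>".
SAMPLE_LOG = """\
2008-03-19T06:13:01 203.0.113.7 RCPT TO:<aaron@example.com>
2008-03-19T06:13:01 203.0.113.7 RCPT TO:<abby@example.com>
2008-03-19T06:13:02 203.0.113.7 RCPT TO:<adam@example.com>
2008-03-19T06:13:02 203.0.113.7 RCPT TO:<alice@example.com>
2008-03-19T06:13:03 203.0.113.7 RCPT TO:<alan@example.com>
2008-03-19T06:13:05 198.51.100.20 RCPT TO:<bob@example.com>
2008-03-19T06:13:09 198.51.100.20 RCPT TO:<alice@example.com>
2008-03-19T06:14:00 192.0.2.44 RCPT TO:<zed@example.com>
"""
LINE_RE = re.compile(r"^(\S+) (\S+) RCPT TO:<([^>]+)>$")

def rcpt_response(rcpt, valid=VALID_RECIPIENTS):
    """Recipient filtering: answer RCPT TO from the directory, so mail to an
    unknown mailbox is refused at SMTP time and never accepted-then-bounced
    (no NDR is generated, so there is no backscatter to a forged sender)."""
    return "250 2.1.5 OK" if rcpt.lower() in valid else "550 5.1.1 User unknown"

def invalid_rcpts_by_client(log, valid=VALID_RECIPIENTS):
    """Per client IP: (invalid attempts, total attempts) over the log."""
    counts = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not RCPT TO records
        _, ip, rcpt = m.groups()
        counts[ip][1] += 1
        if rcpt.lower() not in valid:
            counts[ip][0] += 1
    return {ip: tuple(v) for ip, v in counts.items()}

def harvest_suspects(log, min_invalid=3, min_ratio=0.6, valid=VALID_RECIPIENTS):
    """Clients that probed many unknown addresses: the dictionary/harvest pattern."""
    return sorted(ip for ip, (bad, total) in invalid_rcpts_by_client(log, valid).items()
                  if bad >= min_invalid and bad / total >= min_ratio)

def tarpit_delay(invalid_so_far, base=5, cap=60):
    """Seconds to hold the 550 reply after N invalid recipients from one client;
    grows linearly (assumed schedule) so a harvesting run slows as it persists."""
    return min(cap, base * invalid_so_far)

if __name__ == "__main__":
    print(invalid_rcpts_by_client(SAMPLE_LOG))
    print("suspects:", harvest_suspects(SAMPLE_LOG))
```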

Have to use this article - helps with everything from easily clearing out queues to checking your relays to NDR. One of the most productive 30 minutes of my admin career... http://www.amset.info/exchange/spam-cleanup.asp
August 14th, 2008 7:38pm
