"How to recover from a reverse NDR attack in Microsoft Exchange"

Apr 19, 2007 12:35

Not so much a note-to-self, this could be vital to everyone! Well, anyone who runs a Windows server with Exchange 5.5.
  1. Make sure it actually is a reverse NDR attack.
    The most obvious sign is the outgoing mail queue filling with non-delivery reports (NDRs) from the "postmaster" account to email addresses that are obviously generated.
    The queues are found in Exchange System Manager -> Administrative Groups -> Servers -> [Server name] -> Queues (but you knew that!). Literally thousands of these emails will be stored in the queue, and some individual messages may be several megabytes in size. Consequently the hard disk on the server will fill up with these, as Exchange cannot route them.

  2. Create a Connector with an "*" SMTP address space (if you don't already have one)
    This is in Exchange System Manager -> Connectors. If there is one already, write down all the settings so it can be restored, then add a "bad" IP address in square brackets (e.g. "[99.99.99.99]") to the Smart Hosts textbox. Click the Delivery Options tab, and tell it not to deliver until 11pm (or another time that isn't gonna happen soon).
    This basically forces all un-routed mail into a single queue, instead of all those crazy separate domain queues from Taiwan/China/Korea/[insert major spamming nation].

  3. Find the SMTP Virtual Server
    (Exchange System Manager -> Administrative Groups -> Servers -> [Server name] -> Protocols -> SMTP), right-click it and click Stop. Wait 10 minutes for it to stop, and a further 10 minutes for your co-workers to stop complaining that the Outlook 2003 clients are showing that their email is disconnected. Right-click it again and click Start.
    The service will start up again, using the new mail delivery settings you just set.

  4. Wait 10 minutes for it to start.

  5. While you're waiting...
    ...go to ftp://ftp.microsoft.com/pss/Tools/, then go in to the folders: Exchange Support Tools -> Aqadmcli. Download aqadmcli.exe and save it to your desktop - you're gonna use it a lot!

  6. Ignore Microsoft's online tech support at this point.
    They give some bullshit advice about waiting for the queue to fill and the NDRs to stop coming in before you clear the queue. Cute advice for saving a couple of genuine outgoing emails, but it's not gonna help out with your rapidly shrinking free hard disk space (and I bet you forgot to put your paging file on a separate partition, cos the cute guy at Dell said that you had enough RAM).
    Instead, execute aqadmcli.exe and enter the command (no quotes) "delmsg flags=all". Memorise this - you'll be entering it every few minutes until the queues are clear. What this does is purge all messages queued in the outgoing part of Exchange. This will obviously also delete any genuine emails that were sent: best keep this dirty little secret to yourself until the queue is clear, or you'll get complaining work colleagues asking when they can start sending email again (they'll keep sending mail until the cows come home, with the same logic and consequences as repeatedly sending documents to an offline printer).

  7. Like I said, repeat. Until your queue is down to zero messages.

  8. Zero yet? Good.
    Now change your connector back to what it was, or delete it if you didn't use one in the first place. Change mail delivery back to "Always Run".

  9. Stop your server from relaying SMTP crap!
    Make sure your connector has the "Allow messages to be routed to these domains" checkbox unchecked. Right-click your SMTP virtual server and select Properties. Click the Access tab, then Relay. Select "Only the list below". Make sure only the IP address of the server is in the list. Make sure the "Allow all computers which successfu....." checkbox is checked.
    This stops the Exchange Server from "open relaying".

  10. Congrats, you're done.
    Now would be a good time to break the news to your work colleagues that they'll have to resend any email they have sent in the past week. A true Kodak moment when their faces collapse in disbelief. Or maybe send an email to let them know, to gild the lily with sweet irony.
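The identification step above (postmaster NDRs to obviously generated addresses, thousands of them, megabytes each) can be turned into a quick sanity check before you start purging. This is an added example, not part of the original post or any Microsoft tool: it reads a constructed tab-separated queue dump (sender, recipient, size) of the kind you could paste together from the queue viewer, and flags the storm pattern with a crude randomness test on recipient local parts.

```python
"""Added example: heuristic detection of a reverse-NDR (backscatter) storm in a queue export."""
import math
from collections import Counter

# Constructed sample, not real Exchange output: one queued message per line,
# "sender<TAB>recipient<TAB>size_bytes", as you might paste from the queue viewer.
SAMPLE_QUEUE = """\
postmaster@corp.example\tq8zk2v1x@mail.example.tw\t2457600
postmaster@corp.example\tu4h7pp3a9@mx.example.kr\t1843200
postmaster@corp.example\tjx92kq7@relay.example.cn\t3145728
postmaster@corp.example\twq3n8zzt5@mail.example.tw\t2097152
alice@corp.example\tbob@partner.example\t15360
postmaster@corp.example\tv0t6rrm2@mx.example.kr\t2621440
"""

def shannon_entropy(s):
    """Bits per character; random strings score high, real names score lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(local_part):
    """Crude test for a machine-made local part: letters and digits mixed, high entropy."""
    has_digit = any(ch.isdigit() for ch in local_part)
    has_alpha = any(ch.isalpha() for ch in local_part)
    return has_digit and has_alpha and shannon_entropy(local_part) >= 2.5

def analyze_queue(dump, ndr_share=0.5, generated_share=0.8):
    """Summarise a queue dump and flag the NDR-storm pattern from the post:
    most queued mail is postmaster NDRs, addressed to generated recipients."""
    total = ndr_count = generated = ndr_bytes = 0
    by_domain = Counter()
    for line in dump.splitlines():
        if not line.strip():
            continue
        sender, recipient, size = line.split("\t")
        total += 1
        local, _, domain = recipient.rpartition("@")
        if sender.split("@")[0].lower() != "postmaster":
            continue
        ndr_count += 1
        ndr_bytes += int(size)
        by_domain[domain] += 1
        if looks_generated(local):
            generated += 1
    suspected = (total > 0 and ndr_count / total >= ndr_share
                 and ndr_count > 0 and generated / ndr_count >= generated_share)
    return {"total": total, "ndr_count": ndr_count, "generated": generated,
            "ndr_bytes": ndr_bytes, "by_domain": by_domain, "suspected": suspected}

if __name__ == "__main__":
    print(analyze_queue(SAMPLE_QUEUE))
```

The per-domain counts also tell you which destination queues will vanish once the "*" connector funnels everything into one place.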