IIS and SMTP - IIS 5's SMTP and Stopping NDR's ?


Author IIS 5's SMTP and Stopping NDR's ?
Dave Onex

2007-05-25, 1:23 am

Hi Folks;

I'm running IIS 5.0 on Windows 2000 AdvSrvr and am wondering how I can get
it to stop sending NDR reports. What's happening is that a lot of people
send SPAM to my server (to non-existent addresses) and then the SMTP service
sends an NDR back to them to let them know that the account does not exist.

The problem is that they never use a real address and so it's all just a
waste of traffic. Is there a way to stop IIS's SMTP service from sending
NDR's ?

Thanks!
Dave


Sanford Whiteman

2007-05-26, 7:20 am

> What's happening is that a lot of people
> send SPAM to my server (to non-existent addresses)...


There is little reason for a contemporary MX to accept mail for
non-existent addresses. Your problem starts there. What is it that
prevents you from loading a recipient list and using a transport event
sink to reject at the connection level?

The issue of suppressing NDRs -- accepting, then later bit-bucketing,
messages firmly identified as spam -- is different. That's the "Bouncing
spam is bad netizenship/bouncing spam makes you complicit in Joe Jobs" vs.
"Not bouncing undelivered messages breaks the RFCs/you can never be sure
enough of spamminess" debate. *That* debate has swung strongly in favor
of the first position for several years.

--Sandy

Dave Onex

2007-05-26, 7:22 pm


"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tsw7zyv46c17zw@gw02.broadleaf.local...
>
> There is little reason for a contemporary MX to accept mail for
> non-existent addresses. Your problem starts there. What is it that
> prevents you from loading a recipient list and using a transport event
> sink to reject at the connection level?


I didn't know that could be done. Can you elaborate on how this is
accomplished using Exchange 2000 and
a separate SMTP machine as a relay? If I can get the mail server to just
reject all connection attempts to non-existent mailboxes that would be a lot
better :-)

>
> The issue of suppressing NDRs -- accepting, then later bit-bucketing,
> messages firmly identified as spam -- is different. That's the "Bouncing
> spam is bad netizenship/bouncing spam makes you complicit in Joe Jobs" vs.
> "Not bouncing undelivered messages breaks the RFCs/you can never be sure
> enough of spamminess" debate. *That* debate has swung strongly in favor
> of the first position for several years.


I don't know much about that - all I know is that my IIS 5 SMTP machine is
kindly sending NDR reports for every email it receives that is not addressed
to an existing mailbox. Of course, the account used to send the mail does
not exist so it's a waste for everyone.

>
> --Sandy
>



Sanford Whiteman

2007-05-26, 7:22 pm

> I didn't know that could be done. Can you elaborate on how this is
> accomplished using Exchange 2000 and
> a separate SMTP machine as a relay? If I can get the mail server to just
> reject all connection attempts to non-existent mailboxes that would be a
> lot better :-)


5xxSink is a transport event sink specifically designed for the rejection
of unknown recipients at the MX.

Download:

http://www.imprimia.com/products/so...ownload/release

Be sure to go over the README and RELNOTES in-depth.

> I don't know much about that - all I know is that my IIS 5 SMTP machine
> is kindly sending NDR reports for every email it receives that is not
> addressed to an existing mailbox. Of course, the account used to send the
> mail does not exist so it's a waste for everyone.


Quite so. For you, the waste is abetted by accepting the mail in the
first place. *Just* because something was sent to a nonexistent
mailbox doesn't mean it was spam -- as such user errors occur, in
small but non-negligible quantity, all the time.

Your server is absolutely correct to generate an NDR by default, in
the absence of any spam detection at that level. When the sender is
legit, the NDR is invaluable.

When the sender is forged or does not exist, the NDR is extremely
problematic, on the first hand making you complicit in Joe Jobs, and
on the second resulting in postmaster messages (double-bounce
notifications).

--Sandy
Dave Onex

2007-05-26, 7:22 pm


"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tsx98ybz6c17zw@gw02.broadleaf.local...
>
> 5xxSink is a transport event sink specifically designed for the rejection
> of unknown recipients at the MX.
>
> Download:
>
> http://www.imprimia.com/products/so...ownload/release
>
> Be sure to go over the README and RELNOTES in-depth.


Thanks for the link - it's exactly what I'm after and as you've pointed out
(and educated me in the process) it's the preferred solution :-)

Funny thing - when I copy and paste the following I got an error (due to
syntax)

cscript smtpreg.vbs /add 1 oninboundcommand 5xxsink
5xxsink.sink "rcpt"

but when I manually entered the command it worked :-)

>
>
> Quite so. For you, the waste is abetted by accepting the mail in the
> first place. *Just* because something was sent to a nonexistent
> mailbox doesn't mean it was spam -- as such user errors occur, in
> small but non-negligible quantity, all the time.


Agreed - although you know more about this than I do :-)

>
> Your server is absolutely correct to generate an NDR by default, in
> the absence of any spam detection at that level. When the sender is
> legit, the NDR is invaluable.


Agreed - it would be a shame to cut that functionality due to spam

>
> When the sender is forged or does not exist, the NDR is extremely
> problematic, on the first hand making you complicit in Joe Jobs, and
> on the second resulting in postmaster messages (double-bounce
> notifications).


But not anymore..... :-)
Thank you very much Sandy - I appreciate the education and also the better
way to resolve the issue. Much appreciated!

>
> --Sandy



Dave Onex

2007-05-26, 7:22 pm

Hi Sandy - I might have spoken too soon :-0

I noticed after installing 5xxsink no mail was flowing either in or out of
the server. Careful checking showed these errors in the event log;

Event ID 7031
The IIS Admin Service service terminated unexpectedly. It has done this 13
time(s). The following corrective action will be taken in 1 milliseconds:
Run the configured recovery program.

Event ID 7031
The Simple Mail Transport Protocol (SMTP) service terminated unexpectedly.
It has done this 13 time(s). The following corrective action will be taken
in 0 milliseconds: No action.

Event ID 7031
The World Wide Web Publishing Service service terminated unexpectedly. It
has done this 12 time(s). The following corrective action will be taken in 0
milliseconds: No action.

Event ID 2
IIS stop command received from user NT AUTHORITY\SYSTEM. The logged data is
the status code.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.

Event ID 1
IIS start command received from user NT AUTHORITY\SYSTEM. The logged data is
the status code.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.

and then they start over again. Un-installing 5xxsink re-enabled mail to
flow again and stopped the error logs from filling up with these messages.

Any ideas on why that would happen? I'm running Windows 2000 AS with all
updates installed.



"Dave Onex" <dave@onex.com> wrote in message
news:uYUm529nHHA.4424@TK2MSFTNGP03.phx.gbl...
>
> "Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
> in message news:op.tsx98ybz6c17zw@gw02.broadleaf.local...
>
> http://www.imprimia.com/products/so...ownload/release
>
> Thanks for the link - it's exactly what I'm after and as you've pointed out
> (and educated me in the process) it's the preferred solution :-)
>
> Funny thing - when I copy and paste the following I got an error (due to
> syntax)
>
> cscript smtpreg.vbs /add 1 oninboundcommand 5xxsink
> 5xxsink.sink "rcpt"
>
> but when I manually entered the command it worked :-)
>
>
> Agreed - although you know more about this than I do :-)
>
>
> Agreed - it would be a shame to cut that functionality due to spam
>
>
> But not anymore..... :-)
> Thank you very much Sandy - I appreciate the education and also the better
> way to resolve the issue. Much appreciated!
>
>
>



Sanford Whiteman

2007-05-26, 7:22 pm

> Any ideas on why that would happen? I'm running Windows 2000 AS with all
> updates installed.


Did you make sure you have the two files prescan.txt and rcptlist.txt in
place in the expected location?

I'm not aware of any known issues with the current release.

--Sandy
Sanford Whiteman

2007-05-26, 7:22 pm

> Funny thing - when I copy and paste the following I got an error (due to
> syntax)
>
> cscript smtpreg.vbs /add 1 oninboundcommand 5xxsink
> 5xxsink.sink "rcpt"
>
> but when I manually entered the command it worked :-)


There are CRLFs in the manual (due to wrapping) which will make the
command unparseable if you cut-and-paste.

--Sandy
Dave Onex

2007-05-27, 1:21 am

Aha! That was it. I just followed the steps in the readme without really
looking closely at the relnotes file so I missed the requirement for the
prescan.txt file :-)

Thanks for your help with solving this issue - I've tested it a number of
different ways and it's good now and doing exactly what I was after. Have a
great weekend!

Best;
Dave



"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tsyg1l0e6c17zw@gw02.broadleaf.local...
>
> Did you make sure you have the two files prescan.txt and rcptlist.txt in
> place in the expected location?
>
> I'm not aware of any known issues with the current release.
>
> --Sandy



Sanford Whiteman

2007-05-27, 1:21 am

> Thanks for your help with solving this issue - I've tested it a number of
> different ways and it's good now and doing exactly what I was after.


Excellent. Enjoy.

--Sandy
Dave Onex

2007-05-29, 7:20 pm

Hi Sandy;

I think I spoke too soon again - doh!

I checked the IIS 5 SMTP server today and it's still sending NDR's to people
who try to send mail to a non-existent mailbox.
I checked the prescan.txt file and it contains only a list of my domains
(ie: @someone.net) each one on a separate line with a CR at the end. The
rcptlist.txt file only contains the 4 email addresses that are actually
valid for my Exchange server.

Yet the Queue folder contains several hundred emails. Looking closer at them
shows they are NDR reports for emails sent to non-existent users (ones not
listed in the rcptlist.txt file).

My understanding was that the sink program dropped all connections when they
tried to send mail to a non-existent user. Maybe I misunderstood or have
configured something incorrectly?

Any ideas on what I've done wrong?


"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tsyqupnf6c17zw@gw02.broadleaf.local...
>
> Excellent. Enjoy.
>
> --Sandy



Sanford Whiteman

2007-05-29, 7:20 pm

> My understanding was that the sink program dropped all connections when
> they tried to send mail to a non-existent user. Maybe I misunderstood or
> have configured something incorrectly?


Your understanding is correct! But obviously something is wrong in your
installation.

First, does your server only allow relaying to those same domains (this
setting is at the IIS level)?

Second, what do you see in your logs for these sessions?

Contact me off-list if you want and we can get this fixed up. I'm going
out of town for a few days starting tomorrow, so the sooner, the better.

--Sandy
Dave Onex

2007-05-29, 7:20 pm

Hi Sandy!

Edited in line below :-)

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.ts32iljj6c17zw@gw02.broadleaf.local...
>
> Your understanding is correct! But obviously something is wrong in your
> installation.


That wouldn't surprise me :-) I re-checked to ensure the dll is registered
(it is) as well as the BINDing - it is. Also the two files exist and are
properly set so it's got to be me :-)

>
> First, does your server only allow relaying to those same domains (this
> setting is at the IIS level)?


I set up the server to allow relaying for anyone in the 192.168.1.0 -- .255
class c set rather than by domain. I'm just about the only person on the
network so it should be safe (as far as someone using my SMTP server as a
relay).

>
> Second, what do you see in your logs for these sessions?


Here's an example of someone using aqvdgkqrgo as the user (which does not
exist). That same username is spread throughout my logs like you wouldn't
believe :-(

The background on the network is this;

Firewall ---> IIS5 SMTP machine ---> Exchange Server (with SMTP connector
going to the IP Address of the IIS5 Machine)

2007-05-27 21:23:25 68.163.220.23 pool-68-163-220-23.bos.east.verizon.net SMTPSVC1 DB 192.168.1.70 0 HELO - +pool-68-163-220-23.bos.east.verizon.net 250 0 43 44 172 SMTP - - - -
2007-05-27 21:23:25 68.163.220.23 pool-68-163-220-23.bos.east.verizon.net SMTPSVC1 DB 192.168.1.70 0 MAIL - +FROM:+<sales@rotcev.com> 250 0 41 29 0 SMTP - - - -
2007-05-27 21:23:25 68.163.220.23 pool-68-163-220-23.bos.east.verizon.net SMTPSVC1 DB 192.168.1.70 0 RCPT - +TO:+<aqvdgkqrgo@askmarvin.ca> 250 0 36 34 0 SMTP - - - -
2007-05-27 21:23:26 68.163.220.23 pool-68-163-220-23.bos.east.verizon.net SMTPSVC1 DB 192.168.1.70 0 DATA - +<750a01c7a0a4$057a7169$17dca344@pool-68-163-220-23.bos.east.verizon.net> 250 0 156 834 359 SMTP - - - -
2007-05-27 21:23:26 68.163.220.23 pool-68-163-220-23.bos.east.verizon.net SMTPSVC1 DB 192.168.1.70 0 QUIT - pool-68-163-220-23.bos.east.verizon.net 240 1625 64 4 0 SMTP - - - -

>
> Contact me off-list if you want and we can get this fixed up. I'm going
> out of town for a few days starting tomorrow, so the sooner, the better.


No worries - I can wait too :-)

>
> --Sandy



Sanford Whiteman

2007-06-07, 7:23 pm

>> Contact me off-list if you want and we can get this fixed up. I'm going
>
> No worries - I can wait too :-)


Dave, let's get this done. Contact me off-list so we can talk more about
your environment.

--Sandy


Dave Onex

2007-06-08, 1:19 am

Hi Sandy;

I sent you an email about it - maybe you missed it?
I'll re-send it :-)

Thanks!

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.ttkmvdgb6c17zw@gw02.broadleaf.local...
>
> Dave, let's get this done. Contact me off-list so we can talk more about
> your environment.
>
> --Sandy
>
>



Sanford Whiteman

2007-06-09, 7:18 pm

>> Dave, let's get this done. Contact me off-list so we can talk more

If anybody's listening: Marvin & I discovered he had some extra newlines
in the RCPTLIST.TXT. That was it -- simple fix.

--Sandy
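
Added example, not part of the original thread and not code from 5xxSink: a check an administrator could run to confirm that unknown recipients are being refused at RCPT time, and to spot blank lines in a recipient list like the ones that caused the fault above. The log field layout is inferred from the log lines quoted in the thread, the one-address-per-line list format is an assumption, the function names are hypothetical, and all sample data is constructed.

```python
import re

# Field layout assumed from the IIS SMTP log lines quoted in the thread:
# date time client-ip client-host service server server-ip port VERB - ARG status ...
RCPT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) .*? RCPT - "
    r"\+TO:\+<(?P<rcpt>[^>]+)> (?P<status>\d{3}) "
)

def load_recipients(text):
    """Return (set of valid addresses, line numbers that are blank).
    Assumes one address per line; blank lines are reported, not silently skipped."""
    valid, blanks = set(), []
    for n, line in enumerate(text.splitlines(), start=1):
        addr = line.strip().lower()
        if addr:
            valid.add(addr)
        else:
            blanks.append(n)
    return valid, blanks

def accepted_unknown(log_text, valid):
    """List RCPT commands answered 2xx for addresses outside the valid set."""
    hits = []
    for line in log_text.splitlines():
        m = RCPT_RE.match(line)
        if m and m["status"].startswith("2") and m["rcpt"].lower() not in valid:
            hits.append((m["date"], m["time"], m["ip"], m["rcpt"]))
    return hits

# Constructed sample data (not taken from the thread).
RCPTLIST_SAMPLE = "alice@example.com\n\nbob@example.com\n\n"
_P = "2007-05-27 21:23:2{} 203.0.113.9 mail.example.net SMTPSVC1 DB 192.0.2.70 0 "
LOG_SAMPLE = "\n".join([
    _P.format(5) + "HELO - +mail.example.net 250 0 43 44 172 SMTP - - - -",
    _P.format(5) + "MAIL - +FROM:+<sender@example.net> 250 0 41 29 0 SMTP - - - -",
    _P.format(6) + "RCPT - +TO:+<nosuchuser@example.com> 250 0 36 34 0 SMTP - - - -",
    _P.format(7) + "RCPT - +TO:+<Alice@example.com> 250 0 36 34 0 SMTP - - - -",
    _P.format(8) + "RCPT - +TO:+<ghost@example.com> 550 0 36 34 0 SMTP - - - -",
])

if __name__ == "__main__":
    valid, blanks = load_recipients(RCPTLIST_SAMPLE)
    print("blank lines in recipient list:", blanks)
    for hit in accepted_unknown(LOG_SAMPLE, valid):
        print("accepted for unknown recipient:", *hit)
```

Any row this returns is a message that will later turn into an NDR, so an empty result after the sink is installed is the sign that rejection at RCPT time is working.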

Copyright 2003 - 2008 webservertalk.com