PureMessage for Microsoft Exchange: Dealing with NDR spam (RNDR attacks)

  • Article ID: 36854
  • Rating:
  • 1 customers rated this article 1.0 out of 6
  • Updated: 24 Oct 2008

This article discusses a method of using PureMessage for Microsoft Exchange to quarantine ALL Backscatter/NDR spam messages and quarantine them on the basis of a phrase or word.

What to do

Open the PureMessage Console:

  1. Go to Configuration | Transport (SMTP) scanning policy | Content | Inbound messages.
  2. Under 'Inbound messages', click on 'On blocked phrase'  | Define.
  3. Click on the 'Regular Expression' tab and click the 'Import...' button.
  4. Browse to the file location of the saved regex file (see regex samples below) and click the 'Open' button.
  5. Click on the 'String (wildcards supported)' tab.
  6. Click 'Add' and type in a phrase found within the NDR messages (see the examples list below for common entries) and click 'OK'.
  7. Repeat the above step to add multiple phrases.
  8. Set the action to 'Quarantine Message' and click on 'Save Changes' on the right hand side of the PureMessage Console.

Ensure that the 'On blocked phrase' check-box is enabled and the Inbound Messages scan is set to 'ON'.

Example Phrases:
"invalid recipient"
"was considered as an unsolicited message"
"did not reach the following recipient(s)"

You must be aware that the above rule may capture legitimate NDRs from valid mail servers.  Please be sure to review those messages if you are going to be quaranting NDR messages.


Example Regular Expressions:
Save each bullet point as a separate line inside of a plain text file onto your desktop.  There are six regular expressions in which you can add to the policy.  Make sure that there are no line breaks when saving your file.

  • \s{0,3}(?=[egnu])(e-mail addressing error|Google Groups: No such group|NDN:|No valid recipient in|Undeliver(?:able|ed)(?::| Mail| messages)|Unzustellbar: Ihre Nachricht konnte nicht zugestellt werden)
  • ^\s{0,3}multipart\/report; report-type=delivery-status;
  • ^\s{0,3}message\/delivery-status;
  • (?=[dfmyru])(?:Delivery (?:error|Fail(?:ed|ure)|Notification|report|status|unsuccessful)|failure notice|?:mail|message|Your e-mail) (?:could not be delivered|not delivered|undeliver(?:able|ed))|returned mail)
  • (?=[adelmrst])(?:addresses had delivery problems|(?:address|message) had (?:a )?(?:permanent fatal|transient non-fatal) (?:delivery )?errors?|Delivery Failure Report|Delivery has failed to these recipients or distribution lists:|errori permanenti|Likely reason for failure:|mistyped the email address or used a removed one|reached an invalid mailbox|Status: 5\.[17]\.1|This is an automatically generated Delivery Status Notification|this mailing list does not accept submissions by email|This Message was undeliverable due to the following reason:)
  • (?=[mp])(?:mail administrator|Mailer-Daemon|postmaster\@)

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments