GW 5.5 can't stop NDR attack

By P. Dickason, CNE, MCSE, CCA
We have GW 5.5 (not sure of the service pack but the modules are ver 5.55) and someone is NDR attacking us. I see hundreds of messages coming in on the GWIA screen and the same amount of status messages being sent out. My problem is that I have all of this turned off but it is still happening so much so that no mail can be sent out. I have in the gwia.cfg file /norouting and also /badmsg-neither. I also have in the optional gateway settings Outbound Status Level set to None and Correlation Enabled set to No. I don't understand how this is still happening and I cannot find anything in the knowledgebase about the subject. Please help.
Thanks
Pete

by pierrejamme In reply to GW 5.5 can't stop NDR att ...

This was new to me, didn't think we had to worry about stuff like that with GW. We have GW6.5 and haven't experienced it yet. We are running SpamAssassin and Razor on Linux prior to the GW box so have escaped so far.
I found the following info and you may have seen it also:
Similar discussion with Exchange at:
http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/15/pid/10/qid/725829
The remedy they are suggesting:
http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm
That person says they are using the trial software and it seems to be working. I don't know if it will protect GW or not.
I'll be watching your post. Good luck,
peter

by Oz_Media In reply to GW 5.5 can't stop NDR att ...

Do yourself a favour.

Beginfinite writes an awesome program called GWAVA.
It is the ULTIMATE SPAM catcher and runs your AV product scans before passing email to the MTA. Email is scanned and flagged/deleted (by your own AV solution) before it even sees your mail server.

This issue had come up with an older mail server I was running, adding GWAVA stopped it instantly and saves the owner thousands each year in SPAM costs (time to delete email X number of employees X average salary X days per year). The ROI was instant as spam went from thousands each day to less than 20. Unlike other antispam products, this is written for GroupWise, provides more scanning options than anyone else, heuristic, key word, address, etc. and returns VERY few false positives even if using a weighted blacklist.

Best $1500.00 they ever spent. The only other reliable prevention of your issue costs $4500.00 from GW Guardian but GWAVA does more for less.

I guess what I'm getting at is, instead of fixing these problems one by one, nip them in the bud and stop them from starting in the first place (plus you stop the spam AND virus issues at the same time!).

by tfbiii2002 In reply to GW 5.5 can't stop NDR att ...

It's actually a limitation of GW 5.5. The way Novell implemented no-relay was to accept the messages and automatically send a DNR. In theory, they probably thought it was a good fix. In reality, it's the worst I've ever seen next to actually allowing relay traffic. I've already spent days purging 100's of thousands of messages from our system after a problem like this.

The solution was to upgrade to 6.5. It handles relay attempts the way it's supposed to, by not even letting them in the door.

We also added GWGuardian which actually sits in front of GWIA and does SPAM and AV filtering on all incoming e-mail. It may cost a bit more than GWAVA, but I've heard mixed things about GWAVA.

If upgrading to GW 6.5 is a problem, I would recommend an SMTP relay like GWGuardian or something similar like NetIQ's MailMarshal.
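
The contrast drawn in the reply above, between accepting a message and then sending a non-delivery notice and refusing it during the SMTP session, shown as an added example that is not part of the thread and is not GroupWise code. The domains, mailbox and envelopes are constructed, and the function names are hypothetical.

```python
# Added illustration with constructed data; models gateway policy only.
LOCAL_DOMAINS = {"example.org"}      # assumed: domains this gateway hosts
VALID_USERS = {"pete@example.org"}   # assumed: mailboxes that exist

# Constructed envelopes: (MAIL FROM, RCPT TO). The first two senders are
# forged addresses of uninvolved third parties.
ENVELOPES = [
    ("victim1@example.net", "nobody123@example.org"),  # unknown local user
    ("victim2@example.net", "target@example.com"),     # relay attempt
    ("friend@example.net", "pete@example.org"),        # legitimate mail
]


def accept_then_bounce(envelopes):
    """Say 250 to every RCPT, then generate an NDR for each failure.

    The NDR goes to the envelope sender, which the attacker chose, so the
    gateway's outbound queue fills with mail aimed at forged addresses.
    """
    replies, ndr_queue = [], []
    for sender, rcpt in envelopes:
        replies.append("250")
        if rcpt not in VALID_USERS:
            ndr_queue.append(sender)
    return replies, ndr_queue


def reject_at_rcpt(envelopes):
    """Refuse bad recipients inside the SMTP session; nothing is queued.

    Responsibility for any failure notice stays with the connecting host.
    """
    replies, ndr_queue = [], []
    for sender, rcpt in envelopes:
        domain = rcpt.rsplit("@", 1)[-1]
        if domain not in LOCAL_DOMAINS:
            replies.append("550 5.7.1")   # relaying denied
        elif rcpt not in VALID_USERS:
            replies.append("550 5.1.1")   # no such mailbox
        else:
            replies.append("250")
    return replies, ndr_queue


if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        replies, ndrs = policy(ENVELOPES)
        print(policy.__name__, replies, "outbound NDRs:", len(ndrs))
```

With the first policy the outbound NDR count grows with every bad recipient an attacker submits; with the second it stays at zero regardless of volume.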
