Correctly configuring NDR and DNSBL on Exchange 2003

By default, your Exchange 2003 server will happily accept all mail, only to find during processing that it cannot deliver certain messages. Only then does it generate a message back to the sender saying that the mail could not be delivered.

While this is fine for legitimate senders, it becomes problematic with spam. Spam generally carries a non-existent or forged sender address. In the first case you end up with endless heaps of NDR messages that can themselves never be delivered. The second case is worse: an innocent third party is bombarded with potentially thousands of NDRs for spam messages he or she never sent in the first place (so-called backscatter). Many documents point to an MS Knowledge Base article that disables NDR messages altogether. That is a very bad solution, because now legitimate senders who only made a minor typo will never learn that their mail was not delivered. The proper solution is to check *before* accepting a message whether the recipient exists. The screenshots below show exactly how to do that. Email for non-existent recipients is then never accepted in the first place, and legitimate senders are told there is a problem right away.

  • Open Global Settings and bring up the properties of “Message Delivery”
  • Enable “Filter recipients who are not in the Directory”
  • Bring up the properties of the SMTP Connector
  • Click Advanced
  • Click Edit
  • Enable “Apply Recipient Filter”

While we are at it, we can also add DNSBL checks. If you don't have SP2 installed on your MS Exchange server yet, do so first. Next, add DNSBL support as shown in the image below:

  • Bring up the “Message Delivery” properties again
  • Choose Connection Filtering
  • Choose Add
  • Enter the display name and the DNS suffix (zone) of the DNSBL service you want to use

NOTE: You also need to enable connection filtering on the SMTP service itself, as shown in the second image. Mark the option “Apply Connection Filter” to enable your filters.
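To make the difference between the two policies concrete, here is an added example (my own code, not part of the original post and not Exchange code) that simulates how an SMTP server decides at RCPT TO time whether to refuse a message or to accept it and generate an NDR later. It covers both the recipient-filter steps and the DNSBL (connection filter) steps above. The directory of mailboxes, the zone name `dnsbl.example.invalid`, the client IPs and the DNS answers are constructed stand-ins; a real DNSBL lookup would query the list operator's zone with the client address's octets reversed, which is exactly what `dnsbl_query_name` builds.

```python
"""Added example: accept-then-NDR versus reject-at-RCPT, plus a DNSBL check.
All data below is constructed for the example; nothing here is real DNS."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed set of mailboxes this server hosts (stand-in for the Exchange
# directory lookup behind "Filter recipients who are not in the Directory").
DIRECTORY = {"alice@example.com", "bob@example.com"}

# Hypothetical DNSBL zone; a real deployment enters the list operator's zone.
DNSBL_ZONE = "dnsbl.example.invalid"

# Constructed DNS answers: query name -> A record. DNSBLs answer with an
# address in 127.0.0.0/8 for listed hosts and NXDOMAIN (None here) otherwise.
FAKE_DNS: Dict[str, str] = {"4.3.2.1." + DNSBL_ZONE: "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver so the example runs offline."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Client 1.2.3.4 checked against zone Z is looked up as 4.3.2.1.Z."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip: str, zone: str,
              resolve: Callable[[str], Optional[str]]) -> bool:
    """A host is listed when the lookup returns an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def smtp_session(client_ip: str, mail_from: str, rcpt_to: str,
                 recipient_filter: bool, connection_filter: bool,
                 resolve: Callable[[str], Optional[str]] = fake_resolve
                 ) -> Tuple[str, bool]:
    """Simplified model of the server's decision for one RCPT TO.

    Returns (SMTP reply sent to the client, whether an NDR would be generated
    to mail_from afterwards). With spam, mail_from is usually forged, so every
    NDR generated is backscatter aimed at an innocent address.
    """
    # Connection filtering: refuse listed client IPs before taking the message.
    if connection_filter and is_listed(client_ip, DNSBL_ZONE, resolve):
        return ("550 5.7.1 Connection refused: %s is listed on %s"
                % (client_ip, DNSBL_ZONE), False)

    recipient_exists = rcpt_to.lower() in DIRECTORY

    # Recipient filtering: reject unknown mailboxes while the sender is still
    # connected, so the sending server (not us) reports the failure.
    if recipient_filter and not recipient_exists:
        return ("550 5.1.1 User unknown", False)

    # Default Exchange 2003 behaviour: accept, discover the problem during
    # delivery, then generate an NDR to whatever MAIL FROM claimed.
    return ("250 2.1.5 Recipient OK", not recipient_exists)


def backscatter_count(sessions, recipient_filter: bool,
                      connection_filter: bool) -> int:
    """Count NDRs the server would emit for a batch of (ip, from, to) tuples."""
    return sum(
        smtp_session(ip, frm, to, recipient_filter, connection_filter)[1]
        for ip, frm, to in sessions
    )


if __name__ == "__main__":
    # Constructed spam run: forged sender, dictionary-style recipient guesses.
    batch = [("5.6.7.8", "victim@forged.example", "user%d@example.com" % i)
             for i in range(100)]
    print("NDRs with default settings:", backscatter_count(batch, False, False))
    print("NDRs with recipient filter:", backscatter_count(batch, True, False))
```

Running the script shows 100 NDRs (all addressed to the forged sender) under the default settings and 0 once the recipient filter is on; a legitimate sender mistyping an address still gets the 550 immediately from their own mail server rather than silence.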