GFI MailEssentials and NDR messages

I inherited GFI MailEssentials and MailSecurity recently.

I was troubleshooting a problem today where an SMTP sender was getting an NDR when emailing one of my users, but the Exchange Message Tracking Center claimed the message was delivered to the store.

Enter GFI MailEssentials, which optionally sends an NDR when it thinks something is spam. Here’s the fun catch though, it sends a 5.1.1 “email account does not exist”. In hopes of convincing the spammer the account doesn’t exist anymore? As if bulk mailers use legitimate return addresses.

It’s certainly not to inform the legitimate user their mail was rejected, as the NDR is a farce. It’s not signaling Exchange to send an NDR, but rather taking these actions itself, so make sure logging is on. Fortunately there’s a template file in MailEssentials\templates called ndr.xml. Open it up in Notepad, change the 5.1.1 references to 5.5.0 and put in your own custom anti-spam message instead of “this user does not exist”.

Not that this software should be sending NDRs. I’m sure I’m flooding the net with NDRs, but it looks like it’s hooking after the SMTP service, not into or before. I’ll replace it with SA eventually.

Update 07/2007:
The NDR template just wasn’t working and GFI never replied the last time I sent them the requested tech support logs. I ran into an issue a couple of weeks ago where messages would go to GFI (sent to advanced queuing in Exchange System Manager) and never come back. Stopping GFI would get the messages back. I just uninstalled GFI and I’m replacing it with a traditional SpamAssassin installation.
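Added example (not from the original post or from GFI): when the mail server's tracking log says "delivered" but the sender holds an NDR, the bounce itself shows who issued it. This sketch assumes the bounce is an RFC 3464 delivery report, which the post does not confirm for GFI's NDRs; the sample message, host names and addresses are constructed placeholders.

```python
from email import message_from_string

# Constructed sample NDR; every host and address is a placeholder.
SAMPLE_NDR = """\
From: postmaster@filter.example.com
To: sender@example.net
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The e-mail account does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; filter.example.com

Final-Recipient: rfc822; user@example.com
Action: failed
Status: 5.1.1

--b1--
"""

def _value(header):
    """Strip the 'dns;' / 'rfc822;' type prefix from a DSN field."""
    return (header or "").split(";", 1)[-1].strip().lower()

def dsn_fields(raw):
    """Return (reporting_mta, [(recipient, action, status), ...]) or (None, [])."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()  # one Message object per header block
            rcpts = [(_value(b["Final-Recipient"]), (b["Action"] or "").strip().lower(),
                      (b["Status"] or "").strip()) for b in blocks[1:]]
            return _value(blocks[0]["Reporting-MTA"]), rcpts
    return None, []

def triage(raw, mail_servers, mailboxes):
    """List reasons this NDR does not match what the mail server would send."""
    mta, rcpts = dsn_fields(raw)
    if mta is None:
        return ["no message/delivery-status part found"]
    findings = [] if mta in mail_servers else [f"NDR issued by {mta}, not the mail server"]
    findings += [f"{r}: 5.1.1 reported for a mailbox that exists"
                 for r, _, status in rcpts if status == "5.1.1" and r in mailboxes]
    return findings
```

Calling `triage(SAMPLE_NDR, {"exchange.example.com"}, {"user@example.com"})` returns both findings: the report came from a host other than the mail server, and it claims 5.1.1 for a mailbox that exists.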

3 thoughts on “GFI MailEssentials and NDR messages”

  1. pBear

    We’ve been using GFI for a while and ignoring the NDRs. Just didn’t have the energy to investigate. Can you let me know the full name of the “SA” software?

  2. btm

    Normally I wouldn’t send out NDRs, but since I don’t trust this software at all as far as false positives go, I’m going to be a jerk for a while and let the NDRs go. I did notice today that the new template isn’t being read yet. I restarted IIS and all the GFI MailEssentials services I could find.

    SA is SpamAssassin. I don’t know how well it works on Windows, but we don’t expose Exchange to the internet anyways. It’s a complex little piece of software if you haven’t used it before, but you can tie a lot of packages into it such that you have a highly customizable rating system to determine what’s spam and what’s ham. It’s also free and doesn’t require ongoing support contracts if you’re using ClamAV for the anti-virus and such.

  3. Mahlon Greene

    The PUNCHLINE here….is that the NDR is actually a TOOL for the spammer to use.

    They put the intended victim in as the “from” line…and then let YOUR GFI spam someone else…FOR them. So your IP gets blacklisted and your legit mail gets filtered in future.

    The NDR approach is one of the absolute stupidest things anyone has ever coded on purpose.

    PLEASE tell me HOW to disable this feature.

