Byteplant - Hard Drive Backup Software and Spam Filter Software

How To Reject Undeliverable Mail with MS Exchange

One of the "features" of Exchange is that it accepts mail to any address: it always replies "250 OK", regardless of whether the address exists. Undeliverable messages are silently forwarded to postmaster.

In the No Spam Today! licensing scheme, any address is counted when the mail server accepts it. So, if you don't do something, you will most likely exceed your license.

Exchange Non-Delivery Reports

Worse, Exchange by default creates a "non-delivery report" (NDR) for each undeliverable mail received, and tries to send it to the purported sender of this spam or virus message. This costs you bandwidth, CPU load, and disk space. Typically, the sender addresses of spam and virus mails are fake, so the NDRs are undeliverable and remain in the outgoing queue of your mail server for days. During a heavy virus or spam wave, this can crash your mail server once thousands of undeliverable NDRs in your outgoing mail queue use up all your disk space.

Exchange has it the other way around here. Normally, it is the job of the sending MTA (mail transfer agent) to inform the user if it is unable to send a mail. If the sending MTA is a mail client, it will pop up a window to notify the user. If it is another mail server, it will send a mail delivery failure notice to the sender. This way, the administrator of an open relay suffers the consequences of his configuration error: he is the one who has to cope with overflowing message queues.

How Can You Turn This Off?

The good news is that with Exchange 2003 you can enable recipient checking, which is what you want. If you have an earlier version, you can use No Spam Today! to do the recipient checking for you.

Exchange 2003

Exchange 2003 actually allows checking recipient addresses. However, this is poorly documented, if at all. The following link has instructions on how to enable recipient checking for Exchange 2003:

Earlier Versions of Exchange

The Exchange 200x versions allow turning NDRs off, as described in Microsoft knowledge base article 294757. But this is not what you want, because Exchange still accepts all recipient addresses, whether they exist or not.

What else can you do? If Exchange accepts every recipient, you can at least configure No Spam Today! for Servers to accept only the recipient addresses you want. This is done on the "Relay Protection" page of the admin wizard. Instead of a domain, like *@byteplant.com, you can alternatively enter a list of acceptable mail addresses and aliases here, like John.Smith@byteplant.com jsmith@byteplant.com...

This has two advantages:

There is a drawback: you have to maintain a list of users in both Exchange and in No Spam Today!. This is a source of potential errors: if you fail to add an address, or if you mistype an address, that user won't get any mail. Therefore, if you use this No Spam Today! feature, test it immediately by sending test mails from outside of your network.
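An added example, not part of the original article or of No Spam Today!: a small Python check to run from outside your network. It shows whether the server answers RCPT TO with "250 OK" for an address that does not exist, and whether a known-good address is still accepted once you have entered the address list. The host name and addresses in the usage comment are placeholders, and the function names are this example's own.

```python
import smtplib
import sys
import uuid


def rcpt_code(host, sender, recipient, port=25, timeout=15):
    """Return the reply code for RCPT TO. No DATA is sent, so no mail is delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {reply!r}")
        code, _ = smtp.rcpt(recipient)
        return code  # leaving the with-block sends QUIT


def classify(valid_code, bogus_code):
    """Interpret the RCPT TO reply codes for a real and a non-existent address."""
    if valid_code not in (250, 251):
        return "valid-rejected"      # a real user is missing or mistyped in the list
    if bogus_code in (250, 251, 252):
        return "accept-all"          # the "250 OK for anything" behaviour
    if 500 <= bogus_code <= 599:
        return "recipient-check"     # unknown addresses are refused during SMTP
    return "inconclusive"            # 4xx: greylisting or a temporary failure


def check_server(host, valid_recipient, sender, probe=rcpt_code):
    """Probe one known-good address and one random address in the same domain."""
    domain = valid_recipient.rsplit("@", 1)[1]
    # Constructed local part that should not exist on any real server.
    bogus = f"no-such-user-{uuid.uuid4().hex[:12]}@{domain}"
    return classify(probe(host, sender, valid_recipient),
                    probe(host, sender, bogus))


if __name__ == "__main__":
    # Placeholder usage:
    #   python rcpt_check.py mail.example.com john.smith@example.com tester@example.net
    host, valid, sender = sys.argv[1:4]
    print(check_server(host, valid, sender))
```

The check stops after RCPT TO, so a server that only rejects unknown recipients after DATA is reported as accept-all.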

Closing Remarks

Please submit hints and suggestions to , we are happy to make anything helpful available to other users.