Exchange 2007 / 2010 Backscatter and how to resolve it

What is Backscatter?

Backscatter consists of automatically generated Non-Delivery Report emails (NDRs) that are returned in response to emails sent to invalid recipients. Such emails are most commonly sent by spammers who have made up the recipient email address and, quite often, have forged the sender address too.

How do I know if my server is sending out Backscatter?

A quick way to check is to visit http://www.backscatterer.org/?target=test, enter your IP address and click on Test. The result will tell you whether you are listed. If you are listed, you will be sending out Backscatter. If you are not listed, then hopefully you are not sending out Backscatter (or have not yet had an NDR message hit one of the Backscatterer.org spam traps, which will get you listed).

Backscatterer Listing

Another way is to check the outbound queues on your Exchange Server: Start > All Programs > Microsoft Exchange Server (2007 / 2010) > Exchange Management Console, then click on Toolbox in the left-hand pane and open the Queue Viewer in the task pane. Then double-click into a queue with mail that is not going anywhere and see if the sender of the message is <>.

Exchange 2007 / 2010 Queue - NDR Message to Invalid Domain

Why is my server sending out Backscatter mail?

When a mail server receives an email message and is not configured for 'Recipient Validation' (where the mail server checks whether the recipient address of an inbound email is valid before accepting the message), the server automatically accepts the message, processes it, realises that the recipient address is invalid, and automatically sends a Non-Delivery Report email back to the sender of the message.

If the mail server is configured with 'Recipient Validation', the server checks all inbound emails for a valid recipient first and if the recipient address does not exist on the server, then the server will immediately reject the email message and no Non-Delivery Report email is sent back to the sender.

Okay – So I am listed – what do I do now?

Open the Exchange Management Shell (Start > All Programs > Microsoft Exchange Server (2007 / 2010) > Exchange Management Shell) and type in the following:

Get-RecipientFilterConfig | ft RecipientValidationEnabled

Recipient Validation Disabled

You will most likely see the result showing as False (as per the image above), meaning that your server is not filtering recipients.

To resolve this problem and enable Recipient Filtering, simply type the following in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Recipient Validation Enabled

Now that you have enabled recipient filtering (as per the image above), you will no longer be sending NDR emails back to spammers and can request de-listing from Backscatterer.org. De-listing should happen automatically after 4 weeks, or you can pay to be express de-listed.
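
The checks from this article, combined into one read-only script for the Exchange Management Shell. This is an added example, not part of the original article. It assumes it is run on the Hub Transport or Edge server itself, and that the agent name 'Recipient Filter Agent' and the Install-AntiSpamAgents.ps1 script are the ones shipped with Exchange 2007 / 2010.

```powershell
# Added example: read-only backscatter audit (Exchange 2007 / 2010).
# It changes nothing; the fix remains the Set-RecipientFilterConfig
# command shown in the article.

# 1. The Recipient Filter agent must be installed and enabled. On a Hub
#    Transport server the anti-spam agents are not present by default.
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent' -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning 'Recipient Filter Agent is not installed (Install-AntiSpamAgents.ps1 adds it on a Hub Transport server).'
} elseif (-not $agent.Enabled) {
    Write-Warning 'Recipient Filter Agent is installed but disabled.'
}

# 2. Recipient filtering must be switched on AND recipient validation
#    must be True before invalid recipients are rejected at SMTP time.
$cfg = Get-RecipientFilterConfig
$cfg | Format-List Enabled, RecipientValidationEnabled | Out-Host
if (-not ($cfg.Enabled -and $cfg.RecipientValidationEnabled)) {
    Write-Warning 'Invalid recipients are still accepted, so this server will generate NDRs for them.'
}

# 3. NDRs already waiting in the queues: messages whose sender is the
#    null address <>, counted per queue (same check as the Queue Viewer).
$ndrs = @(Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' })
Write-Host ("{0} queued message(s) with sender <>" -f $ndrs.Count)
$ndrs | Group-Object { "$($_.Queue)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize | Out-Host
```

A non-zero count in step 3 after both settings in step 2 read True usually reflects NDRs generated before the change that are still retrying.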
18 Comments
 

Administrative Comment

by:Glen Knight
That was a deliberate typo, it was supposed to be funny :((
0
 

Administrative Comment

by:Glen Knight
OK, first thing I would say is there is a lot of text, being a picture man I like to see images.

You thought of adding the EMS screens and/or the EMC/Queue viewer?  Might just break the text up a bit and show people what they are looking for?

Let me know your thoughts and I will set it back to author review if you want to make any changes alternatively I will continue as is.
0
 

Administrative Comment

by:Glen Knight
You fancy adding the EMS outputs?

If not tell me to shut up and I will go away :)

Thanks
dmz
0

 

Administrative Comment

by:Glen Knight
ahhh, now it's looking pretty!! :)
0
LVL 58

Expert Comment

by:tigermatt
Alan,

You might want to add something about the anti-spam agents not being present by default on a Hub Transport server (they are on an Edge), so anyone without an Edge will have to deliberately go and install them with the Install-AntiSpamAgents.ps1 script...

Just a thought...

Matt
0
LVL 10

Expert Comment

by:scriven_j
You should definitely add tigermatt's comment into the article as it doesn't work without this on a Hub Transport server.
0

Expert Comment

by:jambear
Thanks for this info. The same thing is happening at my office. I enabled the filtering and I'm still having this issue. Is there something else that I can try? Any help would be appreciated. Not sure what else to try here. Thanks in advance.
0

Expert Comment

by:AdamIT2013
I am also getting this exact issue and have been blacklisted by backscatter.org. I have recipient validation enabled but am still getting many spam NDRs in our message queues (Exchange 2007).  Is there anything else I can do?

Info - Our anti-spam agents on HT are disabled as we use another software suite for our antispam protection.
0
LVL 76

Author Comment

by:Alan Hardisty
You need to be filtering invalid recipients - either with your Anti-Spam software or with Exchange tools (not my preferred option).

If you have a 3rd party host that receives your mail first and then forwards it on to you, then they need to be doing recipient filtering, or you need to stop using them because the only place that can reject invalid recipients is the first email server that initially receives the emails.  If the email is rejected at that point, then the sending server is responsible for the NDR creation, but if the email is accepted and relayed, then the server the mail is relayed to is responsible for the NDR, meaning you will be sending out Backscatter if you receive mail for invalid recipients.

Alan
0

Expert Comment

by:AdamIT2013
OK thanks.

So just to be clear, if we have 'recipient validation' enabled {true} in the shell, but 'Recipient Filtering' Disabled under anti-spam tab in EMC, recipient validation will not work?

Our antispam software sits on the exchange server but I do not think it is capable of filtering invalid recipients.

Adam
0

Expert Comment

by:shutterhacker
With "recipient validation" enabled, when a legitimate user sending a legit mail fat fingered typing mike@mycorp.com as mik3@mycorp.com, no NDR? He believes his mail went through but Mike does not receive it in fact? This sounds worse than backscattering.
0
LVL 76

Author Comment

by:Alan Hardisty
If the recipient is invalid and Exchange rejects the message, it will by default send an NDR message out.  If the Recipient doesn't receive the NDR, then you have no control over that.
0

Expert Comment

by:shutterhacker
I am not sure if I understood it correctly.

Per your article, by default exchange will send NDRs for invalid recipients - the legit user who mistyped mike will know his mail did not go through, and you have the backscattering issues from spams.

by using
Set-RecipientFilterConfig -RecipientValidationEnabled:$true

You changed the default. Then you eliminated backscattering, and at the same time the legit user will not receive an NDR for the mistyped "mike/mik3", since it's an invalid recipient and Exchange does not send out an NDR.

Is that correct?
0

Expert Comment

by:jambear
We fixed our issue by blocking port 25 on our firewall. Haven't had any issues since.
0
LVL 76

Author Comment

by:Alan Hardisty
Sorry - talking crap earlier!  If the Recipient is Invalid, then the Exchange server will reject the connection and the sending server is responsible for sending the NDR message, so enabling Recipient Filtering means that Exchange doesn't accept the message, try to deliver it, realise the recipient is invalid and then, because it has accepted the message, Exchange HAS to send back an NDR message, which, when the sender is a spoofed address, results in Backscatter.

If a legitimate sender sends an email and Recipient filtering is enabled, Exchange doesn't accept the message and that's that.  It's down to the sending server to tell the sender the response code from the Exchange Server in an NDR message and if the sending server doesn't generate an NDR, then that's down to the configuration of the sending server.   It's not your fault because you enabled Recipient Filtering.

@jambear - Blocking port 25 will stop the problem happily - but it also means no emails from anyone else (short of a smarthost using a different port).
0

Expert Comment

by:shutterhacker
Thank you Alan. That's clear. But I am still wary about enabling it. If the sending server does tell the legit user his mail did not go through, even in a few cases, it causes more harm than my server potentially being listed on backscattering.org.

Jambear's blocking 25: I think he/she meant block outgoing 25 for all hosts on the LAN except Exchange's edge/hub, to avoid virus-infected hosts sending out spam. This is a separate issue of course.
0

Expert Comment

by:jambear
Yup, we use a smarthost.
0
LVL 76

Author Comment

by:Alan Hardisty
Being listed on Backscatterer.org would cause your outbound emails to be rejected (by some organisations) - so you need to weigh up the cost of you not being able to send some emails vs some people not being told that the email they sent you didn't arrive.  Personally I know which I would prefer.

Blocking port 25 outbound is a very separate issue (and should be done as a matter of course - apart from the Exchange server of course).
0
