
Exchange 2007 / 2010 Backscatter and how to resolve it

Alan Hardisty, Co-Owner

What is Backscatter?

Backscatter is automatically generated Non-Delivery Report emails (NDRs) that are returned in response to emails sent to invalid email recipients. These emails are most commonly sent by spammers who have made up the recipient email address and quite often have forged the sender address too.

How do I know if my server is sending out Backscatter?

A quick way to check is to visit http://www.backscatterer.org/?target=test, enter your IP address and click on Test. If you are listed, the site will tell you so, and you will be sending out Backscatter. If you are not listed, then you hopefully are not sending out Backscatter (or have not yet had an NDR message hit one of the Backscatterer.org spam traps, which will get you listed).

Backscatterer Listing
Another way is to check the outbound queues on your Exchange Server: Start > All Programs > Microsoft Exchange Server (2007 / 2010) > Exchange Management Console, then click on Toolbox in the left-hand pane and open the Queue Viewer in the task pane.
Then double-click a queue with mail that is not going anywhere and see if the sender of the message is <>. The empty sender <> is the null sender that NDR messages are sent from.

Exchange 2007 / 2010 Queue - NDR Message to Invalid Domain
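
The same queue check can be done from the Exchange Management Shell. This is an added example, not part of the original article; it assumes it is run on the transport server itself and that null-sender messages show a FromAddress of <>, as they do in the Queue Viewer.

```powershell
# Added example: list queued messages from the null sender (<>), i.e. NDRs,
# and summarise them per queue so stuck backscatter stands out.
$ndrs = Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' }

$ndrs |
    Group-Object { $_.Queue.ToString() } |
    Sort-Object Count -Descending |
    Select-Object `
        @{ Name = 'Queue';    Expression = { $_.Name } },
        @{ Name = 'NdrCount'; Expression = { $_.Count } },
        @{ Name = 'Oldest';   Expression = {
            ($_.Group | Sort-Object DateReceived |
                Select-Object -First 1).DateReceived } } |
    Format-Table -AutoSize

# Show where those queues are trying to deliver and why they are failing.
# NDRs addressed to made-up sender domains typically sit in Retry.
Get-Queue |
    Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, NextHopDomain, LastError -AutoSize
```

Many null-sender messages queued for domains you never correspond with indicate that the server is accepting mail for invalid recipients and bouncing it afterwards.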

Why is my server sending out Backscatter mail?

When a mail server receives an email message and is not configured for 'Recipient Validation' (Recipient Validation is where the mail server checks to see if the recipient address of an inbound email is valid before accepting the message), the server automatically accepts the message, processes it, realises that the recipient address is invalid, and automatically sends back a Non-Delivery Report email to the sender of the message.

If the mail server is configured with 'Recipient Validation', the server checks all inbound emails for a valid recipient first and if the recipient address does not exist on the server, then the server will immediately reject the email message and no Non-Delivery Report email is sent back to the sender.

Okay – So I am listed – what do I do now?

Open the Exchange Management Shell (Start > All Programs > Microsoft Exchange Server (2007 / 2010) > Exchange Management Shell) and type in the following:

get-recipientfilterconfig | ft RecipientValidationEnabled

Recipient Validation Disabled
You will most likely see the result showing as False (as per the image above), meaning that your server is not filtering Recipients on your server.

To resolve this problem and enable Recipient Filtering, simply type the following in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Recipient Validation Enabled
Now that you have enabled recipient filtering (as per the image above), you will no longer be sending out NDR emails back to spammers and can request de-listing from Backscatterer.org, which should happen automatically after 4 weeks, or you can pay to be express de-listed.
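
The check and the fix above can be combined into one pass that also confirms the setting can take effect. This is an added example, not the author's script; it assumes the agent carries its default name, 'Recipient Filter Agent', and that it is run on the server that receives mail from the Internet.

```powershell
# Added example: run in the Exchange Management Shell on the server that
# receives Internet mail (Edge Transport, or Hub Transport with the
# anti-spam agents installed).

# 1. Recipient filtering is carried out by a transport agent. The setting
#    has no effect unless that agent is installed and enabled.
$agent = Get-TransportAgent |
    Where-Object { "$($_.Identity)" -eq 'Recipient Filter Agent' }

if (-not $agent) {
    Write-Warning ('Recipient Filter Agent not found. On a Hub Transport ' +
        'server, run Install-AntispamAgents.ps1 from the Exchange Scripts ' +
        'folder and restart the Microsoft Exchange Transport service.')
}
elseif (-not $agent.Enabled) {
    Write-Warning ('Recipient Filter Agent is installed but disabled ' +
        '(see Enable-TransportAgent).')
}

# 2. Show the current settings, then enable recipient validation if it is off.
$cfg = Get-RecipientFilterConfig
$cfg | Format-List Enabled, ExternalMailEnabled, RecipientValidationEnabled

if (-not $cfg.RecipientValidationEnabled) {
    Set-RecipientFilterConfig -RecipientValidationEnabled:$true
}

# 3. Read the value back to confirm the change.
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled

# 4. Recipient lookup is only performed for Authoritative accepted domains,
#    so check how each domain you receive mail for is configured.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
```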

Comments (18)

Commented:
We fixed our issue by blocking port 25 on our firewall. Haven't had any issues since.
Alan Hardisty, Co-Owner (Author)

Commented:
Sorry - talking crap earlier!  If the Recipient is Invalid, then the Exchange server will reject the connection and the sending server is responsible for sending the NDR message, so enabling Recipient Filtering means that Exchange doesn't accept the message, try to deliver it, realise the recipient is invalid and then because it has accepted the message, Exchange HAS to send back an NDR message, which when the sender is a spoofed address, results in Backscatter.

If a legitimate sender sends an email and Recipient filtering is enabled, Exchange doesn't accept the message and that's that.  It's down to the sending server to tell the sender the response code from the Exchange Server in an NDR message and if the sending server doesn't generate an NDR, then that's down to the configuration of the sending server.   It's not your fault because you enabled Recipient Filtering.

@jambear - Blocking port 25 will stop the problem happily - but it also means no emails from anyone else (short of a smarthost using a different port).
Thank you Alan. That's clear. But I am still wary about enabling it. If the sending server does tell the legit user his mail did not go through, even in a few cases, it causes more harm than my server potentially being listed on backscattering.org.

Jambear's blocking 25: I think he/she meant block outgoing 25 for all hosts on the LAN except Exchange's edge/hub, to avoid virus-infected hosts sending out spam. This is a separate issue of course.

Commented:
Yup, we use a smarthost.
Alan Hardisty, Co-Owner (Author)

Commented:
Being listed on Backscatterer.org would cause your outbound emails to be rejected (by some organisations) - so you need to weigh up the cost of you not being able to send some emails vs some people not being told that the email they sent you didn't arrive.  Personally I know which I would prefer.

Blocking port 25 outbound is a very separate issue (and should be done as a matter of course - apart from the Exchange server of course).
