Exchange 2010 NDRs - Backscatter?

Hey folks,

Exchange 2010 SP3, single server hosting all roles.

Had this issue for some time now. I have been battling with the FFE config for backscatter filtering but it seems pretty useless. Only processed about 164 messages in the last week and only blocked 9.

I have 2 users who are heavily affected by this issue. Their inboxes are being filled with NDRs for emails they obviously aren't sending. "Luscious ladies waiting near you" anyone?? ha

We're yet to end up on any blacklists (so far so good). I've checked MXToolbox and the backscatter website.

I think I have configured all the usual suspects:

Recipient Filtering is enabled
Backscatter filter detection is enabled on Forefront Protections 2010 for Exchange Server

The messages all have a valid from address (the 2 users having the issues). But the recipients are all bogus aol, yahoo, aim etc addresses.

Message header from one of the messages hitting our queue:

Identity: WILDMB01\55528\262183
Subject: Wicked-minded lonely girl renting a room in your area  To do some really kinky things with you!
Internet Message ID: <BBC6D859.66DD7A77@domain.com.au>
From Address: prvs=0343943E68=username@domain.com.au
Status: Ready
Size (KB): 3
Message Source Name: SMTP:Default WILDMB01
Source IP: 109.188.95.123
SCL: -1
Date Received: 23/09/2014 2:15:31 PM
Expiration Time: 25/09/2014 2:15:31 PM
Last Error: 421 4.7.0 [TS01] Messages from our external IP address temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html

They are all pretty much the same.

So, what's the deal with the prefix to the sender's email address: prvs=838338745=?

I've even turned off sending NDRs. Still no joy.

Anyone have any suggestions?

Thanks

Kempy
The_Chadd asked:

suriyaehnop commented:
prvs, called "Simple Private Signature", is just one of the possible tagging schemes; actually, the only one fully specified in the draft. The BATV draft gives a framework that other possible techniques can fit into. Other types of implementations, such as using public key signatures that can be verified by third parties, are mentioned but left undefined. The overall framework is vague/flexible enough that similar systems such as Sender Rewriting Scheme can fit into this framework.

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Is 109.188.95.123 your internal email address?
Do you try to change password for the user to be complex as much as possible?
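As an added illustration (not code from this thread or from any Exchange/Forefront component), here is the prvs layout the BATV draft describes, prvs=KDDDSSSSSS=loc-core, and how a receiving MTA would sign outgoing envelope senders and check inbound bounces against the tag, so that an unsigned or forged bounce address (the backscatter case above) is rejected. The secret key, the 7-day lifetime and the exact HMAC input ordering (DDD followed by the loc-core) are assumptions for the example; the queued address prvs=0343943E68=username@domain.com.au fits the layout as key 0, expiry day 343 mod 1000 and signature 943E68.

```python
import hashlib
import hmac
import re
from datetime import date
from typing import Tuple

# Constructed secret for this example; a real MTA keeps one secret per key number K.
KEYS = {0: b"example-secret-key-0"}
MAX_LIFETIME_DAYS = 7  # how long an outgoing tag stays valid for bounces (assumed)

# prvs=KDDDSSSSSS=loc-core: K key number, DDD expiry day mod 1000, SSSSSS six hex signature chars
PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9A-Fa-f]{6})=(?P<loc>.+)$")


def day_number(year: int, month: int, day: int) -> int:
    """Calendar date as days since 1970-01-01, the unit DDD is derived from."""
    return (date(year, month, day) - date(1970, 1, 1)).days


def prvs_signature(key: bytes, ddd: str, loc_core: str) -> str:
    # Assumption: HMAC-SHA1 over DDD followed by the loc-core, first 6 hex digits kept.
    return hmac.new(key, (ddd + loc_core).encode(), hashlib.sha1).hexdigest()[:6].upper()


def sign_local_part(loc_core: str, key_number: int, today: int) -> str:
    """Tag an outgoing MAIL FROM local-part so that only genuine bounces come back signed."""
    ddd = f"{(today + MAX_LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={key_number}{ddd}{prvs_signature(KEYS[key_number], ddd, loc_core)}={loc_core}"


def verify_local_part(local_part: str, today: int) -> Tuple[bool, str]:
    """Check the RCPT TO local-part of an inbound bounce; returns (accept, reason)."""
    m = PRVS_RE.match(local_part)
    if m is None:
        return False, "untagged bounce address: reject as backscatter"
    key = KEYS.get(int(m["k"]))
    if key is None:
        return False, "unknown key number"
    # DDD is the expiry day mod 1000; a live tag expires today or within the lifetime window.
    remaining = (int(m["ddd"]) - today) % 1000
    if remaining > MAX_LIFETIME_DAYS:
        return False, "tag expired or dated too far ahead"
    expected = prvs_signature(key, m["ddd"], m["loc"])
    if not hmac.compare_digest(expected, m["sig"].upper()):
        return False, "bad signature: forged or replayed tag"
    return True, "genuine bounce for " + m["loc"]


if __name__ == "__main__":
    sent = sign_local_part("username", 0, day_number(2014, 9, 23))
    print(sent, verify_local_part(sent, day_number(2014, 9, 24)))
    print(verify_local_part("username", day_number(2014, 9, 24)))
```

The tag lives in the envelope MAIL FROM only; the header From: stays untouched, so users never see it.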

The_Chadd (Author) commented:
Is 109.188.95.123 your internal email address?
Do you try to change password for the user to be complex as much as possible?

Thanks for your reply suriyaehnop.

That is not our external IP address. This 'source ip' changes depending on the email. Sometimes it is the same, but usually different. That's why I'm a little confused: the source IP is external to our public IP range and I have confirmed that we are not an open relay.

I have not changed the users passwords. I will give this a try and report back.

Kempy

EDIT: Sorry, that IP address is not our internal or external. Surprise, surprise... it's from Russia...
Alan Hardisty (Co-Owner) commented:
I would suggest installing a Trial of Vamsoft ORF Fusion (or any other Anti-Spam product) as this should easily tackle the NDR spam so that it doesn't make it to your Inboxes.

You should also set up an SPF record, if you haven't already, which essentially publishes a list of servers that are permitted to send mail on behalf of your domain, and then receiving servers can reject emails if they aren't listed in your SPF record.

Alan

The_Chadd (Author) commented:
Thanks Alan.

I had looked at ORF Fusion, but as our Exchange environment is completely internal (no edge transport or hub transport in the perimeter network) there seem to be limitations:

http://vamsoft.com/support/docs/how-tos/deployment-5.3#deployment-behind-perimeter

Has anyone set this up on the internal network and had it working successfully (and without too much degradation in performance?)

I have an SPF record in place, but the mail messages are legitimate as they are being generated by a mailbox (2 mailboxes) on my on-premises Exchange. Isn't that the point of backscatter?

You can see in the message header of one of the SPAM messages above that the from address is one of ours. The message source name is our default receive connector. The source IP is not one of ours and is not on our SPF record.
Is this because the message was originally from an outside source and my email server is trying to send an NDR to the sender? Not too sure how this works.

Is there any way that I can set transport rules or something like that just on these 2 mailboxes? As it is only these 2 that are having the issues...

Thanks

Kempy
The_Chadd (Author) commented:
I have finally had a chance to reset the users passwords (forcing them to use special characters was a challenge)...

So far so good... the queues haven't seen any new SPAM mail messages since implementing the PW change.

I will monitor for the remainder of the day and award the point accordingly.

Thanks.
The_Chadd (Author) commented:
Thanks for the tip on password reset. Worked a charm.

Sometimes the most obvious (and easiest) answer is overlooked...