

Exchange 2010 NDR's - Backscatter?

Posted on 2014-09-22
Medium Priority
Last Modified: 2014-09-24
Hey folks,

Exchange 2010 SP3, single server hosting all roles.

Had this issue for some time now. I have been battling with the FFE config for backscatter filtering, but it seems pretty useless. Only processed about 164 messages in the last week and only blocked 9.

I have 2 users who are heavily affected by this issue. Their inboxes are being filled with NDRs for emails they obviously aren't sending. "Luscious ladies waiting near you" anyone?? ha

We're yet to end up on any blacklists (so far so good). I've checked MXToolbox and the backscatter website.

I think I have configured all the usual suspects:

Recipient Filtering is enabled
Backscatter filter detection is enabled on Forefront Protections 2010 for Exchange Server

The messages all have a valid from address (the 2 users having the issues). But the recipients are all bogus aol, yahoo, aim etc addresses.

Message header from one of the messages hitting our queue:

Identity: WILDMB01\55528\262183
Subject: Wicked-minded lonely girl renting a room in your area  To do some really kinky things with you!
Internet Message ID: <BBC6D859.66DD7A77@domain.com.au>
From Address: prvs=0343943E68=username@domain.com.au
Status: Ready
Size (KB): 3
Message Source Name: SMTP:Default WILDMB01
Source IP:
SCL: -1
Date Received: 23/09/2014 2:15:31 PM
Expiration Time: 25/09/2014 2:15:31 PM
Last Error: 421 4.7.0 [TS01] Messages from our external IP address temporarily deferred due to user complaints -; see http://postmaster.yahoo.com/421-ts01.html

They are all pretty much the same.

So, what's the deal with the prefix to the sender's email address: prvs=838338745=?

I've even turned off sending NDRs. Still no joy.

Anyone have any suggestions?


Question by: The_Chadd

Accepted Solution

suriyaehnop earned 2000 total points
ID: 40338370
prvs, called "Simple Private Signature", is just one of the possible tagging schemes; actually, the only one fully specified in the draft. The BATV draft gives a framework that other possible techniques can fit into. Other types of implementations, such as using public key signatures that can be verified by third parties, are mentioned but left undefined. The overall framework is vague/flexible enough that similar systems such as Sender Rewriting Scheme can fit into this framework.


Is your internal email address?
Have you tried changing the user's password to be as complex as possible?
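As an added illustration of the tag format the accepted answer describes (this is example code, not from the thread and not Exchange's or Forefront's implementation): a prvs tag has the shape `prvs=KDDDHHHHHH=original-address`, where K is a one-digit key number, DDD the expiry day (days since 1970-01-01, modulo 1000) and HHHHHH six hex digits of signature. The queue entry in the question, `prvs=0343943E68=username@domain.com.au`, decodes to key 0, expiry day 343 and signature 943E68; day 343 is exactly 7 days after 23 September 2014 (day 16336 since the epoch), the usual one-week tag lifetime. The signature below is computed as the first six hex digits of HMAC-SHA1 over the key number, expiry day and address with a constructed secret; that hash input is an assumption, and because the asker's server's secret is unknown the real signature in the queue entry cannot be checked here.

```python
"""BATV 'prvs' tags (draft-levine-smtp-batv): decode, create and verify.

Tag layout: prvs=<key-num 1 digit><expiry day 3 digits><hash 6 hex>=<orig address>
Expiry day = (days since 1970-01-01 + lifetime) mod 1000.
"""
import hashlib
import hmac
import re
from datetime import date

PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9A-Fa-f]{6})=(?P<orig>.+@.+)$")
EPOCH = date(1970, 1, 1)

# Constructed secret keyed by key-num; the asker's server uses its own, unknown key.
KEYS = {0: b"constructed-batv-secret"}


def days_since_epoch(d):
    return (d - EPOCH).days


def _prvs_hash(secret, key_id, expiry_day, orig):
    # Assumption: HMAC-SHA1 over key-num || expiry day || address, first 6 hex digits.
    msg = f"{key_id}{expiry_day:03d}{orig}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6].upper()


def prvs_sign(orig, secret, key_id=0, today=None, lifetime=7):
    """Tag an envelope sender so that bounces to it can be recognised later."""
    expiry_day = (days_since_epoch(today or date.today()) + lifetime) % 1000
    sig = _prvs_hash(secret, key_id, expiry_day, orig)
    return f"prvs={key_id}{expiry_day:03d}{sig}={orig}"


def parse_prvs(addr):
    """Split a tagged address into its fields, or return None if it is not tagged."""
    m = PRVS_RE.match(addr)
    if m is None:
        return None
    return {"key_id": int(m["key"]), "expiry_day": int(m["day"]),
            "sig": m["sig"].upper(), "orig": m["orig"]}


def prvs_verify(addr, keys=KEYS, today=None, max_lifetime=7):
    """Classify the recipient of an incoming bounce: 'ok' means we really sent it."""
    tag = parse_prvs(addr)
    if tag is None:
        return "untagged", addr
    secret = keys.get(tag["key_id"])
    if secret is None:
        return "unknown-key", tag["orig"]
    # Days until expiry, mod 1000; more than the lifetime means the day is in the past.
    days_left = (tag["expiry_day"] - days_since_epoch(today or date.today())) % 1000
    if days_left > max_lifetime:
        return "expired", tag["orig"]
    expected = _prvs_hash(secret, tag["key_id"], tag["expiry_day"], tag["orig"])
    if not hmac.compare_digest(expected, tag["sig"]):
        return "bad-signature", tag["orig"]
    return "ok", tag["orig"]


if __name__ == "__main__":
    received = date(2014, 9, 23)  # "Date Received" in the queue entry
    queued = "prvs=0343943E68=username@domain.com.au"
    print(parse_prvs(queued), "days since epoch:", days_since_epoch(received))
    mine = prvs_sign("username@domain.com.au", KEYS[0], today=received)
    print(mine, prvs_verify(mine, today=received))
    print(prvs_verify(queued, today=received))  # cannot be verified with our key
```

A bounce addressed to an untagged, expired or wrongly signed return path is for a message this server never sent and can be rejected at RCPT time; that is the check a backscatter filter performs. It cannot help when the messages really were submitted through your own server, which is what the rest of this thread points to.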

Author Comment

ID: 40338426
Is your internal email address?
Have you tried changing the user's password to be as complex as possible?

Thanks for your reply suriyaehnop.

That is not our external IP address. This 'source ip' changes depending on the email. Sometimes it is the same, but usually different. That's why I'm a little confused: the source IP is external to our public IP range and I have confirmed that we are not an open relay.

I have not changed the users passwords. I will give this a try and report back.


EDIT: Sorry, that IP address is not our internal or external. Surprise, surprise... it's from Russia...

Expert Comment

by:Alan Hardisty
ID: 40338598
I would suggest installing a Trial of Vamsoft ORF Fusion (or any other Anti-Spam product) as this should easily tackle the NDR spam so that it doesn't make it to your Inboxes.

You should also setup an SPF record, if you haven't already, which essentially publishes a list of servers that are permitted to send mail on behalf of your domain and then receiving servers can reject emails if they aren't listed on your SPF record.



Author Comment

ID: 40340527
Thanks Alan.  

I had looked at ORF Fusion, but as our Exchange environment is completely internal (no edge transport or hub transport in the perimeter network) there seem to be limitations:


Has anyone set this up on the internal network and had it working successfully (and without too much degradation in performance?)

I have an SPF record in place, but the mail messages are legitimate as they are being generated by a mailbox (2 mailboxes) on my on premises exchange. Isn't that the point of backscatter?

You can see in the message header of one of the SPAM messages above, that the from address is one of ours. The Message source name is our default receive connector. The source IP is not one of ours and is not on our SPF record.
Is this because the message was originally from an outside source and my email server is trying to send an NDR to the sender? Not too sure how this works.

Is there any way that I can set transport rules or something like that just on these 2 mailboxes? As it is only these 2 that are having the issues...



Author Comment

ID: 40340752
I have finally had a chance to reset the users passwords (forcing them to use special characters was a challenge)...

So far so good... the queues haven't seen any new SPAM mail messages since implementing the PW change.

I will monitor for the remainder of the day and award the point accordingly.


Author Closing Comment

ID: 40343029
Thanks for the tip on password reset. Worked a charm.

Sometimes the most obvious (and easiest) answer is overlooked...
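The outcome of the thread (the queues went quiet once the two passwords were reset), taken together with the queue entry in the question (an external source IP, yet "Message Source Name: SMTP:Default WILDMB01", i.e. the default receive connector, which accepts authenticated submissions), points to someone submitting mail through the server with those users' credentials rather than to backscatter. The following is an added example, not code from the thread or from Exchange: it reads Exchange 2010 message-tracking log lines in the MSGTRK*.LOG CSV layout (a `#Fields:` header followed by records) and lists RECEIVE events where the sender is one of your own addresses but the submitting client IP is outside your networks. The six records, the server name reuse, the IP ranges treated as internal and the field layout are all constructed assumptions; the subject and message ID of one record are copied from the queue entry above.

```python
"""Triage Exchange 2010 message tracking logs for the pattern in this thread:
mail accepted on a receive connector from an IP outside the organisation, with
an internal mailbox as the sender (authenticated submission with someone else's
credentials), as opposed to backscatter from elsewhere."""
import csv
import ipaddress
from collections import Counter

OUR_DOMAIN = "domain.com.au"  # from the queue entry in the question
# Assumed: RFC 1918 space plus a constructed public range for the organisation.
TRUSTED_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/29"]

# Constructed sample in the Exchange 2010 MSGTRK*.LOG layout (values are made up).
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2014-09-23T04:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip
2014-09-23T03:58:02.000Z,10.0.0.25,PC25.corp.local,10.0.0.5,WILDMB01,,WILDMB01\Default WILDMB01,SMTP,RECEIVE,55501,<a1@domain.com.au>,colleague@partner.example,,2100,1,,,Q3 report,username@domain.com.au,username@domain.com.au,,Originating,,,
2014-09-23T04:02:11.000Z,203.0.113.50,mx.yahoo.example,10.0.0.5,WILDMB01,,WILDMB01\Default WILDMB01,SMTP,RECEIVE,55510,<b2@yahoo.example>,seconduser@domain.com.au,,5400,1,,,Lunch,friend@yahoo.example,friend@yahoo.example,,Incoming,,,
2014-09-23T04:15:31.000Z,198.51.100.77,,10.0.0.5,WILDMB01,,WILDMB01\Default WILDMB01,SMTP,RECEIVE,55528,<BBC6D859.66DD7A77@domain.com.au>,lonelyguy42@aol.example,,3072,1,,,Wicked-minded lonely girl renting a room in your area,username@domain.com.au,username@domain.com.au,,Originating,,,
2014-09-23T04:16:09.000Z,203.0.113.9,,10.0.0.5,WILDMB01,,WILDMB01\Default WILDMB01,SMTP,RECEIVE,55529,<c3@domain.com.au>,dreamer77@yahoo.example,,3011,1,,,Lonely girl in your area,username@domain.com.au,username@domain.com.au,,Originating,,,
2014-09-23T04:17:44.000Z,198.51.100.77,,10.0.0.5,WILDMB01,,WILDMB01\Default WILDMB01,SMTP,RECEIVE,55530,<d4@domain.com.au>,buddy99@aim.example,,2988,1,,,Kinky things,seconduser@domain.com.au,seconduser@domain.com.au,,Originating,,,
2014-09-23T04:20:00.000Z,10.0.0.5,WILDMB01,10.0.0.5,WILDMB01,,,STOREDRIVER,RECEIVE,55531,<e5@domain.com.au>,colleague@partner.example,,1800,1,,,Meeting,username@domain.com.au,username@domain.com.au,,Originating,,,
"""


def parse_tracking_log(text):
    """Return the records as dicts keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].strip().split(",")
            continue
        rows.append(line)
    if fields is None:
        raise ValueError("no #Fields: header in tracking log")
    return list(csv.DictReader(rows, fieldnames=fields))


def _client_ip(raw):
    # Exchange 2010 logs "ip"; later versions log "ip:port" for IPv4. Keep the address.
    if raw.count(":") == 1:
        raw = raw.split(":", 1)[0]
    return ipaddress.ip_address(raw)


def find_external_submissions(records, our_domain=OUR_DOMAIN, trusted_nets=TRUSTED_NETS):
    """RECEIVE-over-SMTP events with one of our senders but a foreign client IP."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for r in records:
        if r.get("event-id") != "RECEIVE" or r.get("source") != "SMTP":
            continue  # store-driver submissions from Outlook are not SMTP logons
        sender = (r.get("sender-address") or "").lower()
        if not sender.endswith("@" + our_domain.lower()) or not r.get("client-ip"):
            continue
        ip = _client_ip(r["client-ip"])
        if any(ip in net for net in nets):
            continue
        hits.append({"time": r["date-time"], "client_ip": str(ip), "sender": sender,
                     "recipient": r.get("recipient-address", ""),
                     "connector": r.get("connector-id", ""),
                     "subject": r.get("message-subject", "")})
    return hits


def summarize(hits):
    """Which mailboxes to reset, and which client IPs to block or watch."""
    return {"by_sender": Counter(h["sender"] for h in hits),
            "by_client_ip": Counter(h["client_ip"] for h in hits)}


if __name__ == "__main__":
    hits = find_external_submissions(parse_tracking_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["time"]} {h["client_ip"]:>15} {h["sender"]} -> {h["recipient"]}  "{h["subject"]}"')
    summary = summarize(hits)
    print("accounts to reset:", sorted(summary["by_sender"]))
    print("submitting IPs:", dict(summary["by_client_ip"]))
```

On the server itself the same fields are returned by `Get-MessageTrackingLog -EventId RECEIVE` (ClientIp, ConnectorId, Source, Sender, Recipients), so the filter can be applied there directly. The accounts in `by_sender` are the ones whose passwords need resetting, as the asker did; rerunning the check after the reset confirms that submissions from the foreign IPs have actually stopped rather than just the queue being empty.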
