Exchange 2010 NDRs - Backscatter?

Posted on 2014-09-22
Last Modified: 2014-09-24
Hey folks,

Exchange 2010 SP3, single server hosting all roles.

Had this issue for some time now. I have been battling with the FFE config for backscatter filtering, but it seems pretty useless. It only processed about 164 messages in the last week and only blocked 9.

I have 2 users who are heavily affected by this issue. Their inboxes are being filled with NDRs for emails they obviously aren't sending. "Luscious ladies waiting near you", anyone?? ha

We're yet to end up on any blacklists (so far so good). I've checked MXToolbox and the backscatter website.

I think I have configured all the usual suspects:

Recipient Filtering is enabled
Backscatter filter detection is enabled on Forefront Protections 2010 for Exchange Server

The messages all have a valid from address (the 2 users having the issues). But the recipients are all bogus aol, yahoo, aim etc addresses.

Message header from one of the messages hitting our queue:

Identity: WILDMB01\55528\262183
Subject: Wicked-minded lonely girl renting a room in your area  To do some really kinky things with you!
Internet Message ID: <BBC6D859.66DD7A77@domain.com.au>
From Address: prvs=0343943E68=username@domain.com.au
Status: Ready
Size (KB): 3
Message Source Name: SMTP:Default WILDMB01
Source IP: 109.188.95.123
SCL: -1
Date Received: 23/09/2014 2:15:31 PM
Expiration Time: 25/09/2014 2:15:31 PM
Last Error: 421 4.7.0 [TS01] Messages from our external IP address temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html

They are all pretty much the same.

So, what's the deal with the prefix to the sender's email address: prvs=838338745=?

I've even turned off sending NDRs. Still no joy.

Anyone have any suggestions?

Thanks

Kempy
Question by:The_Chadd

Accepted Solution

by:
suriyaehnop earned 500 total points
ID: 40338370
prvs, called "Simple Private Signature", is just one of the possible tagging schemes; actually, the only one fully specified in the draft. The BATV draft gives a framework that other possible techniques can fit into. Other types of implementations, such as using public key signatures that can be verified by third parties, are mentioned but left undefined. The overall framework is vague/flexible enough that similar systems such as Sender Rewriting Scheme can fit into this framework.

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Is 109.188.95.123 your internal email address?
Have you tried changing the user's password to be as complex as possible?
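As an added illustration of the prvs scheme the answer describes (example code, not from the answer, from Forefront or from Exchange), here is a minimal BATV Simple Private Signature tagger and bounce validator. The secret, the 7-day validity window and the HMAC-SHA1 hash input are this example's assumptions; the field layout matches the tag in the question, where DDD=343 is seven days after the 23 September receive date (day 336 modulo 1000).

```python
import hashlib
import hmac
import re
from datetime import date

# BATV "prvs" (Simple Private Signature) tag layout:  prvs=KDDDSSSSSS=localpart@domain
#   K = one-digit key version, DDD = expiry as days since 1970-01-01 modulo 1000,
#   SSSSSS = six hex digits of signature.  In the header above: K=0, DDD=343, sig=943E68.
PRVS_RE = re.compile(r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<addr>[^=]+@[^=]+)$",
                     re.IGNORECASE)
SECRETS = {0: b"constructed-demo-secret"}   # key version -> site secret (assumed, never published)
VALID_DAYS = 7


def day_counter(d):
    """Days since the Unix epoch, modulo 1000, as the DDD field encodes it."""
    return (d - date(1970, 1, 1)).days % 1000


def sign(key, day, address, secrets=SECRETS):
    # The draft leaves the exact hash input to the site; HMAC-SHA1 over K, DDD and the
    # lower-cased address is this example's choice, truncated to 24 bits (6 hex digits).
    msg = f"{key}{day:03d}{address.lower()}".encode()
    return hmac.new(secrets[key], msg, hashlib.sha1).hexdigest()[:6]


def tag_address(address, today, key=0):
    """Rewrite the envelope sender of outgoing mail so that bounces come back tagged."""
    expiry = (day_counter(today) + VALID_DAYS) % 1000
    return f"prvs={key}{expiry:03d}{sign(key, expiry, address)}={address}"


def parse_prvs(address):
    m = PRVS_RE.match(address)
    return None if m is None else {"key": int(m["key"]), "day": int(m["day"]),
                                   "sig": m["sig"].lower(), "addr": m["addr"]}


def validate_bounce(recipient, today, secrets=SECRETS):
    """Decide whether a bounce (null-sender message) addressed to `recipient` is for mail we sent.
    Returns (accept, reason_or_original_address)."""
    t = parse_prvs(recipient)
    if t is None:
        return False, "untagged: bounce for mail we never sent"
    if t["key"] not in secrets:
        return False, "unknown key version"
    if (t["day"] - day_counter(today)) % 1000 > VALID_DAYS:
        return False, "signature expired"
    if not hmac.compare_digest(t["sig"], sign(t["key"], t["day"], t["addr"], secrets)):
        return False, "signature mismatch"
    return True, t["addr"]
```

Note that a valid tag only proves the bounce belongs to mail that really left this server; if the mailbox itself has been hijacked, the spam and its bounces are all legitimately tagged, which is why backscatter filtering alone did not help in this thread.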

Author Comment

by:The_Chadd
ID: 40338426
Is 109.188.95.123 your internal email address?
Have you tried changing the user's password to be as complex as possible?

Thanks for your reply suriyaehnop.

That is not our external IP address. This 'source ip' changes depending on the email. Sometimes it is the same, but usually different. That's why I'm a little confused: the source IP is external to our public IP range, and I have confirmed that we are not an open relay.

I have not changed the users passwords. I will give this a try and report back.

Kempy

EDIT: Sorry, that IP address is not our internal or external. Surprise, surprise... it's from Russia...

Expert Comment

by:Alan Hardisty
ID: 40338598
I would suggest installing a Trial of Vamsoft ORF Fusion (or any other Anti-Spam product) as this should easily tackle the NDR spam so that it doesn't make it to your Inboxes.

You should also set up an SPF record, if you haven't already, which essentially publishes a list of servers that are permitted to send mail on behalf of your domain, so that receiving servers can reject emails from servers that aren't listed in your SPF record.

Alan

Author Comment

by:The_Chadd
ID: 40340527
Thanks Alan.  

I had looked at ORF Fusion, but as our Exchange environment is completely internal (no edge transport or hub transport in the perimeter network) there seem to be limitations:

http://vamsoft.com/support/docs/how-tos/deployment-5.3#deployment-behind-perimeter

Has anyone set this up on the internal network and had it working successfully (and without too much degradation in performance?)

I have an SPF record in place, but the mail messages are legitimate as they are being generated by a mailbox (2 mailboxes) on my on premises exchange. Isn't that the point of backscatter?

You can see in the message header of one of the SPAM messages above, that the from address is one of ours. The Message source name is our default receive connector. The source IP is not one of ours and is not on our SPF record.
Is this because the message was originally from an outside source and my email server is trying to send an NDR to the sender? Not too sure how this works.

Is there any way that I can set transport rules or something like that just on these 2 mailboxes? As it is only these 2 that are having the issues...

Thanks

Kempy
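An added example (not from the thread, nor an Exchange or Forefront feature) that turns the pattern in the queued message above into a check a defender can run over Get-Message style output: an internal From address, arrival over a receive connector, and a Source IP outside the organisation's ranges. The sample records, the trusted networks and the threshold are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of Exchange 2010 Get-Message output; the two
# "username" entries mirror the queued message quoted in the question, other values are made up.
SAMPLE = """\
From Address: prvs=0343943E68=username@domain.com.au
Message Source Name: SMTP:Default WILDMB01
Source IP: 109.188.95.123

From Address: prvs=0343A1B2C3=username@domain.com.au
Message Source Name: SMTP:Default WILDMB01
Source IP: 198.51.100.9

From Address: alice@domain.com.au
Message Source Name: SMTP:Default WILDMB01
Source IP: 192.168.10.25
"""

OUR_DOMAINS = {"domain.com.au"}
# Networks allowed to hand mail to the connector: LAN plus the SPF-listed public range (assumed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "203.0.113.0/28")]
PRVS_TAG = re.compile(r"^prvs=\d[0-9a-f]{9}=", re.IGNORECASE)


def parse_entries(text):
    """One dict per blank-line-separated record; 'key: value' lines, split on the first colon."""
    return [dict((k.strip(), v.strip()) for k, _, v in (ln.partition(":") for ln in blk.splitlines()))
            for blk in text.strip().split("\n\n")]


def sender_of(rec):
    """Sender with any BATV prvs= tag stripped, lower-cased."""
    return PRVS_TAG.sub("", rec.get("From Address", "")).lower()


def is_suspect(rec):
    """Internal sender + arrival over a receive connector + source IP outside our ranges.
    Mail generated on the server itself (including its own NDRs) does not arrive over a
    receive connector from an outside IP, so this points at authenticated submission with
    stolen credentials rather than at backscatter."""
    if sender_of(rec).rpartition("@")[2] not in OUR_DOMAINS:
        return False
    if not rec.get("Message Source Name", "").startswith("SMTP:"):
        return False
    try:
        ip = ipaddress.ip_address(rec.get("Source IP", ""))
    except ValueError:
        return False
    return not any(ip in net for net in TRUSTED_NETS)


def suspect_accounts(entries, threshold=2):
    """Senders with at least `threshold` suspect messages: candidates for a password reset."""
    hits = Counter(sender_of(r) for r in entries if is_suspect(r))
    return {sender: n for sender, n in hits.items() if n >= threshold}
```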
Author Comment

by:The_Chadd
ID: 40340752
I have finally had a chance to reset the users passwords (forcing them to use special characters was a challenge)...

So far so good... the queues haven't seen any new SPAM mail messages since implementing the PW change.

I will monitor for the remainder of the day and award the point accordingly.

Thanks.
Author Closing Comment

by:The_Chadd
ID: 40343029
Thanks for the tip on password reset. Worked a charm.

Sometimes the most obvious (and easiest) answer is overlooked...