Exchange 2010 NDR's - Backscatter?

Posted on 2014-09-22
Medium Priority
Last Modified: 2014-09-24
Hey folks,

Exchange 2010 SP3, single server hosting all roles.

Had this issue for some time now..  I have been battling with the FFE config for backscatter filtering but it seems pretty useless. Only processed about 164 messages in the last week and only blocked 9.

I have 2 users who are heavily affected by this issue. Their inboxes are being filled with NDR's for emails they obviously aren't sending "Luscious ladies waiting near you" anyone??  ha

We're yet to end up on any blacklists (so far so good). I've checked MXToolbox and the backscatter website.

I think I have configured all the usual suspects:

Recipient Filtering is enabled
Backscatter filter detection is enabled on Forefront Protection 2010 for Exchange Server

The messages all have a valid from address (the 2 users having the issues). But the recipients are all bogus aol, yahoo, aim etc addresses.

Message header from one of the messages hitting our queue:

Identity: WILDMB01\55528\262183
Subject: Wicked-minded lonely girl renting a room in your area  To do some really kinky things with you!
Internet Message ID: <BBC6D859.66DD7A77@domain.com.au>
From Address: prvs=0343943E68=username@domain.com.au
Status: Ready
Size (KB): 3
Message Source Name: SMTP:Default WILDMB01
Source IP:
SCL: -1
Date Received: 23/09/2014 2:15:31 PM
Expiration Time: 25/09/2014 2:15:31 PM
Last Error: 421 4.7.0 [TS01] Messages from our external IP address temporarily deferred due to user complaints -; see http://postmaster.yahoo.com/421-ts01.html

They are all pretty much the same.

So, what's the deal with the prefix to the sender's email address: prvs=838338745=?

I've even turned off sending NDR's. Still no joy.

Anyone have any suggestions?


Question by:The_Chadd

Accepted Solution

suriyaehnop earned 2000 total points
ID: 40338370
prvs, called "Simple Private Signature", is just one of the possible tagging schemes; actually, the only one fully specified in the draft. The BATV draft gives a framework that other possible techniques can fit into. Other types of implementations, such as using public key signatures that can be verified by third parties, are mentioned but left undefined. The overall framework is vague/flexible enough that similar systems such as Sender Rewriting Scheme can fit into this framework.


Is your internal email address?
Do you try to change password for the user to be complex as much as possible?
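
The prvs tag layout mentioned in the answer above, as an added example (not part of the original post and not code from any BATV implementation): a Python sketch that parses a `prvs=KDDDSSSSSS=` envelope address and validates it the way a bounce filter would. The field layout follows the BATV draft's description as understood here; the HMAC key, the key table and the 7-day lifetime are constructed assumptions.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# prvs=KDDDSSSSSS=local@domain: K key number, DDD expiry day (days since
# 1970-01-01 mod 1000), SSSSSS first 3 bytes of HMAC-SHA1 in hex.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9A-Fa-f]{6})=([^@\s]+@[^@\s]+)$")
EPOCH = date(1970, 1, 1)


def _mac(key, kddd, addr):
    digest = hmac.new(key, (kddd + addr).encode("utf-8"), hashlib.sha1).digest()
    return digest[:3].hex().upper()


def make_prvs(addr, key, key_num, today, lifetime_days=7):
    """Tag an outbound envelope sender (lifetime_days is an assumed policy)."""
    ddd = ((today - EPOCH).days + lifetime_days) % 1000
    kddd = f"{key_num}{ddd:03d}"
    return f"prvs={kddd}{_mac(key, kddd, addr)}={addr}"


def parse_prvs(address):
    m = PRVS_RE.match(address)
    if m is None:
        return None
    k, ddd, sig, orig = m.groups()
    return {"key_num": int(k), "expiry_mod": int(ddd), "sig": sig.upper(), "orig": orig}


def expiry_date(expiry_mod, seen_on):
    """Resolve the mod-1000 day number to the date closest to seen_on."""
    delta = (expiry_mod - (seen_on - EPOCH).days) % 1000
    if delta > 500:
        delta -= 1000
    return seen_on + timedelta(days=delta)


def check_bounce_rcpt(rcpt, keys, today):
    """Decide what to do with a null-sender message (a bounce) sent to rcpt."""
    tag = parse_prvs(rcpt)
    if tag is None:
        return "reject: untagged"
    key = keys.get(tag["key_num"])
    if key is None:
        return "reject: unknown key"
    kddd = f"{tag['key_num']}{tag['expiry_mod']:03d}"
    if not hmac.compare_digest(_mac(key, kddd, tag["orig"]), tag["sig"]):
        return "reject: bad signature"
    if expiry_date(tag["expiry_mod"], today) < today:
        return "reject: expired"
    return "accept"
```

Under this layout, the From Address in the question's queue entry (`prvs=0343943E68=username@domain.com.au`) parses as key 0 with expiry day 343, which resolves to 2014-09-30 relative to the 23/09/2014 receipt date. The signature itself can only be checked by whoever holds the tagging key.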

Author Comment

ID: 40338426
Is your internal email address?
Do you try to change password for the user to be complex as much as possible?

Thanks for your reply suriyaehnop.

That is not our external IP address. This 'source ip' changes depending on the email. Sometimes it is the same, but usually different.  That's why I'm a little confused, the source IP is external to our public IP range and I have confirmed that we are not an open relay.

I have not changed the users passwords. I will give this a try and report back.


EDIT:  Sorry, that IP address is not our internal or external. Surprise, surprise,...  it's from Russia...

Expert Comment

by:Alan Hardisty
ID: 40338598
I would suggest installing a Trial of Vamsoft ORF Fusion (or any other Anti-Spam product) as this should easily tackle the NDR spam so that it doesn't make it to your Inboxes.

You should also set up an SPF record, if you haven't already, which essentially publishes a list of servers that are permitted to send mail on behalf of your domain and then receiving servers can reject emails if they aren't listed on your SPF record.


Author Comment

ID: 40340527
Thanks Alan.  

I had looked at ORF Fusion, but as our Exchange environment is completely internal (no edge transport or hub transport in the perimeter network) there seem to be limitations:


Has anyone set this up on the internal network and had it working successfully (and without too much degradation in performance?)

I have an SPF record in place, but the mail messages are legitimate as they are being generated by a mailbox (2 mailboxes) on my on premises exchange. Isn't that the point of backscatter?

You can see in the message header of one of the SPAM messages above, that the from address is one of ours. The Message source name is our default receive connector. The source IP is not one of ours and is not on our SPF record.
Is this because the message was originally from an outside source and my email server is trying to send an NDR to the sender? Not too sure how this works.

Is there any way that I can set transport rules or something like that just on these 2 mailboxes? As it is only these 2 that are having the issues...



Author Comment

ID: 40340752
I have finally had a chance to reset the users' passwords (forcing them to use special characters was a challenge)...

So far so good...  the queues haven't seen any new SPAM mail messages since implementing the PW change.

I will monitor for the remainder of the day and award the point accordingly.


Author Closing Comment

ID: 40343029
Thanks for the tip on password reset. Worked a charm.

Sometimes the most obvious (and easiest) answer is overlooked...

Question has a verified solution.
