Exchange 2010 NDRs - Backscatter?

Posted on 2014-09-22
Last Modified: 2014-09-24
Hey folks,

Exchange 2010 SP3, single server hosting all roles.

I've had this issue for some time now. I have been battling with the FFE config for backscatter filtering, but it seems pretty useless. It only processed about 164 messages in the last week and only blocked 9.

I have 2 users who are heavily affected by this issue. Their inboxes are being filled with NDRs for emails they obviously aren't sending. "Luscious ladies waiting near you", anyone?? ha

We're yet to end up on any blacklists (so far so good). I've checked MXToolbox and the backscatter website.

I think I have configured all the usual suspects:

Recipient Filtering is enabled
Backscatter filter detection is enabled on Forefront Protections 2010 for Exchange Server

The messages all have a valid from address (the 2 users having the issues). But the recipients are all bogus aol, yahoo, aim etc addresses.

Message header from one of the messages hitting our queue:

Identity: WILDMB01\55528\262183
Subject: Wicked-minded lonely girl renting a room in your area  To do some really kinky things with you!
Internet Message ID: <>
From Address:
Status: Ready
Size (KB): 3
Message Source Name: SMTP:Default WILDMB01
Source IP:
SCL: -1
Date Received: 23/09/2014 2:15:31 PM
Expiration Time: 25/09/2014 2:15:31 PM
Last Error: 421 4.7.0 [TS01] Messages from our external IP address temporarily deferred due to user complaints -; see

They are all pretty much the same.

So, what's the deal with the prefix to the sender's email address: prvs=838338745=?

I've even turned off sending NDRs. Still no joy.

Anyone have any suggestions?


Question by:The_Chadd
LVL 19

Accepted Solution

suriyaehnop earned 500 total points
ID: 40338370
prvs, called "Simple Private Signature", is just one of the possible tagging schemes; actually, the only one fully specified in the draft. The BATV draft gives a framework that other possible techniques can fit into. Other types of implementations, such as using public key signatures that can be verified by third parties, are mentioned but left undefined. The overall framework is vague/flexible enough that similar systems such as Sender Rewriting Scheme can fit into this framework.

Is your internal email address?
Have you tried changing the user's password to one that is as complex as possible?
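To make the prvs tagging that suriyaehnop describes concrete, here is a small tagger/verifier written for this edit; it is not code from the thread, from Exchange or from Forefront. It follows the shape given in the BATV draft (prvs=KDDDSSSSSS=local-part@domain: a one-digit key id K, a three-digit expiry day DDD, and six hex digits of a truncated HMAC-SHA1). The exact byte string fed to the HMAC, the key, the addresses and the dates are assumptions for the demo. It also shows why the scheme only helps against backscatter: a bounce to an untagged address is rejected, but nothing here stops mail submitted with a user's valid credentials, which is what the password reset later in this thread addressed.

```python
"""Toy BATV "prvs" tagger/verifier (example code for this edit, not
Exchange/Forefront's implementation). Tag shape per the BATV draft:
    prvs=KDDDSSSSSS=local-part@domain
K = key id (0-9), DDD = expiry day mod 1000, SSSSSS = 6 hex digits of HMAC-SHA1.
The HMAC input below (key id + expiry day + untagged address) is an assumption."""
import hashlib
import hmac
import re
from datetime import date, timedelta

PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<addr>[^@]+@.+)$"
)


def _day_number(d):
    """Days since 1970-01-01; only the last three digits go into the tag."""
    return (d - date(1970, 1, 1)).days


def _signature(key, key_id, ddd, address):
    # Assumed HMAC input: key id, 3-digit expiry day, lower-cased address.
    msg = f"{key_id}{ddd:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, key, key_id, today, lifetime_days=7):
    """Rewrite MAIL FROM so bounces come back to a signed, expiring address."""
    local, domain = address.rsplit("@", 1)
    ddd = (_day_number(today) + lifetime_days) % 1000
    sig = _signature(key, key_id, ddd, address)
    return f"prvs={key_id}{ddd:03d}{sig}={local}@{domain}"


def verify_bounce_recipient(rcpt, keys, today):
    """Decide whether a bounce (MAIL FROM:<>) addressed to rcpt is for mail we sent.

    Returns (accept, reason) on rejection or (True, original_address) on success.
    """
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "untagged recipient: bounce is for mail we never sent"
    key_id, ddd, address = int(m["k"]), int(m["ddd"]), m["addr"]
    if key_id not in keys:
        return False, "unknown key id"
    expected = _signature(keys[key_id], key_id, ddd, address)
    if not hmac.compare_digest(expected, m["sig"].lower()):
        return False, "signature mismatch"
    # DDD is the expiry day mod 1000; a wrapped-around distance means it has passed.
    if (ddd - _day_number(today) % 1000) % 1000 > 500:
        return False, "tag expired"
    return True, address


# Constructed demo inputs (the date matches the queued message in the thread).
DEMO_KEYS = {1: b"rotate-me-regularly"}      # in practice keys live in a store and rotate
DEMO_TODAY = date(2014, 9, 23)
DEMO_LATER = DEMO_TODAY + timedelta(days=30)  # well past the 7-day tag lifetime


def demo():
    """Tag one envelope sender, then check four kinds of bounce recipient."""
    tagged = tag_sender("user@example.com", DEMO_KEYS[1], 1, DEMO_TODAY)
    # Flip the first signature hex digit to simulate a forged tag.
    tampered = tagged[:9] + ("0" if tagged[9] != "0" else "1") + tagged[10:]
    return {
        "tagged": tagged,
        "genuine": verify_bounce_recipient(tagged, DEMO_KEYS, DEMO_TODAY),
        "untagged": verify_bounce_recipient("user@example.com", DEMO_KEYS, DEMO_TODAY),
        "tampered": verify_bounce_recipient(tampered, DEMO_KEYS, DEMO_TODAY),
        "expired": verify_bounce_recipient(tagged, DEMO_KEYS, DEMO_LATER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting: the verifier checks the signature before the expiry day, so an attacker cannot learn anything from the expiry check without a valid tag, and the key id digit exists so keys can be rotated while tags signed under the previous key are still in flight. A genuine NDR for mail the server sent arrives at the tagged address and is accepted; a bounce for mail spoofed elsewhere arrives at the plain address and is dropped. That is all BATV does: it does nothing for the case in this thread, where the "From" is a real mailbox and the message entered through the receive connector from a foreign IP.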

Author Comment

ID: 40338426
Is your internal email address?
Have you tried changing the user's password to one that is as complex as possible?

Thanks for your reply suriyaehnop.

That is not our external IP address. This 'source IP' changes depending on the email. Sometimes it is the same, but usually different. That's why I'm a little confused: the source IP is external to our public IP range, and I have confirmed that we are not an open relay.

I have not changed the users passwords. I will give this a try and report back.


EDIT: Sorry, that IP address is neither our internal nor our external one. Surprise, surprise... it's from Russia...
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40338598
I would suggest installing a Trial of Vamsoft ORF Fusion (or any other Anti-Spam product) as this should easily tackle the NDR spam so that it doesn't make it to your Inboxes.

You should also setup an SPF record, if you haven't already, which essentially publishes a list of servers that are permitted to send mail on behalf of your domain and then receiving servers can reject emails if they aren't listed on your SPF record.


Author Comment

ID: 40340527
Thanks Alan.  

I had looked at ORF Fusion, but as our Exchange environment is completely internal (no edge transport or hub transport in the perimeter network) there seem to be limitations:

Has anyone set this up on the internal network and had it working successfully (and without too much degradation in performance?)

I have an SPF record in place, but the mail messages are legitimate as they are being generated by a mailbox (2 mailboxes) on my on premises exchange. Isn't that the point of backscatter?

You can see in the message header of one of the SPAM messages above, that the from address is one of ours. The Message source name is our default receive connector. The source IP is not one of ours and is not on our SPF record.
Is this because the message was originally from an outside source and my email server is trying to send an NDR to the sender? Not too sure how this works.

Is there any way that I can set transport rules or something like that just on these 2 mailboxes? As it is only these 2 that are having the issues...



Author Comment

ID: 40340752
I have finally had a chance to reset the users passwords (forcing them to use special characters was a challenge)...

So far so good... the queues haven't seen any new SPAM mail messages since implementing the PW change.

I will monitor for the remainder of the day and award the point accordingly.


Author Closing Comment

ID: 40343029
Thanks for the tip on password reset. Worked a charm.

Sometimes the most obvious (and easiest) answer is overlooked...

Question has a verified solution.
