Solved

exchange 2013 - bounce back messages not working

Posted on 2014-11-22
3
710 Views
Last Modified: 2014-11-23
Hi guys,
I have exchange 2013 - infront of this i have websence hosted email security - when an external user sends an email to an incorrect user in our domain or to a random address the sender is not getting no bounce back - have checked websence and the logs show our exchange has accepted the email.  However internally the bounce backs works fine....
0
Comment
Question by:jag b
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40459316
You need to enable recipient filtering on the Exchange server.
These are part of the antispam agents which are not installed by default.
Install the agents from EMS thus:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
http://technet.microsoft.com/en-us/library/bb201691(v=exchg.150).aspx

Then enable the agents:

Set-RecipientFilterConfig -RecipientValidationEnabled $true
http://technet.microsoft.com/en-us/library/aa998613(v=exchg.150).aspx

HOWEVER, you shouldn't be using Exchange for recipient filtering. That is too late. The recipient filtering should be happening at the point of delivery - your Websense Email Security platform should be doing it. I would check whether it can.
Furthermore, it may well be that the Websense platform is rejecting the NDRs, because they are a form of backscatter which can get you blacklisted. Again this is resolved by doing the filtering at the point of delivery.

If you already have the recipient filtering enabled, then the problem is with the Websense platform rejecting or not allowing the messages through, and you need to review the configuration as I have outlined.

Simon.
0
 

Author Comment

by:jag b
ID: 40459363
Hi simon,
thank you for your reply - further information as below:
On my send connector I am going through a smart host - when I change this to MX record associated then ndr's work fine.... issue with the smart host?  
Is it ok to use the MX record associated with recipient domain?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40459939
The fact that you are able to send the NDRs directly suggests that the smart host is rejecting them.
However it also means you do not have recipient filtering enabled and what you want to do is called backscatter, which will get you blacklisted.

As I wrote above, you should configure the Websense service to reject emails for non-existent senders. Not accept them and then allow Exchange to generate an NDR.

By accepting emails for any recipient and then attempting to NDR them, you are exposing your server to an NDR attack. This is where a spammer sends emails to your server to non-existent recipients on purpose, so your server bounces them to the sender. The sender is spoofed and is the actual target of the spam run. Therefore not only do you get blacklisted, but you end up with a lot of emails in your queues to bad email addresses.

Simon.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
how to add IIS SMTP to handle application/Scanner relays into office 365.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question