?
Solved

exchange 2013 - bounce back messages not working

Posted on 2014-11-22
3
Medium Priority
?
762 Views
Last Modified: 2014-11-23
Hi guys,
I have exchange 2013 - infront of this i have websence hosted email security - when an external user sends an email to an incorrect user in our domain or to a random address the sender is not getting no bounce back - have checked websence and the logs show our exchange has accepted the email.  However internally the bounce backs works fine....
0
Comment
Question by:jag b
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40459316
You need to enable recipient filtering on the Exchange server.
These are part of the antispam agents which are not installed by default.
Install the agents from EMS thus:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
http://technet.microsoft.com/en-us/library/bb201691(v=exchg.150).aspx

Then enable the agents:

Set-RecipientFilterConfig -RecipientValidationEnabled $true
http://technet.microsoft.com/en-us/library/aa998613(v=exchg.150).aspx

HOWEVER, you shouldn't be using Exchange for recipient filtering. That is too late. The recipient filtering should be happening at the point of delivery - your Websense Email Security platform should be doing it. I would check whether it can.
Furthermore, it may well be that the Websense platform is rejecting the NDRs, because they are a form of backscatter which can get you blacklisted. Again this is resolved by doing the filtering at the point of delivery.

If you already have the recipient filtering enabled, then the problem is with the Websense platform rejecting or not allowing the messages through, and you need to review the configuration as I have outlined.

Simon.
0
 

Author Comment

by:jag b
ID: 40459363
Hi simon,
thank you for your reply - further information as below:
On my send connector I am going through a smart host - when I change this to MX record associated then ndr's work fine.... issue with the smart host?  
Is it ok to use the MX record associated with recipient domain?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40459939
The fact that you are able to send the NDRs directly suggests that the smart host is rejecting them.
However it also means you do not have recipient filtering enabled and what you want to do is called backscatter, which will get you blacklisted.

As I wrote above, you should configure the Websense service to reject emails for non-existent senders. Not accept them and then allow Exchange to generate an NDR.

By accepting emails for any recipient and then attempting to NDR them, you are exposing your server to an NDR attack. This is where a spammer sends emails to your server to non-existent recipients on purpose, so your server bounces them to the sender. The sender is spoofed and is the actual target of the spam run. Therefore not only do you get blacklisted, but you end up with a lot of emails in your queues to bad email addresses.

Simon.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question