TimMcGrath
asked on
MailFlow Office 365 OnPrem- Backscatter?
Greetings,
I currently have several users that are getting slammed with NDRs. These appear to be generated from our onmicrosoft.com domain. Both users have mailboxes on on-prem Exchange 2010.
Environment:
Office 365 Exchange Online - Hybrid - Exchange 2010. We have our staff on-prem and students in Exchange Online.
All users are licensed users and have accounts to O365.
I have 2 users that are getting NDRs delivered to them every few minutes. Looking at the headers, it appears to be coming from a schooldistrict.onmicrosoft.com address. Neither user has sent these messages.
Backscatter is enabled in Exchange Online and I have recipient filter enabled on-prem.
Any help with this would be greatly appreciated.
Headers from the original message attached in the NDR:
Received: from BN6PR12MB1924.namprd12.prod.outlook.com ([10.175.102.18]) by
BN6PR12MB1924.namprd12.prod.outlook.com ([10.175.102.18]) with mapi id
15.01.0829.013; Tue, 10 Jan 2017 15:37:24 +0000
MIME-Version: 1.0
Content-Type: text/plain
Date: Tue, 10 Jan 2017 15:37:24 +0000
Message-ID: <BN6PR12MB19248124FBE3511AA18321D4AB670@BN6PR12MB1924.namprd12.prod.outlook.com>
Subject: GraphTransactionItem:gti
gti.TransactionId:bc98ba9c-aa1a-49bf-82a5-db3f1797a1f5
gti.Name:UpdateSecondaryShallowCopy
Headers from the NDR:
Received: from mail.chichestersd.org (10.30.1.19) by Chi-CAS-01.chi-sd.com
(10.30.1.39) with Microsoft SMTP Server id 14.3.146.0; Tue, 10 Jan 2017
10:36:49 -0500
Received: from pps.filterd (chichestersd-production-vm.chi-sd.com [127.0.0.1])
by chichestersd-production-vm.chi-sd.com (8.14.5/8.14.5) with SMTP id
v0AFU00p008158 for <edougherty@chichestersd.org>; Tue, 10 Jan 2017 10:38:27
-0500
Received: from nam01-sn1-obe.outbound.protection.outlook.com
(mail-sn1nam01lp0120.outbound.protection.outlook.com [207.46.163.120]) by
chichestersd-production-vm.chi-sd.com with ESMTP id 27s2wn1kms-1
(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for
<edougherty@chichestersd.org>; Tue, 10 Jan 2017 10:38:26 -0500
Authentication-Results: chichestersd.org; dkim=none (message not signed)
header.d=none;chichestersd.org; dmarc=none action=none
header.from=Chichesterschooldistrict.onmicrosoft.com;
Received: from BN6PR12MB1924.namprd12.prod.outlook.com (10.175.102.18) by
BN6PR12MB1923.namprd12.prod.outlook.com (10.175.102.17) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.829.7; Tue, 10 Jan 2017 15:37:24 +0000
MIME-Version: 1.0
From: Microsoft Outlook
<MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@Chichesterschooldistrict.onmicrosoft.com>
To: <edougherty@chichestersd.org>
Date: Tue, 10 Jan 2017 15:37:24 +0000
Content-Type: multipart/report; report-type=delivery-status;
boundary="a0b52d82-1420-474f-b26e-b61f561570cd"
X-MS-Exchange-Message-Is-Ndr:
Content-Language: en-US
Message-ID: <eaf635b4-cafa-4607-a2fb-d0748a77fbeb@BN6PR12MB1924.namprd12.prod.outlook.com>
Subject: Undeliverable: GraphTransactionItem:gti
gti.TransactionId:bc98ba9c-aa1a-49bf-82a5-db3f1797a1f5
gti.Name:UpdateSecondaryShallowCopy
Auto-Submitted: auto-replied
X-MS-Office365-Filtering-Correlation-Id: 54ec59a3-b6ba-44ad-ed75-08d4396e931b
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BN6PR12MB1923;
X-LD-Processed: 442302a7-e962-42a4-9b7b-ceaaf9c037ce,ExtAddr
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(189930954265078)(71250378588789);
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(102415395)(9101524098)(601004)(2401047)(8121501046)(3002001)(10201501046);SRVR:BN6PR12MB1923;BCL:0;PCL:0;RULEID:;SRVR:BN6PR12MB1923;
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:BN6PR12MB1923;H:BN6PR12MB1924.namprd12.prod.outlook.com;FPR:;SPF:None;LANG:en;
SpamDiagnosticOutput: 1:0
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jan 2017 15:37:24.3339
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1923
X-OrganizationHeadersPreserved: BN6PR12MB1923.namprd12.prod.outlook.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.154,1.0.8,0.0.0000
definitions=2017-01-10_12:2017-01-10,2017-01-10,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=3 spamscore=0 ndrscore=3 suspectscore=3
adjustscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
adjust=0 reason=mlx scancount=1 engine=7.0.1-1603290000
definitions=main-1701100223
Return-Path: <>
X-MS-Exchange-Organization-AuthSource: Chi-CAS-01.chi-sd.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-CrossPremisesHeadersFiltered: Chi-CAS-01.chi-sd.com
Attached are msg traces from O365 EAC
ASKER
Thank you for the responses. This ended up being a Microsoft Tenant issue.
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_other/office-365-mail-flow-backscatter/b3997119-95c4-4cb6-9753-f746b49571e3?page=3&msgId=81457760-339e-4bce-a8b0-7a0324206e29
ASKER
Thank you for the response. Your insight is much appreciated.
Neither of the senders are in a specific whitelist (since they are our domains). The msgs are being generated from what appears to be an Exchange Online server with our tenant xxxx.onmicrosoft.com. The route the mail is taking is through our Office 365 send connector, which we set up when configuring our hybrid environment. We have nothing set up on Proofpoint which explicitly whitelists the sender.
We have opened an incident with MS, since the generating server of the NDR is MWHPR12MB1807.namprd12.pro
Any help or insight is greatly appreciated.
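The header reading done in this thread, as an added example that is not part of the original posts: it checks the bounce markers visible in the quoted NDR headers (null Return-Path, multipart/report delivery-status, Auto-Submitted) and walks the Received chain to find the server that generated the message. The sample input is constructed from the headers quoted in the question, and treating a *.prod.outlook.com first hop as Exchange Online is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed subset of the NDR headers quoted in the
# question, with the forum's line-wrap spaces removed.
SAMPLE_NDR = """\
Received: from mail.chichestersd.org (10.30.1.19) by Chi-CAS-01.chi-sd.com
 (10.30.1.39) with Microsoft SMTP Server id 14.3.146.0; Tue, 10 Jan 2017
 10:36:49 -0500
Received: from nam01-sn1-obe.outbound.protection.outlook.com
 (mail-sn1nam01lp0120.outbound.protection.outlook.com [207.46.163.120]) by
 chichestersd-production-vm.chi-sd.com with ESMTP id 27s2wn1kms-1; Tue, 10 Jan 2017 10:38:26 -0500
Received: from BN6PR12MB1924.namprd12.prod.outlook.com (10.175.102.18) by
 BN6PR12MB1923.namprd12.prod.outlook.com (10.175.102.17) with Microsoft SMTP
 Server id 15.1.829.7; Tue, 10 Jan 2017 15:37:24 +0000
Content-Type: multipart/report; report-type=delivery-status;
 boundary="a0b52d82-1420-474f-b26e-b61f561570cd"
Auto-Submitted: auto-replied
Return-Path: <>
"""

def ndr_signs(msg):
    """Independent markers that a message is a bounce (DSN)."""
    signs = []
    if msg.get("Return-Path", "").strip() == "<>":
        signs.append("null return-path")
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        signs.append("delivery-status report")
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        signs.append("auto-submitted")
    return signs

def received_chain(msg):
    """(from_host, by_host) per hop, oldest hop first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+).*? by (\S+)", " ".join(raw.split()))
        if m:
            hops.append(m.groups())
    return hops

def generated_in_exchange_online(msg):
    """Heuristic (assumption): oldest hop is a *.prod.outlook.com host."""
    hops = received_chain(msg)
    return bool(hops) and hops[0][0].lower().endswith(".prod.outlook.com")

MSG = message_from_string(SAMPLE_NDR)
```

Received headers are prepended by each server, so the last one in the message is the oldest hop; a bounce whose oldest hop is inside the tenant's own service was generated there rather than reflected from an outside mail server.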