Cannot get rid of backscatter, the emails don't get caught by the backscatter ext agent - ORF Forums

Cannot get rid of backscatter, the emails don't get caught by the backscatter ext agent RSS Back to forum

1

We are getting loads of backscatter and the external agent is in fact working, it gets a few but the majority are not stopped. They are all passed in the ORF log and in the user's Outlook they all appear as:-

From Microsoft Outlook Subject Undeliverable: xxxxxx
From Microsoft Outlook Subject Delivery Delayed: xxxxxxx

They aren't from Microsoft Outlook and I can't filter them out by matching the sender Microsoft Outlook.

What can I do about these?

by bryan.ferguson 7 years ago
2

Hello Byan,

We have an entire page dedicated to the backscatter phenomenon at http://www.vamsoft.com/howto-stop-backscatter.asp

Please try to implement the solutions listed on the website and let me know if you need further assistance.

by Daniel Novak (Vamsoft) 7 years ago
3

Yes I followed everything on that page weeks ago. It has had plenty of time to reduce the spam. Some of these things were already set from your best practices guide, but changing the others has made no improvement. I still cannot get rid of the backscatter.

* Disable NDRS - done that a month ago

* Reject don't bounce - already set

* Drop your secondary MX - done that a week ago, we had 2 extras from our ISP

* Drop emails silenty on arrival - already set

* Publish spf records - I tightened them a month ago up from ~all to -all and it is currently
v=spf1 a mx include:spf.dynect.net include:wordfly.com -all
We need the 2 includes for mailouts from a web sales site

* Use the backscatter protection agent - we've had it in place for years, I can see it is working in the logs but it only detects a few out of the hundreds

by bryan.ferguson 7 years ago
4

@bryan.ferguson: Hello Bryan,

Backscatter has not been a big issue for us so forgive me if this is ground you've already covered.

If you for a moment just think of these NDRs as spam and then approach it like any other spam, do you think you could find some set of rules to add to ORF that would stop them from reaching your users Inbox?

You can look for patterns in the subject, the email header (especially if it claims to come from your mail domain), the sender (from Microsoft Outlook, really?), the content (any unique things to latch onto?), strange links, etc.

For example, I've used words/phrases in my sender blacklists, not just email domains, which can be useful.

I hope this helps...

by Sam Russo 7 years ago
(in reply to this post)

5

@Sam Russo: Thanks Sam,

Because only a few email addresses are spammed, I have put server side mail rules on those accounts to remove any email subject line containing "Undelivered" or "Delayed". It deletes most of them. But the subject line can say anything so there will be 2 or 3 a day often in non-english. But I would really like them to stop completely. The backscatter agent catches almost none of them.

The most annoying thing is these emails come from the exchange server itself as the sender. Outlook sees the sender as Microsoft Outlook and the email address behind it appears to be our exchange server with the ID of numbers. Is it possible that something on our network is sending spam? Gosh, is our Exchange server sending spam? We're not blacklist so I don't think so.

by bryan.ferguson 7 years ago
(in reply to this post)

6

@bryan.ferguson: OK, its us. A PC on the network is sending spam out through the Exchange server. Sorry, should have known this before. Thanks for your help though!

by bryan.ferguson 7 years ago
(in reply to this post)

7

@bryan.ferguson: Good find.

To stop this in the future you can add an outbound firewall rule to block outbound port 25 connections for anything except your mail server.

Desktop/Laptop firewall and/or anti-virus settings can also block port 25 connections.

Also, if you are using Exchange Edge w ORF on the Edge server, the outbound emails are easy to spot right in the ORF log. Of course you still have all the Exchange logs too when you need to dig deeper.

by Sam Russo 7 years ago
(in reply to this post)

8

@Sam Russo: Just re-read and I now realize blocking port 25 would not have stopped outbound emails via your exchange server. It's still good to do. Anyway, glad you found it.

by Sam Russo 7 years ago
(in reply to this post)

9

The ORF logs had the information right there. Just sort by subject line, find a spam subject and there's the original being sent out and the backscatter coming back in.

I feel so stoopid for not seeing it earlier.

Cheers!

by bryan.ferguson 7 years ago
10

Thank you for the update Bryan. I am glad to hear you found the source of the issue.

If we can be of any further assistance, just let us know.

by Daniel Novak (Vamsoft) 7 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2