
Someone is sending mails from a spoofed mail account from our domain (randomname@ourdomain.com) to hundreds, sometimes thousands of non-existent Russian e-mail addresses. The web hosts send out NDRs to the non-existent address on our server, however these mails are delivered to a catch-all address.

So every few weeks the catch-all mailbox gets flooded with a few hundred or a thousand NDRs, caused by a spoofed mail address. There are always dozens of mails that are similar, but most of them vary in the subject, sender, recipient, mail server and IP addresses. I can't find anything reliable to filter for except the whole *.ru domain.

How can we block those mails from being delivered to our catch-all account? The web hosts sending the NDRs appear to be legit, at least sometimes. They don't get blocked by our spam lists, of course.

I thought about using the Backscatterer Blacklist, but I'm not sure if it will help in this case. Also it has a high risk of false positives, and my boss is rather careful and accepts more incoming spam the users have to delete rather than having legit orders get blocked by spam filters.

I hope you have some recommendations.

One thing I want to add: We do not send NDRs at all. We are using an Exchange Server 2016.

Rimini
  • Have you declared SPF data/record in your domain DNS zone? It may **reduce** the problem. – AnFi Jun 28 '19 at 12:22
  • I think you can refer to the similar case: https://community.spiceworks.com/topic/170588-how-to-stop-backscatter. Also read this article to learn more about EOP: https://social.technet.microsoft.com/wiki/contents/articles/30431.eop-new-boomerang-feature-to-prevent-backscatter-reverse-ndr-attack.aspx – joyceshen Jul 01 '19 at 02:07
  • @joyceshen I stumbled across this one. A mail gateway will be considered, if we can't fix this with the given possibilities from Exchange or our Anti Spam solution. – Rimini Jul 01 '19 at 07:00
  • I'll have a look into it thanks. – Rimini Jul 01 '19 at 07:06
  • @AnFi Yes we have, it was already done before I started here but it seems properly configured. – Rimini Jul 01 '19 at 07:09
  • Any updates about your issue? – joyceshen Jul 03 '19 at 05:39
  • Unfortunately not. Our Exchange server receives the mails from our provider that hosts a mail server. However DKIM isn't supported on it. Since Exchange 2016 has no included BATV, we could try another BATV solution or use a commercial Mail-Gateway. Management is not so keen about including the Backscatterer blacklist. – Rimini Jul 04 '19 at 06:40
  • So what about configuring the recipient filter? Like this case: https://social.technet.microsoft.com/Forums/exchange/en-US/f9ecd357-19a4-43a2-ab01-4e01815c275e/backscatter?forum=exchange2010 – joyceshen Jul 05 '19 at 06:45
  • Wouldn't a catch-all account interfere with a recipient filter? – Rimini Jul 08 '19 at 08:09

1 Answer


You should implement a Bounce Address Tag Validation solution; I am not sure if Exchange 2016 does it out of the box.

If you have EOP it works: https://docs.microsoft.com/pt-br/office365/securitycompliance/backscatter-messages-and-eop

I don't have an Exchange 2016, but you could try this: https://exchangequery.com/category/antispam/

There are also third-party solutions: https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Regards,

Diego Souza
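The Bounce Address Tag Validation scheme the answer recommends, as an added illustration that is not part of the original answer and not an Exchange feature: the outbound envelope sender is rewritten with a keyed, expiring prvs tag, and an inbound bounce (MAIL FROM:<>) addressed to an untagged or forged address, such as the spoofed randomname@ourdomain.com from the question, is recognised as backscatter before it can reach the catch-all. The secret, addresses and dates are constructed for the example.

```python
import hmac
import hashlib
import re
from datetime import date, timedelta

# Constructed secret for this example; a real deployment uses its own private key.
SECRET = b"example-batv-secret"
MAX_VALID_DAYS = 7
# prvs=<K><DDD><HHHHHH>=local@domain  (tag layout from the BATV draft)
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+@.+)$", re.IGNORECASE)

def _mac(key_ver, day, address):
    # first 6 hex digits of HMAC-SHA1 over key version, expiry day and original address
    msg = f"{key_ver}{day:03d}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]

def tag_sender(address, today, key_ver=0):
    """Rewrite the envelope sender (MAIL FROM) so genuine bounces come back to a tagged address."""
    local, domain = address.rsplit("@", 1)
    day = (today.toordinal() + MAX_VALID_DAYS) % 1000   # expiry day number, mod 1000
    return f"prvs={key_ver}{day:03d}{_mac(key_ver, day, address)}={local}@{domain}"

def check_bounce_recipient(rcpt, today):
    """Decide whether a bounce addressed to rcpt answers mail we actually sent.
    Returns (accept, original_address); untagged, forged or expired tags are backscatter."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, None          # no tag at all: we never sent with this return path
    key_ver, day = int(m.group(1)), int(m.group(2))
    mac, address = m.group(3).lower(), m.group(4)
    if not hmac.compare_digest(mac, _mac(key_ver, day, address)):
        return False, None          # tag does not verify under our key: forged or altered
    # the expiry day must lie between today and MAX_VALID_DAYS ahead (modulo 1000)
    if (day - today.toordinal()) % 1000 > MAX_VALID_DAYS:
        return False, None          # tag has expired: late or replayed bounce
    return True, address

if __name__ == "__main__":
    today = date(2019, 7, 1)
    tagged = tag_sender("sales@ourdomain.com", today)
    print(tagged)
    print(check_bounce_recipient(tagged, today))                       # genuine bounce
    print(check_bounce_recipient("randomname@ourdomain.com", today))   # spoofed, untagged
    print(check_bounce_recipient(tagged, today + timedelta(days=30)))  # expired tag
```

On a real gateway the check runs only for messages with a null envelope sender; bounces that fail it are rejected at SMTP time, so the catch-all never sees them while the legitimate web hosts are not blacklisted.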