Backscatter SPAM

A quick tidbit of information on Backscatter SPAM, as I fix a customer’s servers …

Backscatter SPAM is a way for Mr. Spammer to email Mrs. Victim indirectly. Mr. Spammer sends an email spoofed from Mrs. Victim’s account to a non-existent account on your domain and server. If things are set up (in)correctly, your email server will accept that email, find out it cannot deliver it and then send the email back to what it thinks the sender’s address is – Mrs. Victim – effectively delivering the message while trying to be helpful.

Here’s what a mail queue full of Backscatter SPAM looks like:

[Screenshot: Exchange mail queue full of Undeliverable: messages]

You’ll have a bunch of Undeliverable: messages sitting in your queue, not delivered because the remote end is refusing them (identifying them as SPAM) with a 400 4.4.7 Message Delayed error. You might even find yourself on a blacklist.

Fixing this is (fortunately) pretty easy on an Exchange server – here’s my four-step fix.

Turn off NDR Reports for External Domains

This is simple. Open the Exchange Admin Console and go to Organization Configuration -> Hub Transport. Once there, a tab for Remote Domains will be visible – click that, and configure each domain as shown:

[Screenshot: Remote Domain properties, Message Format tab]

(For each remote domain, uncheck Allow non-delivery reports in the Message Format tab)

Turn On Recipient Filtering

Many people disable the Exchange Anti-SPAM options to reduce trouble, but the Recipient Filtering service can only help: it rejects emails destined for non-existent mailboxes before you accept the message, so there is nothing to bounce. In Organization Configuration -> Hub Transport, select Anti-spam. Right-click Recipient Filtering to enable it, then edit it as shown below:

[Screenshot: Recipient Filtering properties, Blocked Recipients tab]

(In the Blocked Recipients tab, make sure Block messages sent to recipients that do not exist in the directory is checked.)

Clear out your Mail Queue

Open the mail queue appropriate for your Exchange (Exchange 2007-2013 have it in the Exchange Console) and delete any messages (obviously without NDR) that are stuck. Simple enough.

Check for blacklisting

Using a service like MXToolbox, check your IP for any blacklist entries and perform the necessary steps to remove yourself – but only after the above steps, or you’ll end up right back on it. Landing back on a blacklist enough times can result in a permanent ban!
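The same four steps from the Exchange Management Shell, as an added example that is not from the original post. It assumes Exchange 2007/2010-era cmdlets, that the anti-spam agents are installed on the Hub Transport server (otherwise Set-RecipientFilterConfig is not available), and uses yourdomain.example as a placeholder for your own domain.

```powershell
# Added example: Exchange Management Shell equivalents of the four GUI steps above.
# Assumes Exchange 2007/2010-style cmdlets and that the anti-spam agents are installed
# on the Hub Transport server. yourdomain.example is a placeholder, not a real domain.

# Step 1: stop sending NDRs to every remote domain (this is the backscatter itself).
Get-RemoteDomain | Set-RemoteDomain -NDREnabled $false
Get-RemoteDomain | Format-Table Name, DomainName, NDREnabled -AutoSize   # verify: all False

# Step 2: reject mail for recipients not in the directory at SMTP time, before it is accepted.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled   # verify: both True

# Step 3: review the queued "Undeliverable:" messages, then remove them WITHOUT generating new NDRs.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount -AutoSize
Get-Message -ResultSize Unlimited -Filter { Subject -like "Undeliverable*" } |
    Format-Table FromAddress, Subject, Queue, Status -AutoSize
Get-Message -ResultSize Unlimited -Filter { Subject -like "Undeliverable*" } |
    Remove-Message -WithNDR $false -Confirm:$false

# Step 4: the blacklist check itself is done at MXToolbox; look up your MX hosts so you
# know which public IPs to check there.
nslookup -type=MX yourdomain.example
```

Run the Step 3 Format-Table line first and only remove messages once you are satisfied the filter matches just the bounce traffic.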