
Exchange Backscatter

posted Sep 4, 2010, 10:39 PM by Jeremy Walker   [ updated Sep 8, 2010, 8:19 AM ]
If it weren't so late, I'd explain what backscatter is, but for now googling it will have to suffice. Either way, Microsoft programmed Exchange to "backscatter" out of the box...which for my customers is bad...VERY bad. In case all the googling you did for "backscatter" did not give you a real reason why it is bad, let me take a stab at it. Backscatter from an Exchange server, in any organization whose domain name is targeted by spammers, can cause the server's public IP address to be BANNED! Oh my...I did say banned, right? Allow me to say it again...BANNED! That's right, "backscatter" equals banned, though in most cases not permanently. It may not happen immediately, but it is inevitable that the backscatter from an Exchange server will eventually get the server's public IP address flagged by one of the many well-known block-lists on the internet. I did say it wasn't permanent...you can ask the block-list (sometimes for a fee) to remove you from the list. But that's not a permanent solution, is it? Keep reading...

Now that I've fervently expressed my opinion on the matter, here's how to fix it...or at least a starting point. Exchange, in all of its incarnations, has the ability to return an error to the sending mail server or client during the SMTP session if the recipient of the message is not registered in its list of users, instead of accepting the message and sending a non-delivery report (NDR) to the (usually forged) sender address afterward. However, this feature is not enabled by default. Your mission, if you choose to accept it, is to find this option and ENABLE IT. Each incarnation of Exchange has this option in a different place, and each incarnation has a different name for the list. In Exchange 2003 it's called the "Directory". In Exchange 2007 it's called the "Global Address List". In Exchange 2010...I haven't looked yet, ha! You're going to have to find that on your own, but here's a clue: try googling for "filter recipients who are not in the directory" for Exchange 2003. Exchange 2007 has an additional and possibly better approach to solving this...disabling the NDR altogether. Try googling for "exchange 2007 disable ndr" for many articles on how to do that.

(Edit 9/8/2010)
I did a simple search on google.com for "exchange 2003 disable NDR" and found an article from Microsoft itself on how to disable NDRs. Disabling NDRs instead of matching recipients to the directory is a much better way of solving this: if you only enable the matching, spammers can harvest valid user names by brute force, simply by watching which recipient addresses the server accepts. Leaving the recipient filter alone and only disabling NDRs prevents both backscatter and harvesting.

Did you say tarpitting? Google it!
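For the Exchange 2007 case, here is what the two approaches above (and the tarpitting hint) look like in the Exchange Management Shell. This is an added example, not from the original post or from Microsoft's articles; it assumes the anti-spam agents are installed on the Hub Transport server and that the Internet-facing receive connector is named `Default <Server>` (a placeholder; use your own connector name). The 10-second tarpit value is chosen for the example, not a recommended setting.

```powershell
# Added example (not part of the original post). Exchange 2007 Management Shell.
# Assumptions: anti-spam agents installed on the Hub Transport role;
# "<Server>" is a placeholder for your server name.

# 0. Record the current state before changing anything, so the change can be
#    reviewed and reverted.
Get-RemoteDomain | Format-List Name, DomainName, NDREnabled
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled
Get-ReceiveConnector | Format-List Name, Bindings, TarpitInterval

# 1. The post's preferred fix: stop sending NDRs to external senders at all.
#    The "Default" remote domain (*) covers every domain not listed separately,
#    so this removes the bounces that spammers' forged sender addresses attract.
#    Caveat: legitimate outside senders no longer get a bounce either, so the
#    receiving side must reject bad recipients in-session (step 2) if you want
#    them to learn of a typo.
Set-RemoteDomain -Identity "Default" -NDREnabled $false

# 2. The alternative the post mentions first: reject unknown recipients at
#    RCPT TO (Exchange 2007's equivalent of Exchange 2003's "Filter recipients
#    who are not in the Directory"). On its own this lets a spammer enumerate
#    valid addresses by watching which RCPT TO commands succeed.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 3. Tarpitting blunts that enumeration: Exchange delays every 5xx response on
#    the connector by TarpitInterval, making a dictionary run slow and costly.
Set-ReceiveConnector -Identity "<Server>\Default <Server>" -TarpitInterval 00:00:10

# 4. Verify the result.
Get-RemoteDomain "Default" | Format-List NDREnabled
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled
Get-ReceiveConnector "<Server>\Default <Server>" | Format-List TarpitInterval
```

Run the commands in step 0 first and keep the output; after the change, watch the transport logs for the volume of outbound NDRs to external domains to confirm it has dropped, which is the observable sign that the backscatter (and the block-listing it causes) has stopped.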