A point for system administrators using GreenNet as an outgoing server, particularly those running Microsoft Exchange.
Backscatter means bounces sent to innocent email users whose addresses have been forged in spam. It may seem a minor problem, but it annoys other internet users, generates complaints, and exposes us, as your outgoing server, to the risk of being blocklisted.
Consider the following situation: spam and viruses go directly to the primary mail server (the first MX record), which may be your Exchange server* (*other office mail servers are available). Your mail server may be configured to accept the message initially and then bounce it when no mailbox is found or it is blocked. This is bad practice, as the bounce is likely to go to a faked sender address. Sometimes the bounce may even include a live piece of malware.
If these bounces are set to go out through GreenNet, we'll filter out most malware and much spam from these bounces, but the process isn't perfect, and it's much better to prevent the backscatter being sent in the first place. We don't want to be seen as a source of unwanted and confusing bounces. One way of minimising the backscatter is to have GreenNet listed as the first MX and so take advantage of our spam filtering service. That way you receive much less spam, and there's much less to bounce.
We've also seen spam sent directly to the Exchange server when the MX records are elsewhere, so to cut out backscatter caused by this route, you will probably also want to reject or firewall mail from anywhere other than GreenNet, using these instructions.
Stopping backscatter from MS Exchange
There are a couple of ways to stop the Exchange server sending bounces to faked addresses in response to any spam that does get through:
- "Create a recipient filter to prevent Exchange Server from accepting messages that are sent to recipients who do not exist"
- For Exchange 2003 this is described in step 2 here: http://support.microsoft.com/kb/909005 which also gives an early Microsoft summary of the problem.
- For Exchange 2007 Hub servers and later you first need to enable the anti-spam functionality by running
cd "c:\Program Files\Microsoft\Exchange Server\Scripts"
and
./install-AntispamAgents.ps1
as described here, and then go to Edge Transport (or Hub Transport as appropriate) > Anti-spam tab > Recipient Filtering and enable it as described here.
- For Exchange 2010, instructions are similar to 2007: go to properties > Blocked recipients and ensure "Block messages sent to recipients that do not exist in the directory" is ticked, as described here and here.
- For Exchange 2013, see here to enable Exchange anti-spam and then here and here to stop backscatter. The EMC command is "Set-RecipientFilterConfig -Enabled $true"
- Less preferable is to stop the generation of non-delivery notifications (bounces) altogether as described here: http://support.microsoft.com/kb/294757
- http://www.arrowmail.co.uk/howto/recfilt.aspx (explanation of problem, for Exchange 2003 and 2007)
- http://www.mimecast.com/mc/kb/Mimecast/KBID10762.htm (screenshots for 2003-2010)
- Typical case on TechNet, advising a recipient filter against Active Directory, the first solution above.
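
To confirm that the recipient filter described above is actually in effect, the following read-only check can be run in the Exchange Management Shell on the transport server. It is an added example, not GreenNet's or Microsoft's own script, and it assumes Exchange 2007 or later with the standard anti-spam cmdlets available; RecipientValidationEnabled is the shell setting behind the "do not exist in the directory" tick box.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Reports anything that would let mail for unknown recipients be
# accepted first and bounced afterwards (the source of backscatter).
$findings = @()

# 1. The Recipient Filter agent must be installed and enabled.
$agent = Get-TransportAgent |
    Where-Object { "$($_.Identity)" -eq 'Recipient Filter Agent' }
if (-not $agent) {
    $findings += 'Recipient Filter agent not installed (run install-AntispamAgents.ps1)'
} elseif (-not $agent.Enabled) {
    $findings += 'Recipient Filter agent is installed but disabled'
}

# 2. Filtering must be switched on, must look recipients up in the
#    directory, and must apply to unauthenticated (external) senders.
$cfg = Get-RecipientFilterConfig
if (-not $cfg.Enabled) {
    $findings += 'Recipient filtering is disabled (Enabled = False)'
}
if (-not $cfg.RecipientValidationEnabled) {
    $findings += 'Unknown recipients are not rejected (RecipientValidationEnabled = False)'
}
if (-not $cfg.ExternalMailEnabled) {
    $findings += 'Filter is not applied to external mail (ExternalMailEnabled = False)'
}

# 3. Directory lookup only happens for authoritative accepted domains
#    that have address book lookups enabled.
Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' -and -not $_.AddressBookEnabled } |
    ForEach-Object {
        $findings += "Accepted domain $($_.DomainName) has AddressBookEnabled = False"
    }

# Summary: warnings for each gap, or a single OK line.
if ($findings.Count -eq 0) {
    Write-Host 'OK: unknown recipients are rejected during the SMTP conversation.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any warning means the server can still accept a message for a non-existent mailbox and generate a bounce to the forged sender afterwards.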