How to check for NDR spam (BackScatter)
The information in this article applies to:
- GFI MailEssentials for Exchange/SMTP 11
- GFI MailEssentials for Exchange/SMTP 12
- GFI MailEssentials for Exchange/SMTP 14
Article ID: KBID003322
Query keywords: backscatter, NDR, NDR Spam, spam
This article provides more information on Backscatter emails, also referred to as NDR Spam, and how GFI MailEssentials can be configured to block this type of spam email.
Note: The NDR Spam check is disabled by default in GFI MailEssentials 14 SR1 (build 20081024). GFI MailEssentials 14 includes the SpamRazer engine which can be used to block NDR Spam.
More Information
NDR Spam is generated when the spammer sends an email to a non-existent email address and the sender of such emails is spoofed to be a valid email address in your domain. Thus, the NDR generated for the spammer’s email will be sent to a user in your organization.
GFI MailEssentials can be configured to block the NDR Spam emails generated by other servers. GFI MailEssentials can also be configured to block the spammer's initial email, so that your own server does not generate NDR spam.
Solution
Upgrade to GFI MailEssentials 12 build 20080508 or higher, which includes the following new checks that target NDR Spam.
Note: Any registry values mentioned below can be found in [HKLM\SOFTWARE\GFI\ME<version>\Config] for 32-bit systems, or [HKLM\Software\Wow6432Node\ME<version>\Config] for 64-bit systems.
- GFI MailEssentials scans all NDR emails by default.
This functionality is controlled by the ASE_SCANDSN (dword) value, which is enabled by default (set to ‘1’). If this registry value is set to ‘0’, GFI MailEssentials will not perform any scanning on NDR messages.
- Most NDR emails have the original email attached to the NDR. GFI MailEssentials has been updated to scan this email using Keyword Checking, Bayesian filter, Spam URI Realtime Blocklist (SURBL) and DNS Blacklist. The action configured for the specific anti-spam module will be applied to NDR spam detected by the module.
- The NewSenders module checks the recipient of the email attached in the NDR message against the Auto Whitelist.
This functionality is enabled by default, and can be disabled by creating and setting the ‘NDRSpamNewSenders’ (dword) value to ‘0’. If the registry value does not exist, its value is assumed to be '1' (enabled).
NewSenders does not need to be enabled in the GFI MailEssentials configuration for this feature to work. The AutoWhitelist would however need to be enabled. The action configured for NewSenders will be applied to NDR spam detected in this case.
- Some servers do not include the original email in the NDR email. In this case, the NewSenders module will check the domain of the sender of the NDR message against the domains of the email addresses in the Auto Whitelist.
This functionality is enabled by default, and can be disabled by creating and setting the NDRSpamAllowSameDomain (dword) value to ‘0’. If the registry value does not exist, its value is assumed to be '1' (enabled).
NewSenders does not need to be enabled in the GFI MailEssentials configuration for this feature to work. The AutoWhitelist would however need to be enabled. The action configured for NewSenders will be applied to NDR spam detected in this case.
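The three NDR checks above (skip scanning when ASE_SCANDSN is off, compare the attached original's recipient with the Auto Whitelist, and fall back to a sender-domain comparison when no original is attached) can be modelled in a few lines. The following is an added example written for this article, not GFI MailEssentials' own code: the auto-whitelist entries, the sample bounces built by build_ndr and the return labels are constructed for illustration, and only the NewSenders-related checks are modelled, not the keyword, Bayesian, SURBL or DNS blacklist scanning of the attached original.

```python
"""Model of the NDR (backscatter) checks described in the article.

Added, illustrative code; not GFI MailEssentials' own logic. Registry
value names are the ones the article lists; everything else is constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed Auto Whitelist: addresses our own users have written to.
AUTO_WHITELIST = {"partner@supplier.example", "helpdesk@vendor.example"}

# Mirrors the registry values named in the article (1 = enabled, the default).
DEFAULT_CONFIG = {"ASE_SCANDSN": 1, "NDRSpamNewSenders": 1, "NDRSpamAllowSameDomain": 1}


def is_dsn(msg: Message) -> bool:
    """An NDR is a multipart/report whose report-type is delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status")


def attached_original(msg: Message) -> Optional[Message]:
    """Return the bounced original message if the NDR carries one."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()  # list holding the nested message
            return payload[0] if isinstance(payload, list) and payload else None
    return None


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def classify_ndr(raw: str, whitelist: set, config: dict = DEFAULT_CONFIG) -> str:
    """Classify a raw message as not-ndr, ndr-unscanned, legit-ndr or ndr-spam."""
    msg = message_from_string(raw)
    if not is_dsn(msg):
        return "not-ndr"
    if not config["ASE_SCANDSN"]:
        return "ndr-unscanned"          # article: ASE_SCANDSN=0 disables NDR scanning
    original = attached_original(msg)
    if original is not None:
        if not config["NDRSpamNewSenders"]:
            return "ndr-unscanned"
        # The original's recipient is the address our user supposedly wrote to;
        # a genuine bounce concerns someone already in the Auto Whitelist.
        recipient = parseaddr(original.get("To", ""))[1].lower()
        return "legit-ndr" if recipient in whitelist else "ndr-spam"
    # No original attached: compare the bouncing server's domain with the
    # domains our users have written to.
    if not config["NDRSpamAllowSameDomain"]:
        return "ndr-unscanned"
    known_domains = {domain_of(a) for a in whitelist}
    return "legit-ndr" if domain_of(msg.get("From", "")) in known_domains else "ndr-spam"


def build_ndr(bounce_from: str, original_to: Optional[str]) -> str:
    """Construct a sample NDR addressed to one of our users (constructed data).

    original_to=None yields a bounce without the original attached, as the
    article notes some servers send.
    """
    parts = ["Content-Type: text/plain\n\nThe message could not be delivered.\n",
             "Content-Type: message/delivery-status\n\n"
             "Reporting-MTA: dns; bouncer.invalid\n\nAction: failed\n"]
    if original_to:
        parts.append("Content-Type: message/rfc822\n\n"
                     f"From: alice@ourcompany.example\nTo: {original_to}\n"
                     "Subject: hello\n\nbody\n")
    body = "".join(f"--b1\n{p}" for p in parts) + "--b1--\n"
    return (f"From: {bounce_from}\nTo: alice@ourcompany.example\n"
            "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
            + body)


if __name__ == "__main__":
    samples = {
        "backscatter with spoofed original": build_ndr("MAILER-DAEMON@bouncer.invalid", "nobody@bouncer.invalid"),
        "real bounce from a known partner": build_ndr("MAILER-DAEMON@supplier.example", "partner@supplier.example"),
        "backscatter without original": build_ndr("MAILER-DAEMON@bouncer.invalid", None),
        "real bounce without original": build_ndr("postmaster@supplier.example", None),
    }
    for label, raw in samples.items():
        print(f"{label}: {classify_ndr(raw, AUTO_WHITELIST)}")
```

The whitelist lookup is the part that matters: a bounce whose attached original was sent to an address nobody in your organisation has ever written to is the signature of backscatter, because your user never sent that message. When the bouncing server strips the original, the domain comparison is the weaker fallback the article describes, which is why both checks are enabled by default.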
If any registry values are altered, you would need to restart the following services:
- If using IIS or Exchange 2000 / 2003, restart the ‘IIS Admin’ service and all dependent services.
- If using Exchange 2007, restart the 'GFI MailEssentials Scan Engine' service.
You can also configure GFI MailEssentials to block emails sent from spammers to non-existent users, preventing your server from generating NDR spam emails. This can be done by enabling the Directory Harvesting Anti-Spam module.
For more information please see the White paper about blocking NDR spam
Notes:
- The existing NewSenders functionality has been retained for processing emails that are not DSN messages.
- If you need to disable the scanning done on NDR emails, you would need to set ASE_SCANDSN (dword) to ‘0’.
Download the latest version of GFI MailEssentials for Exchange/SMTP:
If installing on Microsoft IIS SMTP (x86), Microsoft Exchange Server 2000, or Microsoft Exchange Server 2003, then you need to download the x86 version of GFI MailEssentials:
http://software.gfi.com/mailessentials.exe
If installing on Microsoft Exchange Server 2007, then you need to download the x64 version of GFI MailEssentials:
http://ftp.gfi.com/mailessentials14_x64.exe