want to block one IP as it was used to spoof my email address

Hi there,

My organization's CEO's email address was spoofed by an external source, due to which our CEO started receiving NDRs from the recipients the spoofer sent the emails to. As I have identified the source IP from the headers (the NDRs' headers), I would like to know how to blacklist the source IP.

Many blogs and websites say to ignore the spoof, or to change the email address, or to create rules to delete the NDR emails that are specifically coming from that recipient, but I'm a little hesitant to say this to my management as the affected user is the CEO.

May 27th, 2015 1:01am

Hi Magudeeswaran,

1. Just try to have an SPF record for your domain. Nowadays most of the mail servers on the internet are doing SPF checks. So in such a case, if your CEO's address is spoofed to any domain on the internet, then the mail server on that domain will do an SPF lookup. Finally it will find that the email is triggered from an unauthenticated IP address and it rejects the connection.

What is the gateway product you are using in your environment?

The reason I am asking is that we can make a rule on the product saying that any email from the internet to your domain which contains a from address with your own domain suffix has to be blocked.

May 27th, 2015 1:44am
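As an added example (not code from this thread, from the poster, or from Microsoft), here is a small Python script that does the two things discussed above offline: pull the originating IP out of a bounce's embedded headers, the way the original poster did by hand, and evaluate that IP against the domain's SPF record, the way a receiving mail server that checks SPF would. The NDR text, the domain names and the SPF records are all constructed; the plain marker line standing in for the bounce's message/rfc822 boundary is a simplification, and a real EOP tenant's SPF record would carry Microsoft's published include rather than the names used here.

```python
"""Added example (not from this thread): extract the originating IP from a
bounce (NDR) and evaluate it against the spoofed domain's SPF record.
Everything here is constructed: the NDR text, the domains and the SPF data."""
import ipaddress
import re

# Constructed bounce. A real NDR carries the original message as a
# message/rfc822 part; here a plain marker line stands in for that boundary.
SAMPLE_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
To: ceo@example.com
Subject: Undelivered Mail Returned to Sender

--- Original message headers ---
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.net with ESMTP; Wed, 27 May 2015 07:12:01 +0000
Received: from mail.example.com (unknown [203.0.113.45])
\tby mx.example.net with ESMTP; Wed, 27 May 2015 07:11:58 +0000
From: CEO <ceo@example.com>
To: someone@example.net
Subject: Urgent invoice
"""

# Constructed SPF data standing in for DNS TXT lookups (hypothetical names).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.example.org -all",
    "spf.protection.example.org": "v=spf1 ip4:203.0.113.128/25 ~all",
}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def extract_origin_ip(ndr_text):
    """Return the IP of the earliest hop recorded in the returned message.

    Each relay prepends its own Received header, so the last Received line
    in the embedded original message names the host that injected it: that
    is the address worth reporting, not the bouncing server's own IP."""
    _, _, original = ndr_text.partition("--- Original message headers ---")
    hops = []
    for line in original.splitlines():
        if line.lower().startswith("received:"):
            match = IP_IN_BRACKETS.search(line)
            if match:
                hops.append(match.group(1))
    return hops[-1] if hops else None


def check_spf(ip, domain, records, depth=0):
    """Minimal SPF evaluator: ip4, ip6, include and all, with qualifiers.
    Mechanisms that need further DNS (a, mx, exists, redirect=) are skipped."""
    if depth > 10:                        # RFC 7208 lookup limit
        return "permerror"
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "none"                     # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(ip, argument, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                      # record ended without a match


def triage_ndr(ndr_text, domain, records=SPF_RECORDS):
    """Tie both steps together for one bounce: which IP, and what SPF says."""
    ip = extract_origin_ip(ndr_text)
    result = check_spf(ip, domain, records) if ip else "none"
    return {"origin_ip": ip, "spf": result}


if __name__ == "__main__":
    print(triage_ndr(SAMPLE_NDR, "example.com"))
```

For the constructed bounce this reports the spoofer's connecting address (203.0.113.45) with an SPF result of "fail", which is the verdict the bouncing server should have reached before accepting the message. That is also the limit of what SPF does for backscatter: it only helps when the server that would generate the bounce checks SPF at connection time, which is why the thread's later advice about the EOP backscatter setting matters on the receiving side.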

1. Yes, I agree the SPF record has to be there for every domain, to ensure their emails are authorized.

2. We are using EOP, which is ideally blocking the emails that are sent from outside using our domain name.

I would like to understand: is there any way I can report to my ISP to blacklist that IP address? If not, who has access to blacklist that IP from the internet? I don't want that IP to be used to trigger any more emails. Does MS have enough rights, as my gateway product is EOP?

May 27th, 2015 6:59am

Hi Magudeeswaran M,

This is called "backscatter"; it's a type of spam.

You are receiving NDR bounce emails from others for messages that were not sent from you.

You may be blacklisted because the spoofer impersonates your account and sends spam via your SMTP,

thus you must have the below records in addition to a spam detection solution.

1- SPF record (a TXT record that contains your SMTP servers); there are many online tools to generate this text record

2- PTR record

Antispam

You must have an antispam solution or subscribe to online reputation services to defend against spam, like Exchange Online Protection.

Backscatter messages and Microsoft EOP

https://technet.microsoft.com/en-GB/library/dn499795(v=exchg.150).aspx

Thanks.


May 27th, 2015 7:14am


Hi,

First check whether that particular IP address is blacklisted anywhere by using MXToolbox. If not, then you might have an option in EOP to block the particular IP address. Since it is not blacklisted anywhere in the external anti-spam database engines, the RBL functionality in EOP will allow the emails from that particular IP address.

At the same time I have found a link; please check it, it may help you.

https://technet.microsoft.com/en-us/library/jj200769%28v=exchg.150%29.aspx



May 28th, 2015 2:50am

Hi,

The above advice is great.
Additionally, I want to double-confirm whether all outbound messages return an NDR or just messages sent by your CEO to some particular domain.
Here's an article about the official Anti-Spam and Antivirus Mail Flow, for your reference: https://technet.microsoft.com/en-us/library/aa997242%28v=exchg.141%29.aspx

Because this issue is related to the configuration of the destination organization, I recommend contacting its administrator to double-confirm the configuration of the anti-spam filter.
Besides, I recommend running the message tracking log and protocol log to check the delivery process. More details about analyzing the protocol logs and message tracking logs in Exchange 2013:
http://social.technet.microsoft.com/wiki/contents/articles/23182.analyzing-the-protocol-logs-and-message-tracking-logs-in-exchange-2013.aspx

Thanks

May 28th, 2015 2:56am

Hi everyone,

I have contacted EOP and wanted to take their advice on this; they told me to activate NDR backscatter filtering, which they believe should stop the NDRs that come back as a response to those spam emails.

Here is how it can be done:

Exchange admin center > protection > spam filter > Default [Edit] > advanced options > NDR backscatter: Off -> On > Save

June 5th, 2015 1:22am

