some one is sending mails from a spoofed mail account from our domain (randomname@ourdomain.com) to hundreds, sometimes thousands of non existant russian E-Mail addresses.
The web hosts send out NDRs to the non existant address on our server, however these mails are delivered to a catch-all address.
So every few weeks the catch-all mailbox gets flooded with a few hundred or a thousand NDRs, caused by a spoofed mail address.
There are always dozens mails that are similar, but most of them vary in the subject, sender, recipient, mail server and IP adresses. I can't find anything reliable to filter for except the whole *.ru domain.
How can we block those mails from being delivered to our catch-all account?
The web hosts sending the NDRs appear to be legit, at least some times. They don't get blocked by our spam lists of course.
I thought about using the Backscatterer Blacklist, but I'm not sure if it will help in this case.
Also it has a high risk of false positives and my boss is rather careful and accepts more incoming spam the users have to delete rather than legit orders get blocked by Spam Filters.
I hope you have some recommendations.
One thing I want to add: We do not send NDRs at all. We are using an Exchange Server 2016.
Best Answer
You should implement a Bounce Address Tag Validation solution, I am not sure if Exchange 2016 do it out of the box.
If you have EOP it works: https://docs.microsoft.com/pt-br/office365/securitycompliance/backscatter-messages-and-eop
I don't have an Exchange 2016, but you could try this: https://exchangequery.com/category/antispam/
There are also third-party solutions: https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
Regards,