How to stop Backscatter (NDR) from spoofed Mail address


some one is sending mails from a spoofed mail account from our domain ( to hundreds, sometimes thousands of non existant russian E-Mail addresses.
The web hosts send out NDRs to the non existant address on our server, however these mails are delivered to a catch-all address.

So every few weeks the catch-all mailbox gets flooded with a few hundred or a thousand NDRs, caused by a spoofed mail address.
There are always dozens mails that are similar, but most of them vary in the subject, sender, recipient, mail server and IP adresses. I can't find anything reliable to filter for except the whole *.ru domain.

How can we block those mails from being delivered to our catch-all account?
The web hosts sending the NDRs appear to be legit, at least some times. They don't get blocked by our spam lists of course.

I thought about using the Backscatterer Blacklist, but I'm not sure if it will help in this case.
Also it has a high risk of false positives and my boss is rather careful and accepts more incoming spam the users have to delete rather than legit orders get blocked by Spam Filters.

I hope you have some recommendations.

One thing I want to add: We do not send NDRs at all. We are using an Exchange Server 2016.

Best Answer

You should implement a Bounce Address Tag Validation solution, I am not sure if Exchange 2016 do it out of the box.

If you have EOP it works:

I don't have an Exchange 2016, but you could try this:

There are also third-party solutions:


Related Topic