Improving Backscatter detection with Boomerang


One of the features we have been working on in Office 365/Exchange Online Protection (EOP) is called Boomerang, a mechanism to better detect backscatter spam.


What is Backscatter?

Backscatter spam occurs when a spammer spoofs your email address and sends mail to a random person on the Internet. The random person’s mail server accepts the email message and then later discovers it can’t deliver it. There are a few reasons why this occurs:

  • The random person’s mailbox is full
  • The random person’s mail server rejects spam
  • The random person’s email address does not exist

When that happens, the random person’s mail server sends a bounce message (non-delivery receipt, or NDR) back to the sender saying “Sorry, I could not deliver this message.” However, instead of sending it back to the spammer who sent the message, the mail server sends it back to you.

You then receive this NDR in your mailbox indicating that the message “you” sent could not be delivered. But since you never sent that message, your reaction is “Why am I getting bounces for a message I never sent?” Often, these bounces contain spam.

It can be very irritating for end users.


Fighting Backscatter with Boomerang

We currently have some basic Backscatter detection in EOP but we are making it better – much better. It uses a technique called Boomerang which borrows from how Hotmail does backscatter prevention. It inserts a cryptographic hash that encodes the original sender into the outbound message, and then checks that hash when a bounce message comes back for one of your users. I won’t go into the full details, but it is similar to Bounce Address Tag Validation (BATV).

Boomerang does more than BATV, however: it is also used to detect conversations between end users, and it looks at where the end user’s mailbox is located when making a filtering decision.

Enabling Boomerang and Backscatter Prevention

We’ve gone to a lot of effort to ensure that this change is seamless for end users – your filtering experience should get better and you won’t have to do much, if any, work.

  • If you have a hosted mailbox, you don’t have to do anything.

    You will get Boomerang automatically, and it will figure out the right thing to do on its own. You don’t have to turn it on, but nor can you turn it off, even if you log in to the Exchange Admin Center (EAC) and disable the rule.

    In the tables below, for both Current and New Behavior, “regular filtering” includes spoof detection, wherein messages that are clearly forged are marked as spam.

    Table of behavior for Backscatter for customers with hosted mailboxes

    NDR Backscatter Setting | Current Behavior                                        | New Behavior
    Off                     | NDRs go through regular filtering                       | Legitimate NDRs are delivered, backscatter is marked as spam
    On                      | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered, backscatter is marked as spam



  • If you are an on-premise customer (wherein email passes through EOP and is relayed to your on-premise mail server), you need to enable it through the Exchange Admin Center (EAC).

    To do this:

    1. Log in to the EAC

    2. Navigate to Admin (top right) –> protection (on left side of screen) –> content filter –> open up a policy –> advanced options –> enable NDR backscatter

    [Screenshot: EAC content filter policy, advanced options, NDR backscatter setting]

    It is not required for you to enable this rule if it is currently off [1]. However, if you send outbound email through Office 365, we recommend you turn it on.

    Table of behavior for Backscatter for on-premise customers (without hosted mailboxes)

    NDR Backscatter Setting | Current Behavior                                        | New Behavior
    Off                     | NDRs go through regular filtering                       | NDRs go through regular filtering
    On                      | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered, backscatter is marked as spam


IMPORTANT!

If you are an on-premise customer and enable this rule but do not route outbound email through Office 365, all NDRs – legitimate and backscatter – will be marked as spam [2]. 

  • If you are a hybrid customer and have some of your mailboxes hosted with Exchange Online and some of your mailboxes in your on-premise environment, your experience will be more complex.

    The service will look at where the mailbox is before taking action. It will treat the hosted mailboxes as above – legitimate NDRs will be delivered and backscatter will be marked as spam.

    For the on-premise (non-hosted) mailboxes, it depends on the Advanced Spam Filter (ASF) setting for NDR backscatter. If it is enabled, legitimate NDRs will be delivered and backscatter marked as spam. If it is not enabled, NDRs go through regular filtering, where they may or may not be marked as spam.

    We recommend enabling this rule if all outbound email flows through EOP. If you have a split scenario where some outbound email flows through EOP and some doesn’t, then enabling this rule may generate false positives because legitimate NDRs will be marked as spam. However, if you don’t enable this rule you may get backscatter spam in your on-premise mailbox because the regular spam filter may not catch it.


Conclusion

We hope that this helps customers catch more backscatter spam than previously. If you have problems with this feature – either it catches too much or not enough – please let us know.

Thanks for reading.



[1] Some customers have problems with backscatter spam; by enabling the Advanced Spam Rule today, backscatter does go down but unfortunately legitimate NDRs are marked as spam. Boomerang will solve that problem.

However, many other customers do not have problems with backscatter and therefore don’t have the Advanced Spam Rule enabled. After Boomerang is released, these customers will have the same experience and therefore don’t need to enable it. However, if they send outbound email through EOP we still recommend enabling it so that they have proactive protection in case backscatter ever does become a problem in the future.

[2] Boomerang works by looking for cryptographic tags in the bounce message. If the bounce message does not contain the tag, the message is treated as backscatter. Because outbound messages that do not flow through EOP may still bounce back in through EOP, Boomerang will find the tag that EOP inserts missing and conclude that the original message was spoofed, when in reality the message was never supposed to contain the tag. Unfortunately, there is no way to sync that back to EOP and Boomerang if the ASF rule is enabled.

This is true for every way of sending outbound email that bypasses EOP. If your domain's MX record points to EOP and you send outbound email not through EOP but:

  • Through your own on-premise mail server direct to the Internet, and it bounces back into EOP
  • Through third party bulk email providers (ESPs), and mail bounces back into EOP
  • Through third party hosting infrastructure, and mail bounces back into EOP

then all of this email will be marked as spam if you have a hosted tenant; or you are an on-prem tenant and have enabled the ASF rule for backscatter spam; or you are a hybrid customer and have your mail flow configured in a certain way. There is no way to turn off this behavior, as explained above. The only way around it is to create Exchange Transport Allow rules for NDR bounces going to a specific mailbox or mailboxes, if that's where your bounces are directed.
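As an added illustration (not Boomerang's or EOP's own code), here is a simplified BATV-style tag scheme in Python that shows the mechanism described in the Boomerang section and in this footnote: outbound mail gets a signed return-path tag, an inbound NDR is delivered only if the tag verifies, and an NDR for mail that never passed through the tagging hop has no tag and is classified as backscatter. The tag format, key, addresses and dates are constructed assumptions.

```python
import hmac
import hashlib
from datetime import date, timedelta
from typing import Optional

# Constructed demo key; a real deployment keeps this secret per tenant and rotates it.
SECRET = b"constructed-demo-key"
MAX_DAYS = 7  # how long a tag stays valid after the outbound message is sent


def make_tag(sender: str, sent_on: date, key_id: int = 0) -> str:
    """Rewrite the outbound return path as a BATV-style 'prvs' tagged address.

    The tag is a key id, an expiry day-of-year and a truncated HMAC over both
    plus the original sender, so only the signing side can mint a valid tag.
    """
    expiry = (sent_on + timedelta(days=MAX_DAYS)).timetuple().tm_yday % 1000
    mac = hmac.new(SECRET, f"{key_id}{expiry:03d}{sender}".encode(), hashlib.sha1).hexdigest()[:6]
    return f"prvs={key_id}{expiry:03d}{mac}={sender}"


def check_tag(rcpt: str, today: date) -> Optional[str]:
    """Return the original sender if the NDR recipient carries a valid, unexpired tag, else None."""
    if not rcpt.startswith("prvs="):
        return None  # untagged: either spoofed, or sent via a path that never tagged it
    try:
        tag, sender = rcpt[5:].split("=", 1)
        key_id, expiry, mac = int(tag[0]), int(tag[1:4]), tag[4:10]
    except (ValueError, IndexError):
        return None  # malformed tag
    expected = hmac.new(SECRET, f"{key_id}{expiry:03d}{sender}".encode(), hashlib.sha1).hexdigest()[:6]
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered tag
    # Expiry is a day-of-year mod 1000; the modular distance handles the year boundary.
    if (expiry - today.timetuple().tm_yday % 1000) % 1000 > MAX_DAYS:
        return None  # tag has expired (or claims an impossible future date)
    return sender


def classify_ndr(rcpt: str, today: date, mailbox: str, ndr_backscatter_rule: bool) -> str:
    """Apply the 'New Behavior' from the tables above to an inbound NDR.

    mailbox is "hosted" or "on-premises". Hosted mailboxes always get the tag
    check; on-premises mailboxes only when the NDR backscatter rule is enabled.
    """
    if mailbox == "hosted" or ndr_backscatter_rule:
        return "deliver" if check_tag(rcpt, today) else "spam"
    return "regular-filtering"
```

Running `classify_ndr("alice@contoso.example", some_date, "on-premises", True)` reproduces the footnote's false positive: a genuine NDR for a message that left through an ESP carries no tag, so it is marked as spam.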


Comments (7)

  1. Paul Osborne says:

    Well that is a nice idea but at the same time sounds rather broken, due to:

    1.  not everybody routes their outbound mail through O365 (and so gets EOP signing).

    2.  "You don’t have to turn it on, but nor can you turn it off even if you login to the Exchange Admin Center (EAC) and disable the rule." So the customer has no control over whether it affects their email.

    3.  Legitimate NDRs that originate from customer's own mail services that have been nowhere near O365(EOP) are not going to be delivered.

    So all in, with a mixed environment it seems really rather broken.

  2. AMT says:

    Paul, shouldn't NDRs from legitimate internal mail services reach O365 through connectors that you've already whitelisted? As long as they honor that whitelist, you're still good.

  3. Sal says:

    I have the same issue as Paul. Messages go out through an onsite SMTP server, not O365, but the NDR goes to an O365 account. How can I tell EOP that these are legitimate NDR messages and should be delivered? Our internal server is SMTP only and does not accept messages for delivery. The NDRs go directly to O365 through the SMTP settings in DNS. There is no connector between the two systems, no whitelist to honor.

  4. tzink says:

    @Sal – the only way to tell Office 365 that the messages are legitimate is to disable spam filtering for messages going to that mailbox. You can create an ETR to do this.

  5. Admin says:

    Hybrid Scenario: Mailbox hosted in EXO, but MX is not pointing to EOP. Outbound through EOP. How does Boomerang work here?

  6. Terry Zink says:

    @admin: If outbound is through EOP, but MX not pointing to EOP but mail still gets routed to EOP (e.g., through a connector), then it should still work properly. The header that we look for should be retained within the message.
