Improving Backscatter detection with Boomerang

One of the features we have been working on in Office 365/Exchange Online Protection (EOP) is called Boomerang which is a mechanism to better detect backscatter spam.

 

[Image omitted. Image taken from here.]

 

What is Backscatter?

Backscatter spam occurs when a spammer forges your email address as the sender (in particular as the envelope sender, the MAIL FROM address, which is where bounces are addressed) and sends the message to some random person on the Internet. The random person’s mail server accepts the message and only later discovers that it cannot deliver it. There are a few common reasons this happens:

  • The random person’s mailbox is full
  • The random person’s mail server rejects spam
  • The random person’s email address does not exist

When that happens, the random person’s mail server generates a bounce message (a non-delivery report, or NDR) addressed to the sender, saying “Sorry, I could not deliver this message.” Because the sender address was forged, the NDR does not go back to the spammer who sent the message; it goes to you.

You then receive this NDR in your mailbox, telling you that a message “you” sent could not be delivered. Rather than being informed that your message bounced, your reaction is “Why am I getting bounces for a message I never sent?” Often these bounces contain the original spam, since an NDR usually includes a copy of the undeliverable message, so the spam reaches you after all.

It can be very irritating for end users.

Fighting Backscatter with Boomerang

We currently have some basic backscatter detection in EOP, but we are making it better – much better. The new detection uses a technique called Boomerang, which borrows from how Hotmail prevents backscatter. When a message leaves the service, Boomerang inserts a cryptographic tag (a hash that encodes the original sender and, as in BATV, must be computed with a secret key so that spammers cannot forge it) into the outbound message. When a bounce later comes back addressed to one of our users, Boomerang looks for that tag and verifies it: a bounce carrying a valid tag corresponds to mail we actually sent, while a bounce with no tag, or an invalid one, is backscatter. I won’t go into the full details, but it is similar to Bounce Address Tag Validation (BATV).

Boomerang does more than BATV, however: it is also used to detect conversations between end users, and it takes into account where the end user’s mailbox is located (hosted in Exchange Online or on-premise) when making a filtering decision.
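As an added example (not part of the original post, and not Boomerang’s or EOP’s actual implementation), here is a minimal BATV-style tagger and bounce classifier in Python. It models the prvs address form that BATV uses on the envelope sender; the secret key, tag lifetime, addresses and scenarios are constructed for illustration, and the signature is a plain truncated HMAC rather than the BATV draft’s exact construction. It also shows the failure mode described in footnote [2]: a bounce for mail that left by an untagged path is indistinguishable from backscatter at the tag check.

```python
import hashlib
import hmac
import re
import time

# Constructed per-tenant secret for this example; a real deployment keeps this
# in a key store and rotates it using the one-digit key id below.
SECRET_KEY = b"example-bounce-tag-key-not-for-production"
TAG_LIFETIME_DAYS = 7          # how long a legitimate bounce may take to come back

# BATV-style "prvs" tag on the envelope sender:
#   prvs=<K><DDD><SSSSSS>=<original local part>@<domain>
#   K       one-digit key id (lets the key rotate without invalidating in-flight mail)
#   DDD     expiry day number modulo 1000
#   SSSSSS  first 6 hex chars of an HMAC over (K, DDD, original address)
PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<orig>[^@]+@[^@]+)$"
)


def _day_number(now):
    return int(now // 86400)


def _signature(key_id, day, orig_addr):
    msg = f"{key_id}{day:03d}{orig_addr.lower()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(orig_addr, now=None, key_id=0):
    """Outbound hop: rewrite the envelope sender (MAIL FROM) so that any bounce
    for this message comes back to a tagged address. The From: header is untouched."""
    now = time.time() if now is None else now
    day = (_day_number(now) + TAG_LIFETIME_DAYS) % 1000
    sig = _signature(key_id, day, orig_addr)
    local, domain = orig_addr.rsplit("@", 1)
    return f"prvs={key_id}{day:03d}{sig}={local}@{domain}"


def classify_bounce(rcpt_to, now=None):
    """Inbound hop, called for a message with a null envelope sender (MAIL FROM:<>),
    i.e. a bounce, addressed to rcpt_to. Returns (verdict, original_address_or_None)."""
    now = time.time() if now is None else now
    m = PRVS_RE.match(rcpt_to)
    if m is None:
        # No tag: this hop never sent the original. Either a spoofed message bounced
        # (backscatter) or the original left through a path that did not tag it;
        # the tag check alone cannot tell those two cases apart.
        return "backscatter", None
    key_id, day = int(m["key"]), int(m["day"])
    sig, orig = m["sig"].lower(), m["orig"]
    if not hmac.compare_digest(sig, _signature(key_id, day, orig)):
        return "backscatter", None        # forged or guessed tag
    today = _day_number(now) % 1000
    remaining = (day - today) % 1000      # days until expiry on the 1000-day cycle
    if remaining > TAG_LIFETIME_DAYS:
        return "expired", orig            # tag was valid once; bounce is too late to trust
    return "legitimate", orig


def demo(now):
    """Constructed scenarios; returns the verdict reached for each one."""
    tagged = tag_sender("alice@example.com", now=now)
    sig = tagged[9:15]                    # the six signature characters
    forged = tagged[:9] + ("000000" if sig != "000000" else "111111") + tagged[15:]
    return {
        "legit_bounce": classify_bounce(tagged, now=now)[0],
        "late_bounce": classify_bounce(tagged, now=now + (TAG_LIFETIME_DAYS + 1) * 86400)[0],
        "forged_tag": classify_bounce(forged, now=now)[0],
        # Spammer forged alice@example.com; the bounce comes to the bare address.
        "spoofed_sender": classify_bounce("alice@example.com", now=now)[0],
        # Alice really sent mail, but through a third-party ESP that bypassed the
        # tagging hop: the bounce also arrives untagged and gets the same verdict.
        "untagged_outbound_path": classify_bounce("alice@example.com", now=now)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo(time.time()).items():
        print(f"{name:24s} -> {verdict}")
```

The last two scenarios in demo() are the point of footnote [2]: once the bounce is in hand, a missing tag caused by mail that never traversed the tagging hop looks exactly like a missing tag caused by a forged sender, which is why the only relief is an explicit allow rule for the mailboxes that receive those bounces.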

Enabling Boomerang and Backscatter Prevention

We’ve gone to a lot of effort to ensure that this change is seamless for end users – your filtering experience should get better and you won’t have to do much, if any, work.

  • If you have a hosted mailbox, you don’t have to do anything.

    You will get Boomerang automatically, and it will figure out the right thing to do on its own. You do not have to turn it on, and you cannot turn it off: disabling the NDR backscatter rule in the Exchange Admin Center (EAC) has no effect for hosted mailboxes.

    In the tables below, for both the Current Behavior and New Behavior columns, “regular filtering” includes spoof detection, in which messages that are clearly forged are marked as spam.

    Table of behavior for Backscatter for customers with hosted mailboxes

    NDR Backscatter Setting | Current Behavior                                        | New Behavior
    Off                     | NDRs go through regular filtering                       | Legitimate NDRs are delivered; backscatter is marked as spam
    On                      | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered; backscatter is marked as spam
  • If you are an on-premise customer (that is, inbound email passes through EOP and is relayed to your on-premise mail server), you need to enable it through the Exchange Admin Center (EAC).

    To do this:

    1. Log in to the EAC

    2. Navigate to Admin (top right) –> protection (left side of the screen) –> content filter –> open a policy –> advanced options –> enable NDR backscatter

    You are not required to enable this rule if it is currently off [1]. However, if you send outbound email through Office 365, we recommend turning it on.

    Table of behavior for Backscatter for on-premise customers (without hosted mailboxes)

    NDR Backscatter Setting | Current Behavior                                        | New Behavior
    Off                     | NDRs go through regular filtering                       | NDRs go through regular filtering
    On                      | All NDRs are marked as spam, legitimate and backscatter | Legitimate NDRs are delivered; backscatter is marked as spam

 

IMPORTANT!

If you are an on-premise customer and enable this rule but do not route outbound email through Office 365, all NDRs, legitimate and backscatter alike, will be marked as spam [2]. EOP never had the chance to tag your outbound mail, so none of the returning bounces carry a tag.

  • If you are a hybrid customer and have some of your mailboxes hosted with Exchange Online and some of your mailboxes in your on-premise environment, your experience will be more complex.

    The service will look at where the mailbox is before taking action. It will treat the hosted mailboxes as above – legitimate NDRs will be delivered and backscatter will be marked as spam.

    For the on-premise (non-hosted) mailboxes, it depends on the Advanced Spam Filter (ASF) setting for NDR backscatter. If it is enabled, legitimate NDRs are delivered and backscatter is marked as spam. If it is not enabled, NDRs go through regular filtering, where backscatter may or may not be caught.

    We recommend enabling this rule if all of your outbound email flows through EOP. If you have a split scenario where some outbound email flows through EOP and some does not, enabling this rule will generate false positives: legitimate NDRs for the mail that bypassed EOP carry no tag and will be marked as spam. If you do not enable the rule, however, backscatter may reach your on-premise mailboxes because the regular spam filter may not catch it.

Conclusion

We hope that this helps customers catch more backscatter spam than previously. If you have problems with this feature – either it catches too much or not enough – please let us know.

Thanks for reading.


[1] Some customers have problems with backscatter spam; by enabling the Advanced Spam Filter rule today, backscatter does go down, but unfortunately legitimate NDRs are marked as spam as well. Boomerang solves that problem.

However, many other customers do not have problems with backscatter and therefore do not have the Advanced Spam Filter rule enabled. After Boomerang is released, these customers will have the same experience as before and do not need to enable it. If they send outbound email through EOP, we still recommend enabling it so that they have proactive protection in case backscatter ever does become a problem in the future.

[2] Boomerang works by looking for its cryptographic tag in the bounce message. If the bounce does not contain the tag, Boomerang concludes that the message is backscatter. Outbound messages that do not flow through EOP never receive the tag, yet their bounces may still come back in through EOP. Boomerang will then treat the missing tag as evidence that the original message was spoofed, when in reality the message was simply never tagged. There is no way to sync that information back to EOP, so if the ASF rule is enabled, those legitimate NDRs are marked as spam.

This is true for every path by which outbound email leaves your domain without passing through EOP. If your domain's MX record points to EOP and you send outbound email:

  • Through your own on-premise mail server direct to the Internet, and it bounces back into EOP
  • Through third party bulk email providers (ESPs), and mail bounces back into EOP
  • Through third party hosting infrastructure, and mail bounces back into EOP

All of these NDRs will be marked as spam if you have a hosted tenant; if you are an on-premise tenant and have enabled the ASF rule for backscatter; or if you are a hybrid customer with mail flow configured as described in the hybrid section above. There is no way to turn off this behavior, as explained above. The only workaround is to create an Exchange transport rule that bypasses spam filtering (sets the SCL to -1) for NDRs addressed to the specific mailbox or mailboxes your bounces are directed to.