Introducing NDR backscatter storm prevention


A few weeks ago, we rolled out NDR backscatter protection with Boomerang for hosted mailboxes in Office 365, and that change is going live this week for customers with on-premises mail servers.

Next up is a feature that builds on top of Boomerang – NDR backscatter storm prevention.

What is an NDR backscatter storm?

Well, normally when a spammer spoofs you and sends a message elsewhere on the Internet, and that elsewhere bounces the message back to you, that’s backscatter. If a single message or two lands in your inbox, that’s annoying.

However, if a spammer spoofs you and sends 10,000 messages as you and all of them bounce back and land in your inbox, that’s not just annoying – it renders your email inbox unusable because all of the NDRs overwhelm the rest of the messages. You can’t find anything. It also slows down your mailbox because of the high volume of messages in there. It’s a situation some people within Microsoft experienced a few weeks ago.

Now that we have Boomerang protection, these types of NDR backscatter messages will get marked as spam. That helps keep your inbox clean, but it fills up your junk mail folder or spam quarantine. That, too, can slow down your mailbox or make it difficult to look through for an actual message you may have missed. It’s a denial-of-service attack on a human; a machine can handle that load of messages, but a human cannot.

Where NDR backscatter storm prevention helps is that it can automatically detect if you’re getting a storm of backscatter messages within a short period of time. If so, the first 10 messages get marked as spam, but the rest of the storm is deleted. It lands neither in your inbox nor in your junk folder (or spam quarantine); the messages are dropped. You can tell when this happens because you’ll see a bunch of NDRs in your junk folder that are all identical. But those NDRs represent only a fraction of what would have hit you. The service has gotten in the way and prevented further delivery.


The deleted messages still show up in a message trace with the action that the service took, so you can still see what happened to them. That is, there is still visibility into these types of messages and the route after they were accepted by the service.
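To make the policy above concrete, here is an added simulation of it (this is not EOP's own code, and the 60-second window is an assumed value; the post only says "a short period of time"): per recipient, backscatter NDRs flagged by Boomerang are counted in a sliding window, the first 10 go to junk, the rest are dropped, and every decision is written to a trace the way a message trace would show it.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

STORM_JUNK_LIMIT = 10      # first 10 backscatter NDRs are junked (from the post)
STORM_WINDOW_SECONDS = 60  # "short period of time": assumed value, not from the post


@dataclass
class Message:
    ts: float             # arrival time in seconds
    recipient: str
    is_backscatter: bool  # True when Boomerang flagged it as an NDR for a spoofed message


class StormPrevention:
    """Per-recipient sliding-window counter that decides deliver / junk / drop."""

    def __init__(self, limit=STORM_JUNK_LIMIT, window=STORM_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)  # recipient -> arrival times of recent backscatter
        self.trace = []                   # (ts, recipient, action), as a message trace would show

    def handle(self, msg: Message) -> str:
        if not msg.is_backscatter:
            action = "deliver"            # ordinary mail is untouched by this feature
        else:
            q = self.recent[msg.recipient]
            while q and msg.ts - q[0] > self.window:   # expire entries outside the window
                q.popleft()
            q.append(msg.ts)
            # first `limit` NDRs in the window are junked; beyond that the storm is dropped
            action = "junk" if len(q) <= self.limit else "drop"
        self.trace.append((msg.ts, msg.recipient, action))
        return action

    def counts(self, recipient: str) -> dict:
        """Summarise the trace for one recipient: {action: count}."""
        summary = defaultdict(int)
        for _, rcpt, action in self.trace:
            if rcpt == recipient:
                summary[action] += 1
        return dict(summary)


def simulate_storm(total_ndrs: int = 25) -> dict:
    # Constructed sample: 25 identical NDRs arriving one per second, one legitimate
    # message in the middle of the storm, then a lone NDR long after the window expired.
    svc = StormPrevention()
    for i in range(total_ndrs):
        svc.handle(Message(ts=float(i), recipient="alice@example.com", is_backscatter=True))
        if i == 12:
            svc.handle(Message(ts=12.5, recipient="alice@example.com", is_backscatter=False))
    svc.handle(Message(ts=500.0, recipient="alice@example.com", is_backscatter=True))
    return svc.counts("alice@example.com")
```

Running `simulate_storm()` shows only a handful of identical NDRs reaching junk while the bulk of the storm is dropped, and the isolated NDR after the window is junked normally rather than dropped.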

This scenario is definitely a corner case. The number of people this affects is small – it’s only likely to happen with a mail bomb where someone gets mad at someone else and spoofs their email address in an attempt to DoS them with NDRs [1]. But when it happens, it’s frustrating to the person it’s happening to.

And now [2] we have protection for it.


[1] While adaptable for other cases of mail bomb campaigns, the feature right now is only addressing NDR backscatter attacks.


[2] By “now”, I mean we are in the process of rolling it out, and it should be available by the end of May 2015.


Comments (4)

  1. Mike Crowley says:

    EOP has had backscatter protection for a while (protection > content filter > advanced > NDR backscatter). Why is this new feature necessary?

  2. tzink says:

    @Mike Crowley: Backscatter protection sends backscatter into your junk folder. But a backscatter storm - say 25,000 messages - would flood your junk folder or quarantine and make it harder to search. This feature prevents it from being flooded.

  3. Mike Crowley says:

    Thanks for your reply Terry! I thought hits on the lower list of advanced options triggered the high-confidence spam action (for example, the one on SPF failures does). Is this new feature to protect customers who have the high-confidence spam action set to "junk email folder"? Is the guidance to enable both settings, once available?

  4. Terry Zink says:

    @Mike Crowley: It does help customers who have set it to "junk email folder" but it also helps customers who have spam quarantine since there are some users who look for email in their quarantine, and 25,000 messages makes it hard to search.

    You don't need to enable this setting. The guidance in the blog post is the same: if you send outbound email through EOP, turn the setting on. If you're a hosted customer, no action is needed.
