One of the filtering agents that is NOT enabled by default in Forefront Protection 2010 for Exchange Server is “Backscatter Filtering”. Backscatter is a problem that has been known to Exchange admins for a long time. In short, backscatter is a DSN (Delivery Status Notification) delivered to a recipient who never sent the original mail in the first place.
We can block backscatter with the new Backscatter Filtering agent in Forefront Protection 2010. In order to enable it, open the Forefront console and navigate to “Policy Management -> Antispam -> Configure”.
In the “Backscatter Filter” section, check the box “Enable Backscatter Filtering”. As it clearly says, the Exchange Transport service has to be stopped and started for the changes to take effect.
We are not done yet! We need to generate a set of backscatter keys and distribute them to all servers that participate in sending/receiving inbound or outbound emails. If you have only one HUB server in your environment, click the “Generate” button and you are done.
If you have many transport servers, including Edge servers, generate the keys on one of the servers, export them to a specified location, copy them across to the next transport server and import them. Click the “Generate” button only ONCE in your Exchange Organization.
You should generate another set of keys ONLY if your existing keys are compromised.
Now, how does this agent work? When emails are sent out, the agent adds a token to the P1.MailFrom address (the SMTP envelope sender). When it receives a DSN from the Internet, it checks whether the message has a token. If the DSN has a token, the agent checks whether the token computes correctly and whether the DSN has arrived within an acceptable time after the original email was sent. If the DSN doesn’t have a token, the agent blocks it.
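To make the token check concrete, here is an added example in Python. It is not from the original post and is not Forefront's own code or token format: the `bs=day=mac=address` layout, the use of HMAC-SHA256 and the 7-day window are assumptions chosen for illustration.

```python
import hashlib
import hmac

MAX_AGE_DAYS = 7  # assumed acceptance window; the post does not give the product's value

def _mac(key: bytes, day: int, addr: str) -> str:
    # Keyed MAC over the send day and the original sender, truncated for address length.
    msg = f"{day}:{addr.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

def tag_sender(addr: str, key: bytes, now: float) -> str:
    """Outbound mail: rewrite the envelope sender to carry a dated, keyed token."""
    day = int(now // 86400)
    return f"bs={day}={_mac(key, day, addr)}={addr}"

def check_dsn(rcpt: str, key: bytes, now: float):
    """Inbound DSN: validate the token in the envelope recipient.
    Returns (verdict, original_address_or_None)."""
    parts = rcpt.split("=", 3)
    if len(parts) != 4 or parts[0] != "bs":
        return ("reject: no token", None)
    _, day_s, mac, addr = parts
    if not (day_s.isascii() and day_s.isdigit()):
        return ("reject: malformed token", None)
    day = int(day_s)
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(mac.encode(), _mac(key, day, addr).encode()):
        return ("reject: bad token", None)
    age = int(now // 86400) - day
    if age < 0 or age > MAX_AGE_DAYS:
        return ("reject: outside time window", None)
    return ("accept", addr)

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; stands in for the shared backscatter key
    sent = 1_700_000_000            # constructed send time (epoch seconds)
    tagged = tag_sender("alice@example.com", key, sent)
    print(tagged)
    print(check_dsn(tagged, key, sent + 2 * 86400))       # genuine bounce, 2 days later
    print(check_dsn("alice@example.com", key, sent))      # forged bounce, no token
    print(check_dsn(tagged, key, sent + 30 * 86400))      # replayed token, too old
```

Verification recomputes the MAC from the key, so a server holding a different key rejects every genuine bounce as a bad token. That is why the keys are generated once and imported on every transport server.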
No more confusing DSNs for the end user!