Overview
Your users are receiving a large number of NDR spam messages. These appear as email bounce backs for messages they never sent.
Solution
To fix the issue, please follow the steps mentioned below:
- Open the GFI MailEssentials Configuration UI
- Navigate to Content Filtering > Advanced Content Filtering
- Create a new rule:
  - Give it a descriptive name (such as NDR Spam)
  - Choose Header and Contains as the condition
  - Enter Return-Path: <> as the value for the rule
  - Apply the rule for Inbound, Outbound, and Internal
- Configure the spam action in the Actions tab as desired
- Apply the changes
- Ensure that the rule is enabled by checking the box next to the rule you created and clicking Enabled selected.
Note: Since most legitimate emails have a valid return path, this should prevent the recurrence of such directory harvesting attacks.
- Repeat the above steps and create another rule, using "R e t u r n - P a t h : < >" as the value (note that this value has spaces between the characters).
Note: It has been observed that spammers sometimes use this technique to circumvent filters. It is recommended to implement this content filtering rule as well, to ensure optimal protection.
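To preview what the two rules above would catch, the following added example (not part of GFI MailEssentials or its documentation) checks raw message headers for a null Return-Path in both the plain and the spaced form. The function names and sample messages are constructed for illustration, and matching by stripping whitespace is an assumption that approximates the Header/Contains condition, not GFI's own matching logic.

```python
import re

# Constructed sample messages for illustration (example domains, not real traffic).
SAMPLES = {
    "null_path": "Return-Path: <>\r\nFrom: MAILER-DAEMON@mx.example.net\r\n"
                 "Subject: Undeliverable\r\n\r\nDelivery failed.\r\n",
    "spaced": "R e t u r n - P a t h : < >\r\nFrom: postmaster@mx.example.net\r\n"
              "Subject: Returned mail\r\n\r\nSee attachment.\r\n",
    "folded": "Return-Path:\r\n <>\r\nSubject: failure notice\r\n\r\nbody\r\n",
    "normal": "Return-Path: <alice@example.com>\r\nFrom: alice@example.com\r\n"
              "Subject: Lunch\r\n\r\nThe bounce said Return-Path: <> earlier.\r\n",
}


def header_lines(raw):
    """Return the unfolded header lines (everything before the first blank line)."""
    block = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    block = re.sub(r"\r?\n[ \t]+", " ", block)  # join folded continuation lines
    return block.splitlines()


def has_null_return_path(raw):
    """True if any header line is a null Return-Path, ignoring spacing and case."""
    for line in header_lines(raw):
        if re.sub(r"\s+", "", line).lower() == "return-path:<>":
            return True
    return False


def classify(samples):
    """Map each sample name to whether the rule pair would match it."""
    return {name: has_null_return_path(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:10s} {'MATCH' if hit else 'pass'}")
```

Genuine bounces and auto-replies also carry a null return path, so running this over a sample of recent inbound mail shows how much legitimate NDR traffic the rules would catch before you choose the spam action.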
You can enable Directory Harvesting for additional protection:
- Navigate to Anti-Spam > Anti-Spam Filters > Directory Harvesting.
- Select the Enable directory harvesting protection checkbox.
- Change the configured value for Block if non-existent recipients equal or exceed from 2 to 1.
- (Optional) Configure Directory Harvesting to operate at the SMTP level:
  - Navigate to Anti-Spam > Filter Priority.
  - Open the SMTP Transmission Filtering tab.
  - Locate Directory Harvesting.
  - Click on the Switch button so that it reads "Filtering during SMTP transmission".
- Click Apply to save settings.
Note: If the Directory Harvesting filter is operating in Full Email mode, please check the spam actions under the Actions tab in the Directory Harvesting filter, since the default spam action for the filter is to deliver the email to users' inbox.
- Make sure that the Microsoft Exchange Recipient Filtering is disabled.
Testing
After applying the steps above, your users should not receive any more NDR spam.