Hello all,
It looks like there is a flaw by design in Exchange 2013 recipient validation, which in turn causes backscatter issues. I failed to find a way around it, maybe someone could help.
The Design: 2 x Exchange 2013 CAS servers (hardware NLB) + 2 Exchange 2013 Mailbox servers (DAG).
Version: Exchange Server 2013 Cumulative Update 3 (CU3) (Version 15.0 (Build 775.38))
The issue:
Recipient validation has a flaw, which is documented (probably that should make it a "feature", but it doesn't):
In short - recipient validation on Mailbox servers blocks the message to all recipients if at least one of them is non-existent.
http://social.technet.microsoft.com/Forums/office/en-US/12181f43-7173-44dd-998a-9307f92ffc5d/exchange-2013-casmbx-recipient-validation-rejects-entire-message-if-any-of-recipients-are-invalid
As there is no way to explain to a customer the logic of blocking e-mails to valid recipients if at least one of them is invalid, recipient validation on Mailbox servers becomes unusable and is disabled.
But if recipient validation is disabled, an Exchange design without Edge servers or other perimeter SMTP servers that could block e-mails to non-existent recipients becomes vulnerable to backscatter SPAM attacks, since Exchange will always send out an NDR to the FROM address.
According to the answer in the thread mentioned above, other antispam features should prevent it, but as always with antispam - it's not even close to 100% effective, as recipient validation would be. The result - an entry in backscatterer.org.
Question: How to prevent backscatter in Exchange 2013 without Edge servers, and without losing valid e-mails due to the recipient validation bug ("feature")?
Thank you for your help.
Sincerely,
Vince
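The trade-off described in the post above, as an added worked model that is not part of the original post and is not Exchange code: a small simulator of one inbound SMTP envelope under three recipient-handling policies. "No validation" accepts every RCPT TO and later bounces unknown users to the envelope sender (the backscatter case), "per-recipient" refuses only the unknown RCPT TO with a 550 during the session, and "all-or-nothing" models the behaviour the post describes, where one unknown recipient causes the whole message to be rejected. The recipient directory, the two sample envelopes and the policy names are constructed for this example.

```python
"""Constructed model of how the placement of recipient validation affects
backscatter. Illustrative Python, not Exchange code: the directory, the
messages and the three policies are assumptions made for the example."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set, Tuple


class Policy(Enum):
    NO_VALIDATION = auto()   # accept every RCPT TO, send NDRs for unknown users later
    PER_RECIPIENT = auto()   # 550 only the unknown RCPT TO, deliver to the rest
    ALL_OR_NOTHING = auto()  # reject the whole message if any recipient is unknown


@dataclass
class Outcome:
    delivered: List[str] = field(default_factory=list)           # valid recipients that got the mail
    refused_in_session: List[str] = field(default_factory=list)  # refused with 550 during SMTP; no NDR from us
    ndr_to: Optional[str] = None                                 # envelope sender we bounce to, if any
    whole_message_rejected: bool = False


def smtp_session(policy: Policy, mail_from: str, rcpt_to: List[str], directory: Set[str]) -> Outcome:
    """Simulate one inbound SMTP envelope under the given policy."""
    out = Outcome()
    known = [r for r in rcpt_to if r.lower() in directory]
    unknown = [r for r in rcpt_to if r.lower() not in directory]

    if policy is Policy.PER_RECIPIENT:
        # Unknown users are refused at RCPT TO (550 5.1.1) while the session
        # continues for the valid ones. No message for an unknown user is ever
        # accepted, so this server never has to generate an NDR for it.
        out.refused_in_session = unknown
        out.delivered = known
    elif policy is Policy.ALL_OR_NOTHING:
        # One unknown recipient sinks the entire message, valid recipients included.
        if unknown:
            out.whole_message_rejected = True
            out.refused_in_session = list(rcpt_to)
        else:
            out.delivered = known
    else:  # Policy.NO_VALIDATION
        # Everything is accepted. Delivery to unknown users fails afterwards and
        # an NDR goes to the envelope sender, which a spammer can forge freely.
        out.delivered = known
        if unknown:
            out.ndr_to = mail_from
    return out


def tally(policy: Policy, messages: List[Tuple[str, List[str]]], directory: Set[str]) -> Tuple[int, int]:
    """Return (NDRs this server sent, valid deliveries lost) over a batch of envelopes."""
    ndrs = 0
    lost_valid = 0
    for mail_from, rcpt_to in messages:
        out = smtp_session(policy, mail_from, rcpt_to, directory)
        if out.ndr_to is not None:
            ndrs += 1
        if out.whole_message_rejected:
            lost_valid += sum(1 for r in rcpt_to if r.lower() in directory)
    return ndrs, lost_valid


# Constructed directory and traffic for the demonstration.
DIRECTORY = {"alice@example.com", "bob@example.com"}
MESSAGES = [
    # Spam with a forged sender, addressed to one real and one made-up mailbox.
    ("victim@forged.example", ["alice@example.com", "nobody@example.com"]),
    # Legitimate mail to two real mailboxes.
    ("partner@other.example", ["alice@example.com", "bob@example.com"]),
]

if __name__ == "__main__":
    for policy in Policy:
        ndrs, lost = tally(policy, MESSAGES, DIRECTORY)
        print(f"{policy.name:15} NDRs to (possibly forged) senders: {ndrs}  valid deliveries lost: {lost}")
```

Running it shows the tension the post is about: only the per-recipient policy produces neither an NDR to the forged sender nor a lost delivery to alice; disabling validation keeps alice's mail but bounces to the forged address, and the all-or-nothing behaviour avoids the bounce at the cost of the legitimate copy. A 550 returned during the session still leads the sending MTA to bounce, but that bounce comes from the sender's own server to its own user, which is why refusing at RCPT TO is not counted as backscatter from this server.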