A few weeks ago, we rolled out NDR backscatter protection with Boomerang for hosted mailboxes in Office 365, and that change is going live this week for customers with on-premises mail servers.
Next up is a feature that builds on top of Boomerang – NDR backscatter storm prevention.
What is an NDR backscatter storm?
Well, normally when a spammer spoofs you and sends a message elsewhere on the Internet, and that remote server bounces the message back to you, that’s backscatter. If a single message or two lands in your inbox, that’s annoying.
However, if a spammer spoofs you and sends 10,000 messages as you and all of them bounce back and land in your inbox, that’s not just annoying – it renders your email inbox unusable because all of the NDRs overwhelm the rest of the messages. You can’t find anything. It also slows down your mailbox because of the high volume of messages in there. It’s a situation some people within Microsoft experienced a few weeks ago.
Now that we have Boomerang protection, these types of NDR backscatter messages will get marked as spam. That helps keep your inbox clean, but it fills up your junk mail folder or spam quarantine. That, too, can slow down your mailbox or make it difficult to look through for an actual message you may have missed. It’s a denial-of-service attack on a human; a machine can handle that load of messages but a human cannot.
Where NDR backscatter storm prevention helps is that it can automatically detect if you’re getting a storm of backscatter messages within a short period of time. If so, the first 10 messages get marked as spam but the rest of the storm is deleted. Those messages land in neither your inbox nor your junk folder (or spam quarantine); they are simply dropped. You can tell when this happens because you’ll see a bunch of NDRs in your junk folder that are all identical. But those NDRs represent only a fraction of what would have hit you. The service has gotten in the way and prevented further delivery.
The deleted messages still show up in a message trace with the action that the service took, so you can still see what happened to them. That is, there is still visibility into these types of messages and the path they took after the service accepted them.
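The threshold-and-drop rule from the two paragraphs above, written out as an added Python sketch that is not Microsoft's code: it takes the Boomerang verdict as an input flag, assumes a 10-minute window for "a short period of time", and records every decision in a trace list standing in for the message trace.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Illustrative assumptions, not the service's real thresholds or window.
SPAM_LIMIT = 10          # first N backscatter NDRs per recipient are junked
WINDOW_SECONDS = 600     # "short period of time" assumed to be 10 minutes


@dataclass
class Ndr:
    recipient: str
    received_at: float    # epoch seconds when the NDR arrived
    is_backscatter: bool  # True when the Boomerang check flags the bounce as backscatter


@dataclass
class StormFilter:
    spam_limit: int = SPAM_LIMIT
    window: float = WINDOW_SECONDS
    _recent: dict = field(default_factory=lambda: defaultdict(deque))
    trace: list = field(default_factory=list)  # (recipient, time, action) per message

    def decide(self, ndr: Ndr) -> str:
        """Return 'deliver', 'spam' or 'drop' for one NDR and log it to the trace."""
        if not ndr.is_backscatter:
            action = "deliver"  # genuine bounce for mail the user really sent
        else:
            q = self._recent[ndr.recipient]
            # Sliding window: forget backscatter older than the window.
            while q and ndr.received_at - q[0] > self.window:
                q.popleft()
            q.append(ndr.received_at)
            # Up to spam_limit hits go to junk; everything beyond that is dropped.
            action = "spam" if len(q) <= self.spam_limit else "drop"
        self.trace.append((ndr.recipient, ndr.received_at, action))
        return action


def run_storm(count=25, recipient="victim@contoso.example", start=0.0):
    """Constructed sample: `count` backscatter NDRs arriving one second apart."""
    f = StormFilter()
    actions = [f.decide(Ndr(recipient, start + i, True)) for i in range(count)]
    return actions, f.trace
```

The trace still holds one entry for every dropped message, which is the visibility the post describes.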
This scenario is definitely a corner case. The number of people this affects is small – it’s only likely to happen with a mail bomb where someone gets mad at someone else and spoofs their email address in an attempt to DoS them with NDRs [1]. But when it happens, it’s frustrating to the person it’s happening to.
And now [2] we have protection for it.
[1] While adaptable for other cases of mail bomb campaigns, the feature right now is only addressing NDR backscatter attacks.
[2] By “now”, I mean we are in the process of rolling it out, and it should be available by the end of May 2015.