Messaging Gateway

  • 1.  Undeliverables are not scanned or audited

    Posted Nov 09, 2008 04:40 PM
    We are being spoofed from the outside a lot lately, and we are receiving a lot of bounce-back messages, NDRs, undeliverables (whatever you want to call them). However, these messages are not appearing in the audit log, and are not being blocked by the rules we created to quarantine them. Is there any way to quarantine these messages? It appears that the Symantec Mail Security Appliances allow the Undeliverables through without any scanning (Compliance/Spam).


  • 2.  RE: Undeliverables are not scanned or audited

    Posted Nov 10, 2008 02:27 PM

    Hello,

     

    The point you made that concerns me is that you are saying they are not showing up in the Audit logs. All messages should show here as long as you have the Audit logs enabled. Are you seeing other messages in these logs? If so, is there any way around the appliance such as a secondary MX record? Many times spammers will directly target these in order to bypass filtering.

     

    Also it sounds like you are seeing NDR "Backscatter". These are fairly widespread right now. Symantec is looking into better ways of filtering these types of attacks so you should continue to see this improve.

     

    Again, we should not allow these to go unfiltered or at least not unreported. Please verify these couple of things and let me know.

     

    Thanks!



  • 3.  RE: Undeliverables are not scanned or audited

    Posted Nov 10, 2008 02:41 PM

    I opened a ticket today with Symantec. It was an odd issue that was occurring; it is still occurring, but I have created a rule to stop the end users' mailboxes from being flooded with NDRs.

     

    Basically, our email addresses were being spoofed on the outside to send spam; however, the recipient address was the same address as the sender's.  The spoofed message was classified as spam, so the appliance sent an NDR to the sender (which was the same address), and ultimately the NDR was still delivered to our local domain.

     

    This is why we did not see any traces in the audit log for these messages, because it was the appliance which generated the NDRs.

     

    I believe this is a concern, but the appliance is working as designed, from a process perspective.  It is concerning to us though.
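
The condition described in post 3 (an external message whose envelope sender and recipient are the same local address, classified as spam and then bounced back into the local domain) can be checked for in gateway transaction data. The following is an added example, not part of the original thread and not Symantec code; the record layout, field names, `example.com` domain and internal network range are assumptions made for illustration.

```python
import ipaddress

# Constructed sample records (not a real appliance log format): one dict per
# inbound SMTP transaction as seen at the gateway.
SAMPLE = [
    {"id": "m1", "src": "203.0.113.7", "mail_from": "alice@example.com",
     "rcpt_to": "Alice@Example.com", "verdict": "spam"},
    {"id": "m2", "src": "10.0.0.5", "mail_from": "bob@example.com",
     "rcpt_to": "bob@example.com", "verdict": "clean"},
    {"id": "m3", "src": "198.51.100.9", "mail_from": "carol@example.net",
     "rcpt_to": "alice@example.com", "verdict": "spam"},
    {"id": "m4", "src": "203.0.113.8", "mail_from": "<dave@example.com>",
     "rcpt_to": "dave@example.com", "verdict": "clean"},
]

LOCAL_DOMAINS = {"example.com"}                      # assumed local domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

def _norm(addr):
    """Split an envelope address into (local, domain), lower-cased.
    Lower-casing the local part is a simplification for matching."""
    addr = addr.strip().strip("<>").lower()
    local, _, domain = addr.rpartition("@")
    return local, domain

def is_internal(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in INTERNAL_NETS)

def classify(rec):
    """'self-bounce': bouncing this message sends an NDR to a local mailbox.
    'spoofed-self': same spoofing pattern, but not flagged as spam.
    None: the record does not match the pattern from the thread."""
    sender, rcpt = _norm(rec["mail_from"]), _norm(rec["rcpt_to"])
    if is_internal(rec["src"]):
        return None                      # legitimate internal self-mail
    if sender[1] not in LOCAL_DOMAINS or sender != rcpt:
        return None                      # not a local address mailing itself
    return "self-bounce" if rec["verdict"] == "spam" else "spoofed-self"

def report(records):
    return {r["id"]: c for r in records if (c := classify(r))}

if __name__ == "__main__":
    print(report(SAMPLE))
```

Messages tagged `self-bounce` are the ones for which a bounce action produces a gateway-generated NDR addressed to a local user; dropping or quarantining them instead of bouncing avoids that delivery.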