EOP backscatter not working?
We enabled our DMARC reject policy at 100% a few days ago, but now I'm finding that some spammers are using our DMARC policy against us. I think this is an RNDR-style attack that's targeting us, not another org. They're crafting emails FROM UserA sending TO UserA. Message trace shows the original email fails our domain's DMARC policy and is dropped, but then Exchange Online generates an NDR and sends it to UserA with the failed message attached, circumventing the whole point of DMARC.
I looked into this, and it looks like the EOP anti-spam policy setting "backscatter" is meant to directly combat this, but after turning the setting on I'm still able to reproduce the same results. Does anyone know if this takes 24-48 hours to start working?
Outside of disabling NDRs altogether, I don't really know what else to do. I don't think system-generated messages pass through mail flow rules, so I can't block them there either. I tried a mail flow rule that was: if userA is sender and userA is recipient, and header properties authentication-result matches "demarc=fail action=reject" or "demarc=fail action=oreject", then silent drop and generate report to userB. This rule worked and didn't generate an NDR, and still sent a report to UserB. But if I make the rule less specific to match our entire domain, it doesn't work.
Ex. "if sender matches word/phrase @maildomain1.com" AND "if recipient matches word/phrase @maildomain1.com" AND authentication-result matches "demarc=fail action=reject" or "demarc=fail action=oreject", then silent drop and generate report to userB.
Any insight is appreciated.
The only other option I can think of is switching our DMARC policy from reject to quarantine to stop DMARC-fail NDRs, and then using a mail flow rule to target all emails with DMARC=fail and silent drop them.
That would do it for now until Microsoft fixes the oversight.
u/disclosure5 has some insight on this behavior.
This appears to be an issue with how O365 filters their own NDRs for DMARC rejection, and they are not subject to backscatter spam filtering oddly.
This only started occurring once Microsoft introduced the new "Honor DMARC policy" setting in anti-phishing.
Well that's frustrating. I'm assuming you're referring to this change dated 7/19/23 https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883
I can't be the only one trying to combat this. Do you know what others have done to try and stop it? Or is there nothing we can do outside of educating users?
So we're also experiencing this issue of domain spoofing, where they're editing the header to reflect that user A is receiving email from user A, and without looking at the source you'd have no idea...
You can add SPF and DKIM records to your domain as well, which helps. You can also just set an Exchange rule (we're on prem, but I'd imagine you have a similar option in O365) where, if it's received with our domain name from an outside source, it's blocked automatically.
Good luck
I added a transport rule to delete anything without notifying when an incoming email fails DMARC/DKIM/SPF from our domain.
No NDR is generated, no backscatter issues :)
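The domain-wide silent-drop rule that the original post tried to build, and that the last reply says works for them, written out as an Exchange Online PowerShell example (added here; not code from anyone in the thread). It assumes the domain and report recipient from the post (maildomain1.com, userB) and uses domain-scope conditions (SenderDomainIs / RecipientDomainIs / FromScope) instead of "matches word/phrase"; the header token EOP stamps is `dmarc=fail action=reject` or `dmarc=fail action=oreject`.

```powershell
# Added example, not from the thread: an Exchange Online mail flow rule that
# silently drops inbound mail which claims to be FROM our domain, is sent TO
# our domain, and carries a DMARC failure in the EOP-stamped
# Authentication-Results header. DeleteMessage drops without an NDR, so no
# bounce (with the spoofed message attached) goes back to the spoofed user.
# Placeholders: maildomain1.com and userB@maildomain1.com come from the post.

Connect-ExchangeOnline

$domain   = 'maildomain1.com'
$reportTo = 'userB@maildomain1.com'

New-TransportRule -Name 'Drop self-spoofed DMARC failures (no NDR)' `
    -Comments 'External mail spoofing our own domain to our own users; silent drop avoids backscatter NDRs' `
    -FromScope NotInOrganization `
    -SenderDomainIs $domain `
    -RecipientDomainIs $domain `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=fail action=reject','dmarc=fail action=oreject' `
    -DeleteMessage $true `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender,Recipients,Subject,RuleDetections,AttachOriginalMail `
    -Mode Enforce

# Confirm the rule landed and review its conditions.
Get-TransportRule -Identity 'Drop self-spoofed DMARC failures (no NDR)' |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, RecipientDomainIs,
                HeaderContainsMessageHeader, HeaderContainsWords, DeleteMessage
```

Run it with `-Mode Audit` first and watch the incident reports to userB: that confirms whether the rule actually sees these messages ahead of the "Honor DMARC policy" rejection in your tenant before you switch to Enforce.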