Appliance Blocking Legitimate NDRs and Out of Office Messages

We are having an issue with legitimate NDRs and Out of Office messages being quarantined as spam. When I look at the reason it is almost always our "Bounce Messages" rule. I don't want to shut this rule off because backscatter spam has been a big problem for us. I have a support ticket open but it seems to have gone into the "Sophos Labs" black hole.

Any ideas for ensuring legitimate NDRs and Out of Office messages are delivered?

  • It may be that the domain sending the NDRs is not using the BATV tag correctly. If you check the headers of one of those quarantined email messages, the recipient should have a prvs= with a code. Otherwise the appliance will not recognize that message as a legitimate returning bounce.
  • I don't see prvs= in the header but I'm not positive I'm looking in the right place. I should also note that this issue isn't limited to a single recipient. It is happening for multiple senders and recipients.
  • On your Bounce Messages policy -> Under Rule Config -> can you tell me if you have both options checked/enabled? (Enabled Bounce Address Tag Verification (BATV) & Treat all auto-responders identified by SophosLabs as bounces)
  • Yes, both options are enabled. I considered disabling the "Treat all auto-responders identified by SophosLabs as bounces" but I was reluctant to do so without having a good understanding of what this setting will change.

    Before we created this rule we were inundated with backscatter spam. Preventing the backscatter is more of a priority than the inconvenience of not receiving legitimate bounces but I'm hoping we can do both.
  • Hi Blue-Canuck, Any thoughts regarding my Bounce Messages policy? My support ticket concluded "The Labs' observation regarding the OOO mails were that they shows no signs of SPAM."

    If they showed no signs of SPAM I'm a little confused as to why the messages were quarantined.
  • Besides the Bounce Message policy, do you have other policies for Outbound email?

    Are you seeing your NDR and out of office emails going through your email appliance (from Search -> Mail Logs)?

    If yes, are the emails hitting any policies?
  • Hi astevens

    Try making a separate rule, one with the "Treat all auto-responders identified by SophosLabs as bounces" but without "Enabled Bounce Address Tag Verification (BATV)" and the other rule with the other option checked, see which option is catching the legitimate NDRs.

    You may have to exclude some sender domains from whichever rule is triggering.
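As an added illustration of the BATV tagging the first reply describes and the per-domain exclusion the last reply suggests (example code written for this thread, not Sophos code and not posted by anyone here): an outbound MAIL FROM is rewritten to prvs=KDDDSSSSSS=original, and an inbound null-sender message is accepted as a legitimate bounce only when that tag verifies and has not expired, so a bounce whose return address was never tagged looks exactly like backscatter. The signing key, the fixed clock in the comments and the truncated HMAC-SHA1 construction are assumptions of this example.

```python
import hashlib
import hmac
import re
import time

# Constructed demo key. A real gateway keeps its own secret; key id 0 is the only one here.
BATV_KEYS = {0: b"constructed-demo-key"}
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+@.+)$", re.IGNORECASE)
MAX_AGE_DAYS = 7  # tag lifetime; DDD is the expiry day number


def day_number(ts=None):
    """Days since the Unix epoch, modulo 1000 (the DDD field)."""
    return (int(time.time() if ts is None else ts) // 86400) % 1000


def _sig(key, ddd, orig):
    # Assumption: truncated HMAC-SHA1 over expiry day + address; the BATV draft
    # leaves the exact hash construction to the implementer.
    mac = hmac.new(key, f"{ddd:03d}{orig.lower()}".encode(), hashlib.sha1)
    return mac.hexdigest()[:6]


def sign(orig, key_id=0, ts=None):
    """Rewrite an outbound MAIL FROM as prvs=KDDDSSSSSS=orig."""
    ddd = (day_number(ts) + MAX_AGE_DAYS) % 1000
    return f"prvs={key_id}{ddd:03d}{_sig(BATV_KEYS[key_id], ddd, orig)}={orig}"


def verify(rcpt, ts=None):
    """Check the RCPT TO of an inbound bounce: returns (status, original address)."""
    m = TAG_RE.match(rcpt)
    if not m:
        return "untagged", None
    key_id, ddd, sig, orig = int(m[1]), int(m[2]), m[3].lower(), m[4]
    key = BATV_KEYS.get(key_id)
    if key is None or not hmac.compare_digest(sig, _sig(key, ddd, orig)):
        return "bad-signature", orig
    if (ddd - day_number(ts)) % 1000 > MAX_AGE_DAYS:
        return "expired", orig
    return "valid", orig


def classify_bounce(mail_from, rcpt_to, sender_domain="", exempt_domains=(), ts=None):
    """Mimic a 'Bounce Messages' rule: only null-sender (MAIL FROM:<>) mail is examined."""
    if mail_from not in ("", "<>"):
        return "not-a-bounce"
    status, _ = verify(rcpt_to, ts)
    if status == "valid":
        return "deliver"
    if status == "untagged" and sender_domain.lower() in exempt_domains:
        return "deliver-exempt"  # the per-domain exclusion suggested in the last reply
    return "quarantine-backscatter"
```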