We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Can I block invalid bounce or NDR messages on my Email Security Gateway? How?

  • Type: Knowledgebase
  • Date changed: 7 months ago

Solution #00003619

All Email Security Gateways, firmware versions 3.5.12 and above.

Starting with firmware versions 3.5.12, the Email Security Gateway is able to tag outgoing messages so that if they are blocked by a recipient, the corresponding bounce messages will be distinguishable from invalid bounce messages. The Email Security Gateway will then be able to allow the legitimate bounce messages and block the backscatter (for more information on backscatter, see Solution #00001720). This feature is called Invalid Bounce Suppression, and can be configured at the bottom of the Block/Accept > Sender Authentication page. Invalid Bounce Suppression is designed to reduce the number of bounce messages delivered to forged return addresses. Any bounce notice that does not include this tag will be blocked and recorded on the Basic > Message Log with a reason of Invalid Bounce.

In order to use Invalid Bounce Suppression, your Email Security Gateways must filter all of your incoming and outgoing email. You can accomplish this in one of three ways:

  • If you have just one inbound Email Security Gateway, configure Outbound Relay (for setup instructions, see Solution #00002087). Once this is enabled, the Email Security Gateway should see all mail traffic in both directions. This will allow it to tag outgoing emails and evaluate incoming bounce messages appropriately when Invalid Bounce Suppression has been enabled. Please note that this has the potential to significantly increase the load on your Email Security Gateway, and if the Email Security Gateway is already near its limit (depending on traffic volume and model number), directing new traffic through it may degrade performance. If you would like to upgrade your Email Security Gateway to take advantage of Invalid Bounce Suppression, please contact your Barracuda sales representative.
  • Use both inbound and outbound Email Security Gateways. If at least one dedicated outbound Email Security Gateway is filtering all outgoing mail (for more information on outbound Email Security Gateways, click here), it can be configured to work with inbound Email Security Gateways so bounce messages for outgoing messages will be recognized as legitimate by the incoming Email Security Gateways.
  • Configure Invalid Bounce Suppression for each of multiple clustered Email Security Gateways. If you are using only clustered inbound Email Security Gateways, you will need to configure Outbound Relay for at least one of them. If you are using a group of clustered inbound Email Security Gateways with one or more outbound Email Security Gateways, the Invalid Bounce Suppression settings must be the same for all of them.
After ensuring that your Email Security Gateway(s) will filter all of your mail traffic in both directions, follow these instructions for each Email Security Gateway to configure Invalid Bounce Suppression:
  • Navigate to the Block/Accept > Sender Authentication page of the Email Security Gateway's web interface.
  • Under the Invalid Bounce Suppression heading, set the Suppress Invalid Bounces option to Yes.
  • Enter a Bounce Suppression Shared Secret. A non-null password is required for Invalid Bounce Suppression to be active. Changing this password will cause bounce messages that were tagged with the old password to be rejected. Because of this, once it is set, changing this password is not recommended. This string should be alphanumeric, and if you are using multiple Email Security Gateways, it must be exactly the same for each Email Security Gateway. In a clustered environment, the Bounce Suppression Shared Secret will be synchronized across all Email Security Gateways in the cluster.
Additional Notes:
Email Security Gateway model 100s can be configured to use Outbound Relay (and Invalid Bounce Suppression), but in accordance with the limits of the model 100, only those users present under the Users tab will have their outgoing messages tagged (and thus be protected from invalid bounce messages).Email Security Gateway 100s cannot be used as dedicated outbound Email Security Gateways.

Link to This Page: