Backscatter in EOP

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Backscatter is non-delivery reports (also known as NDRs or bounce messages) that you receive for messages that you didn't send. Backscatter is caused by spammers forging (spoofing) the From address (also known as the 5322.From or P2 address) in their messages. Spammers will often use real email addresses as the From address to lend credibility to their messages. When spam is sent to a non-existent recipient, the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From address.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.

Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. But, we don't try to remove ourselves from the Backscatterer.org blocklist because (by their own admission) their list isn't a list of spammers.

Tip

The Backscatterer.org website (http://www.backscatterer.org/?target=usage) recommends using their service in Safe mode instead of Reject mode, because large email services almost always send some backscatter.