NDR storm between members of a distribution list in Exchange 2010/2007.

  • Article

I recently came across a very interesting issue that is affecting Exchange 2007 all versions but also Exchange 2010 all versions as well. We have the following scenario: a distribution list that has external contacts, we have set the option on the distribution list “Send delivery reports to message originator”, external contact has an issue with his email address and let’s assume an NDR is generated. An external user Dan sends an email to this distribution list and the NDR generated by the email address of the external contact John is sent to the whole distribution list and not only to Dan who initially sent the mail.

Why is that? The answer is quite straight forward. The Exchange server puts the email address of the distribution list in the return-path attribute of the message sent from the external contact.

Why does Exchange put the email of the distribution list in the return-path of the message? Well that’s another story.

It all started when send ID was implemented in Exchange 2007.As per RFC 4408 chapter 9.2. : “Mailing lists MUST comply with the requirements in [RFC2821], Section 3.10, and [RFC1123], Section 5.3.6, that say that the reverse-path MUST be changed to be the mailbox of a person or other entity who administers the list.” It is also stated that “Such lists that are entirely internal to a domain (only people in the domain can send to or receive from the list) are not affected.”

Here is an example to make things clearer:

We have a distribution list in the domain tailspintoys.com. This distribution list has the option set to “Send delivery reports to message originator”. We also have in this distribution list an external contact john@fourthcoffee.com. An external user dan@contoso.com sends an email to the distribution list that is in the tailspintoys.com domain. The Exchange server forwards the mail from Dan to all the recipients in the list and for the external contacts it puts the return-path with the tailspintoys.com domain. If Exchange would not do this modification, we would have in the return-path dan@contoso.com . The receiving mail server of the fourthcoffe.com domain would receive a mail from the contoso.com domain that was actually sent by the tailspintoys.com domain. We assume that the Exchange server is only authoritative only for its own domain, tailspintoys.com. In this case the mail will be rejected as it appears to be sent from the contoso.com domain but in fact it’s delivered by a server that is not authoritative for the domain.

The bad news is that this behavior will not be modified as we want to be compliant with RFC4408 concerning sender ID.

The good news is that we have a workaround. In order to not have the distribution lists address in the return-path you should set the option “Send delivery reports to group manager”. By choosing this option the email address of the manager of the distribution list will be in the return-path. To not send delivery reports to the distribution list manager changes the distribution list from a “list” to an “alias” as per [RFC1123] and [RFC2822].