preventing backscatter at the source

Steve Freegard steve.freegard at fsl.com
Fri Mar 28 20:12:16 GMT 2008


Hi Mark,

Mark Nienberg wrote:
> The solutions discussed in the "backscatter problem" thread are all 
> about preventing delivery of backscatter to our users.  Does anyone have 
> information on preventing my mail server from generating backscatter in 
> the first place?  I'd like to avoid sending bounce messages to innocent 
> victims of address spoofing.

Preventing backscatter from your own servers is easy, and the 
rule of thumb is "don't accept anything at the SMTP level that you are 
going to 'bounce' later". Off the top of my head, here's a list of the 
common causes that I can think of:

1)  Reject unknown recipients at the SMTP level

This will prevent the majority of backscatter and reduce the load on 
MailScanner significantly (usually between 20-60% in my experience).

2)  Don't run a secondary MX unless it is configured to reject exactly 
as the primary.

A secondary MX delivering to the primary MX, which does an SMTP rejection, 
will cause the secondary MX to 'bounce' the message, which is backscatter.

3)  Don't do any form of Challenge/Response, don't allow Out-of-Office 
replies to the internet or run any form of e-mail auto-responder.

These will all respond to the sender, which could be forged. These 
would be acceptable if SPF=PASS or with a valid DKIM/DK signature or 
sent from an IP with fcRDNS or an MX from the same domain as the from 
address (e.g. spf-best-guess='v=spf1 a ptr mx').

4)  Only send MailScanner notices to the recipient and not the sender.

If we can get a good list together, this is definitely worth adding to 
the Wiki.

Cheers,
Steve.
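
Added example, not part of the original post: a Python sketch of the gate described in point 3, allowing an auto-response only when the receiving MTA recorded SPF or DKIM as pass in an Authentication-Results header. The authserv-id `mx.example.org`, the function names, the null-sender check and the requirement that the passing identity match the envelope sender's domain are assumptions of this example; the fcRDNS and MX checks from the post are not covered.

```python
import re
from email import message_from_string, policy

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: our border MTA's authserv-id

def domain_of(value):
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def verified_methods(raw_message, sender_domain):
    """Return the methods (spf, dkim) our own MTA recorded as pass for sender_domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", str(header))  # strip comments
        authserv, *results = [part.strip() for part in value.split(";")]
        # Ignore results stamped by anyone else; the border MTA must also
        # strip inbound headers that claim our authserv-id.
        if not authserv or authserv.split()[0].lower() != TRUSTED_AUTHSERV:
            continue
        for res in results:
            m = re.match(r"(spf|dkim)\s*=\s*pass\b", res, re.I)
            if not m:
                continue
            method = m.group(1).lower()
            key = "smtp.mailfrom" if method == "spf" else "header.d"
            prop = re.search(re.escape(key) + r"\s*=\s*(\S+)", res, re.I)
            # Assumption: the passing identity must match the domain we would reply to.
            if prop and domain_of(prop.group(1)) == sender_domain:
                passed.add(method)
    return passed

def may_autorespond(raw_message, envelope_from):
    """True only when a reply to envelope_from should not become backscatter."""
    if envelope_from.strip() in ("", "<>"):
        return False  # null return path: never auto-reply to a bounce
    return bool(verified_methods(raw_message, domain_of(envelope_from)))

# Constructed sample messages (not real traffic).
BODY = "From: a@example.com\r\nSubject: hello\r\n\r\nhi\r\n"
GENUINE = ("Authentication-Results: mx.example.org; spf=pass "
           "smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com\r\n" + BODY)
FORGED = ("Authentication-Results: mx.example.org; spf=fail "
          "smtp.mailfrom=victim@example.net; dkim=none\r\n" + BODY)
INJECTED = ("Authentication-Results: relay.other.example; spf=pass "
            "smtp.mailfrom=victim@example.net\r\n" + BODY)
```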