preventing backscatter at the source
Mark Nienberg
gmane at tippingmar.com
Sat Mar 29 00:07:40 GMT 2008
Steve Freegard wrote:
> 1) Reject unknown recipients at the SMTP level
OK, sendmail does this by default. I was worried that my MailScanner/sendmail server
generated bounce messages for unknown users, but now I see that sendmail simply
rejects the message during the SMTP session, so there is no problem here.
> 2) Don't run a secondary MX unless it is configured to reject exactly
> as the primary.
> A secondary MX delivering to the primary MX which does an SMTP rejection
> will cause the secondary MX to 'bounce' the message which is backscatter.
Uh oh, this is a bit harder. I have my ISP functioning as my secondary MX, so it
really isn't under my control. I guess I could ask them if they use milter-ahead or
some other method.
> 3) Don't do any form of Challenge/Response, don't allow Out-of-Office
> replies to the internet or run any form of e-mail auto-responder.
> As these will all respond to the sender which could be forged. These
> would be acceptable if SPF=PASS or with a valid DKIM/DK signature or
> sent from an IP with fcRDNS or an MX from the same domain as the from
> address (e.g. spf-best-guess='v=spf1 a ptr mx').
I caved to popular demand (and PHB) and set up Out-of-office for my users, but I
discourage its use and I tried pretty hard to avoid the common pitfalls. It will not
respond if SPF_FAIL or SPF_SOFTFAIL triggered on the incoming message, but I have not
gone the extra step of requiring SPF_PASS due to the somewhat limited penetration of
SPF. Maybe I should start experimenting with the DKIM plugin. I haven't tried that yet.
> 4) Only send MailScanner notices to the recipient and not the sender.
I think I am notifying senders of blocked filenames and filetypes and password-
protected zip files. Maybe this is a throwback to more innocent times. Should I
turn these off and never ever notify a sender?
Thanks for the info!
Mark Nienberg
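As an added illustration (not code from either poster or from MailScanner), the gate in point 3 and Mark's current Out-of-Office rule can be written side by side as two decision functions over the authentication facts the MTA already has; the input names (SpfResult, InboundAuth and its fields) are assumptions for this example, and the null-reverse-path check is standard auto-responder practice, not something the thread spells out.

```python
from dataclasses import dataclass
from enum import Enum


class SpfResult(Enum):
    PASS = "pass"
    NEUTRAL = "neutral"
    NONE = "none"          # sender domain publishes no SPF record
    SOFTFAIL = "softfail"
    FAIL = "fail"


@dataclass(frozen=True)
class InboundAuth:
    """Facts about one inbound message, as the MTA/filter already knows them."""
    envelope_sender: str   # MAIL FROM; "" is the null reverse-path, i.e. a bounce
    spf: SpfResult         # connecting IP checked against the sender domain's SPF
    dkim_valid: bool       # carries a DKIM/DomainKeys signature that verifies
    fcrdns: bool           # connecting IP has forward-confirmed reverse DNS
    ip_is_sender_mx: bool  # connecting IP is an MX of the sender's domain
                           # (the 'mx' mechanism of spf-best-guess 'v=spf1 a ptr mx')


def _never_reply_to(auth: InboundAuth) -> bool:
    # Both policies refuse bounces and messages whose SPF says the source is forged.
    return (auth.envelope_sender == ""
            or auth.spf in (SpfResult.FAIL, SpfResult.SOFTFAIL))


def lenient_policy(auth: InboundAuth) -> bool:
    """Mark's rule: suppress only on SPF fail/softfail; everything else gets a reply."""
    return not _never_reply_to(auth)


def strict_policy(auth: InboundAuth) -> bool:
    """Steve's rule: reply only when there is positive evidence the sender is genuine."""
    if _never_reply_to(auth):
        return False
    return (auth.spf is SpfResult.PASS or auth.dkim_valid
            or auth.fcrdns or auth.ip_is_sender_mx)


# Constructed sample: a forged sender whose domain publishes no SPF record at all.
FORGED = InboundAuth("victim@example.com", SpfResult.NONE, False, False, False)


def policies_disagree(auth: InboundAuth) -> bool:
    """True where the lenient gate would emit backscatter the strict gate would not."""
    return lenient_policy(auth) and not strict_policy(auth)
```

The sample FORGED message is exactly the gap Mark describes: with no SPF record there is no SPF_FAIL to trigger on, so the lenient gate replies to a forged address while the strict gate stays silent.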