preventing backscatter at the source

Steve Freegard steve.freegard at fsl.com
Sat Mar 29 01:18:12 GMT 2008


Mark Nienberg wrote:
>> 3)  Don't do any form of Challenge/Response, don't allow Out-of-Office 
>> replies to the internet or run any form of e-mail auto-responder, 
>> as these will all respond to the sender, which could be forged. These 
>> would be acceptable if SPF=PASS or with a valid DKIM/DK signature or 
>> sent from an IP with fcRDNS or an MX from the same domain as the from 
>> address (e.g. spf-best-guess='v=spf1 a ptr mx').
> 
> I caved to popular demand (and PHB) and set up Out-of-office for my 
> users, but I discourage its use and I tried pretty hard to avoid the 
> common pitfalls.  It will not respond if SPF_FAIL or SPF_SOFTFAIL 
> triggered on the incoming message, but I have not gone the extra step of 
> requiring SPF_PASS due to the somewhat limited penetration of SPF. Maybe I 
> should start experimenting with the DKIM plugin.  I haven't tried that yet.

Most admins face the same problem with out-of-office replies and you're 
doing more than most with regards to preventing backscatter for those 
that have configured their domains well (e.g. with SPF or sensible DNS).

>> 4)  Only send MailScanner notices to the recipient and not the sender.
> 
> I think I am notifying senders of blocked filenames and filetypes and 
> password protected zip files.  Maybe this is a throwback to more 
> innocent times.  Should I turn these off and never ever notify a sender?

Up to you - I would personally only notify the recipient as they can 
contact the sender manually if they actually need the file, it really 
depends on your policies.

Cheers,
Steve.
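The gating rule discussed in this thread (auto-respond only when the sender can be verified: SPF pass, a DKIM pass, or the connecting IP matching the sender domain's A, PTR or MX as in the 'v=spf1 a ptr mx' best guess, and never on SPF fail/softfail) is shown below as an added example. It is not code from this thread, from MailScanner or from its SPF/DKIM plugins; it parses Received-SPF and Authentication-Results headers as commonly written by upstream filters, and the DNS answers are a constructed in-memory table (the FAKE_DNS dictionary) standing in for real lookups so the example runs offline.

```python
import re

# Constructed DNS data (assumption: stands in for real A/MX/PTR lookups).
FAKE_DNS = {
    "mx": {"example.org": ["mail.example.org"]},
    "a": {"mail.example.org": ["192.0.2.25"], "example.org": ["192.0.2.10"]},
    "ptr": {"192.0.2.25": ["mail.example.org"]},
}


def forward_confirmed_rdns(ip, dns=FAKE_DNS):
    """fcRDNS: return the PTR name of ip whose A record resolves back to ip, else None."""
    for name in dns["ptr"].get(ip, []):
        if ip in dns["a"].get(name, []):
            return name
    return None


def best_guess_spf(ip, sender_domain, dns=FAKE_DNS):
    """Approximate 'v=spf1 a ptr mx' for a domain that publishes no SPF record.

    a:   the connecting IP is an A record of the sender domain
    mx:  the connecting IP is an A record of one of the domain's MX hosts
    ptr: the connecting IP has a forward-confirmed PTR name inside the domain
    """
    if ip in dns["a"].get(sender_domain, []):
        return True
    for mx in dns["mx"].get(sender_domain, []):
        if ip in dns["a"].get(mx, []):
            return True
    name = forward_confirmed_rdns(ip, dns)
    if name and (name == sender_domain or name.endswith("." + sender_domain)):
        return True
    return False


def may_autorespond(headers, client_ip, sender_domain, dns=FAKE_DNS):
    """Decide whether an out-of-office reply may be sent to this message.

    headers: dict of header name -> value as left by the upstream filters.
    Returns (decision, reason) so the reason can be logged.
    """
    # Bounces and other notifications use an empty reverse path; never answer them.
    if not sender_domain:
        return False, "null sender"

    # Received-SPF's first token is the result: pass, fail, softfail, neutral, none ...
    tokens = headers.get("Received-SPF", "").strip().split()
    spf = tokens[0].lower() if tokens else ""
    if spf in ("fail", "softfail"):
        return False, "spf " + spf
    if spf == "pass":
        return True, "spf pass"

    # Authentication-Results (RFC 5451/7001) carries the DKIM verdict.
    if re.search(r"\bdkim=pass\b", headers.get("Authentication-Results", "")):
        return True, "dkim pass"

    # Domain with no usable SPF result: fall back to the a/ptr/mx best guess.
    if best_guess_spf(client_ip, sender_domain, dns):
        return True, "best-guess spf"
    return False, "sender not verified"


if __name__ == "__main__":
    # Constructed sample: no SPF header, but the client is the domain's MX host.
    print(may_autorespond({}, "192.0.2.25", "example.org"))
```

A neutral or none SPF result deliberately falls through to the best-guess check rather than being treated as a pass, and the reason string is returned so that refused auto-replies can be counted in the mail log.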


More information about the MailScanner mailing list