preventing backscatter at the source

[Steve Freegard]

Mark Nienberg wrote:
>> 3)  Don't do any form of Challenge/Response, don't allow Out-of-Office 
>> replies to the internet or run any form of e-mail auto-responder.
>> As these will all respond to the sender which could be forged. These 
>> would be acceptable if SPF=PASS or with a valid DKIM/DK signature or 
>> sent from an IP with fcRDNS or an MX from the same domain as the from 
>> address (e.g. spf-best-guess='v=spf1 a ptr mx').
> 
> I caved to popular demand (and PHB) and set up Out-of-office for my 
> users, but I discourage its use and I tried pretty hard to avoid the 
> common pitfalls.  It will not respond if SPF_FAIL or SPF_SOFTFAIL 
> triggered on the incoming message, but I have not gone the extra step of 
> requiring SPF_PASS due the somewhat limited penetration of SPF. Maybe I 
> should start experimenting with the DKIM plugin.  I haven't tried that yet.

Most admins face the same problem with out-of-office replies and you're 
doing more than most with regards to preventing backscatter for those 
that have configured their domains well (e.g. with SPF or sensible DNS).

>> 4)  Only send MailScanner notices to the recipient and not the sender.
> 
> I think I am notifying senders of blocked filenames and filetypes and 
> password protected zip files.  Maybe this is a throwback to more 
> innocent times.  Should I turn these off and never ever notify a sender?

Up to you - I would personally only notify the recipient as they can 
contact the sender manually if they actually need the file, it really 
depends on your policies.

Cheers,
Steve.