Preventing backscatter with sendmail

Steve Freegard steve.freegard at
Wed Jan 21 19:02:38 GMT 2009

Kai Schaetzl wrote:
> Steve Freegard wrote on Wed, 21 Jan 2009 15:04:59 +0000:
>>> I haven't followed this thread much, but would this work alongside or
>>> instead of something like milter-null?
>> It would work alongside milter-null, scam-backscatter is simply a
>> recipient call-ahead milter.
> e.g. it is meant to prevent *yourself* from creating backscatter not from 
> incoming backscatter. I think the name of this milter is rather confusing.

Yes - I agree.

I also suspect that due to the name - people will think of this milter
as some sort of 'silver-bullet' to prevent backscatter emanating from
their host which would be a bad assumption.

Rejecting invalid recipients on a gateway machine is a good start; but
the administrator has to actually make sure the back-end hosts that
actually receive the call-aheads isn't accept-then-bounce (e.g. it
accepts all the recipients and the entire message then sends a DSN after
the message has been accepted - *cough*Exchange 5.5*cough*) as in this
case this milter would be no help; in fact it would actually reduce the
efficiency of the gateway as it would carry on doing call-aheads even if
the back-end doesn't reject invalid recipients based upon the
documentation (see milter-aheads 'is-blind-mx' tests for an example of
how to do this right).

Many domains mail servers do not reject invalid recipients correctly:

[root at mail ~]# ./
Found 382 domains; pass=4 (1.05%), fail=378 (98.95%)

pass = servers that reject invalid recipients
fail = servers that accept all recipients

Note that the 'fail' statistics could also count domains with
'catch-all' accounts.


More information about the MailScanner mailing list