[nSLUG] Whither to bounce unknown recipient address?

Ian Campbell ian at slu.ms
Thu Aug 30 13:38:12 ADT 2007


On Thu, Aug 30, 2007 at 01:16:15PM -0300, D G Teed wrote:
> I read the postfix backscatter readme today.
> 
> http://www.postfix.org/BACKSCATTER_README.html
> 
> Up until now it seemed like a good idea to always bounce
> undeliverable email, so people can realize their typos.
> But this seems to be a spammer technique to deliver
> via forged from addresses.
> 
> I'll have to convince people setting
> 
>    unknown_local_recipient_reject_code = 550
> 
> in postfix is a good idea.
> 
> How many of you use this (or similar) in your MX server?

I do.

The bigger problem is spam/virus scanning. With Postfix, you get the
option of before-queue or after-queue content filtering. Before-queue
lets you bounce spam/virus emails properly (... hopefully WITHOUT the
virus, man I hate those virus gateways that bounce with
attachments...) during the SMTP transaction. That only works for
relatively low-traffic sites though, otherwise you get a pretty
significant bottleneck.

After-queue filtering is better from a reliability perspective, except
that it means you can't bounce the emails, since there's no good way
to send a bounce... which leaves you with dropping it silently or
quarantining it.

As Dop pointed out, it's easier to do as much filtering as you can up
front, bonus points if it's 'cheap' filtering. Sender verification is
a good start. Checking SPF/DKIM is a good idea too.

Depending on how comfortable you are with it, RBLs and RFC strictness
are also a good idea. Personally, I don't really trust most RBLs, but
they're right enough that I want to use them... so anything that gets
a hit in an RBL I greylist.

I do other simple checks as well. I reject anyone pretending to be my
server. I reject servers that send broken HELO/EHLOs, domains it
doesn't know about, domains that don't exist.

I run body checks that block emails with executable attachments. I
greylist anything that looks like a dynamic ip (four or more .s or -s
in the hostname, or anything that matches an ugly, ugly regex) or
anything that doesn't resolve.

Anything that makes it through that goes to regular filtering.

... and it seems to work pretty well so far.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://nslug.ns.ca/mailman/private/nslug/attachments/20070830/f02dc25d/attachment-0002.pgp>


More information about the nSLUG mailing list