Fighting Spam Backscatter

Short version: My mailing list server no longer generates bounce messages for unknown accounts, thus eliminating the email backscatter it used to generate.

Longer version:

I have a host set up exclusively for running mailing lists using Mailman, and battling spam has been quite a burden. I finally 'gave up' and made all the lists "members only". Luckily that is possible with the email lists being run there; if I had any open mailing lists, I wouldn't have been so lucky. The result of this change was that it eliminated all spam, and I was able to disable SpamAssassin and the other measures that had been put in place. SpamAssassin had been using more and more CPU time and was letting more and more spam through.

That was a few years ago.

However, the problem then became spam backscatter. Spammers were sending to nearly every possible username in hopes of getting through. Each of these attempts resulted in a bounce message being sent to the (forged) email address the attempt claimed to come from. It got to the point where 99% of the email traffic on the machine was these bounces. The host was occasionally being blocked as punishment for generating so many bounces. Zero of these bounces were "real", i.e. every bounce was going to an address that didn't actually send the original message and didn't care about the contents of the bounce message.

These unwanted bounce messages are called "Spam Backscatter".

My outgoing mail queue was literally filled with these bounce messages, being re-tried for weeks until Postfix would give up. I changed Postfix to delete them after a shorter amount of time, but the queue was still getting huge.

This weekend I updated the system's configuration so that it just plain doesn't generate bounces to unknown addresses on the machine. While this is something you absolutely shouldn't do for a general-purpose email server (people mistyping the addresses of your users would get very confused), doing this on a highly specialized machine makes sense.

I can now proudly say that for the last 48 hours the configuration has worked well. The machine is no longer a source of backscatter pollution on the internet. The mail queue is empty. It's a shame my other mail servers can't benefit from this technique.


Never generate a bounce, but feel free to reject 4xx or 5xx at SMTP time. That's how you deal with email to non-existent addresses. If you send mail to a wrong address, then "550 5.1.1 : Recipient address rejected: User unknown" is a perfectly valid response.

In this case you're not sending backscatter; you're refusing the email. (Bad mail relays may backscatter, but that's their problem, not yours.)

You need to teach your gateways about every valid address (I have a script that does this; I should convert it to ansible), but this is better than just /dev/null'ing bad email.
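Rejecting at SMTP time, as this comment describes, only works if Postfix knows every address the Mailman host accepts. The script below is an added example, not the commenter's script or anything from the post: it builds a recipient map from Mailman list names and prints the main.cf lines that make Postfix answer RCPT TO for an unlisted address with a 550 instead of accepting the message and bouncing it later. It assumes Mailman 2.x alias suffixes, a constructed domain lists.example.com, and that the list domain is handled as a Postfix relay domain.

```shell
#!/bin/sh
# Build a Postfix relay_recipient_maps source file from Mailman list names so
# that unknown recipients are refused during the SMTP session ("550 5.1.1
# User unknown") rather than accepted and turned into backscatter.
# Assumptions: Mailman 2.x alias suffixes; list names arrive one per line on
# stdin; the list domain below is a constructed example value.

LIST_DOMAIN="${LIST_DOMAIN:-lists.example.com}"

# valid_addresses: for each list name on stdin, print every Mailman alias address.
valid_addresses() {
    while read -r name; do
        [ -n "$name" ] || continue
        for suffix in "" -admin -bounces -confirm -join -leave -owner -request -subscribe -unsubscribe; do
            printf '%s%s@%s\n' "$name" "$suffix" "$LIST_DOMAIN"
        done
    done
}

# recipient_map: emit "address OK" lines in the format postmap(1) expects.
recipient_map() {
    valid_addresses | sed 's/$/ OK/'
}

# postfix_settings: main.cf lines that make Postfix consult the map at RCPT TO
# and reject anything not listed (assumes the list domain is a relay domain).
postfix_settings() {
    cat <<EOF
relay_domains = $LIST_DOMAIN
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_reject_unlisted_recipient = yes
unknown_relay_recipient_reject_code = 550
EOF
}

# is_valid_recipient ADDRESS MAPFILE: exit 0 if the address is in the map
# (Postfix would accept), 1 if it is not (Postfix would answer 550).
is_valid_recipient() {
    grep -qiFx "$1 OK" "$2"
}

# Stand-alone demo with constructed list names: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'sysadmin\nbook\n' | recipient_map
    postfix_settings
fi
```

Run the generated file through postmap and reload Postfix whenever a list is created or removed, otherwise mail to a new list is refused until the map catches up. If the list domain is in mydestination instead, the same idea applies through local_recipient_maps and unknown_local_recipient_reject_code.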

Exactly what he said. General practice for the past few years has moved ever more to rejecting emails while on the line w/ the sender, and trying very hard to avoid sending bounces for unknown addresses, and the like.
