Weblog entry #34 for lee
See all weblog entries made by lee.
One of the primary pieces of advice given to mail administrators regarding backscatter is "reject mail during the SMTP transaction rather than accepting the mail and generating a DSN (bounce)".
It's solid advice to be sure, but it breaks down in situations when mail is accepted by one system to be forwarded on to system with a stricter criteria for message acceptance. The two main scenarios are "dumb" secondaries and primaries that rewrite certain addresses that get forwarded on to remote systems with, for example, different policies regarding spam filtering. For the purposes of backscatter these are essentially the same thing.
Both of these scenarios are quite common but, since they complicate matters, their usefulness is routinely denied by the advocates of various email spam-control schemes. Secondaries are frequently deemed unnecessary because the internet is "more reliable these days" (hah!).
"Dumb" secondaries (secondaries that accept mail without performing the same acceptance checks as primaries) are commonly found on low profile machines not specced-out for the needs of mail filtering. It's not unusual, in my experience, for two companies on different networks to reciprocally host a box installed for the purpose of secondary MX and secondary DNS. It's also common for sites to use secondaries provided by a third-party, such as their upstream network provider.
(And I'd note that there are major email providers out there generating bounce messages on their secondaries, it's not just dusty legacy setups.)
So if I'm administering a machine using a secondary out of my administrative control, I usually put in an exception in my transaction ACLs to blindly accept mails from secondaries in order to prevent them from generating DSNs (and possibly filling their queues with undeliverable bounces).
But then I'm faced with dealing with how to suppress the bogus DSNs.
My exim-fu is weak, and I don't know how to avoid generating bounces for bogus mail that has already been accepted. I'm not sure if any of the ACL rules can actually apply to internally generated DSN mail.
If there's an elegant solution, I don't know it yet.
My solution in the mean-time is just to write custom routers for common scenarios.
Using the split config, I place custom routers after the local delivery routers, but before the remote delivery routers, e.g. /etc/exim4/conf.d/router/188_local_drop_backscatter .
I then use "match" regexps against $message_body . $message_body, by default, is the first 500 bytes of the message body - this is usually enough to capture the rejection explanation at the top, but if you want to match something from the headers of the rejected mail you may need to set something like "message_body_visible = 2000" in the main section of the exim config.
In the following example, assume your server doesn't have virus scanning, but you forward mail to one that does. I've taken the decision here that a scenario in which a bounce message contains "This message contains a virus" (the rejection message from the remote site) near the top of the message body will not be delivered to the listed recipient, but will instead be dropped.
drop_backscatter_virus:
debug_print = "R: drop_backscatter_virus for $local_part@$domain"
driver = redirect
senders = :
domains = ! +local_domains : ! +relay_to_domains
data = :blackhole:
condition = "${if \
match{$message_body}{This message contains a virus} {true} \
}"
allow_defer
allow_fail
I suppose this approach can be further enhanced by customizing bounce messages to include matchable hints.
Comments on this Entry
At the moment I've resorted to turning Exim4 off, while I look for a filtering solution. I'm still picking up my gmail email so I'm not cut off from civilisation.
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
This entry is only concerned with preventing backscatter being generated on forwarders and secondaries.
In terms of dealing with receipt of backscatter bounces, I do use an Exim-based filter, but at the user level. This just splits out bounces into boxes for later processing rather than having them hit my inbox.
This takes all null-return addressed mail and filters it into one of three boxes. One for known backscatter based on the address used; one for mails that can be recognised as fairly standard bounces, and one for bounces with unrecognised properties.
Also note, this doesn't catch backscatter from domains that don't use a null return path. I recommend just blacklisting domains that send bounces in this way.
## handle bounces
if $return_path is ""
then
if $h_To: contains "address.no.mail.is.sent.from@example.com"
or $h_To: contains "other.unused.address@example.com"
then
save bounce-forged/
else
if $h_Content-Type: contains "delivery-status"
or $h_Subject: contains "failure notice"
or $h_Subject: contains "Mail delivery failed:"
or $h_Subject: contains "Mail System Error - Returned Mail"
or $h_Subject: contains "Undeliverable"
or $h_Subject: contains "Returned mail: Service unavailable"
then
save bounce/
else
save bounce-unknown/
endif
endif
finish
endif
[ Parent | Reply to this comment ]
[ Send Message | View Weblogs ]
The folks saying they are mostly worse than useless are right!
Best single change I ever made was removing all the brainless secondary servers from our email config. It only took one SQL query!
You must generate DSN or risk unreliable email. To only send DSN on non-spam you'd need a 100% reliable way to identify spam, and if you had one of those you wouldn't be asking the question would you.
Folks who silently drop email when someone mistypes an email address, should consider giving up email admin - hotmail may have an opening for folk who don't think reliable email delivery (or non-delivery) is important.
If you must have a secondary (do give us the reason for why you think you need one), things like Postfix make it relatively easy to maintain a cache of working addresses on the secondary so you can validate addresses easily. I dare say Exim can be made to do something similar, or just rsync the relevant files every 5 minutes.
The fact that lots of folk generate spurious spam bounces is no excuse, loads of folk litter public spaces, you don't have to do it.
I agree the situation with forwarding email to servers outside your control is more difficult, and my own problem since my employer hosts many websites and the email for those domain is often forwarded to the owners email address. Yes we generate too many DSN for spam, but I've worked hard to try and mitigate this, and I bet I have less spurious queued messages for several thousand domains, then any admin who runs a dumb secondary for a typical single domain.
Have you looked at the proportion of ham to spam received by secondary servers compared to the primary (assuming the primary mail server is even vaguely reliable)?
[ Parent | Reply to this comment ]