Why you should reject mail to nonexistent users

This story tells how spammers deliberately use big companies' mail servers to deliver their e-mails:

Joe-job spammers shift tactics to evade filters | The Register

The thing is, that wouldn't be possible if the big company's e-mail server rejected mail to nonexistent users during the SMTP session instead of accepting it and bouncing it afterwards…

12 Responses to “Why you should reject mail to nonexistent users”

  1. Karlston Says:

    Remember that there are legitimate emails that are for whatever reason undeliverable (mistyped username, sent to a person who has left,…). These should be bounced so the sender is aware that the email has not been delivered.

    I agree that spam should be rejected and not bounced, but then the companies need to be able to accurately distinguish between spam and legitimate emails. If they accidentally rejected a legitimate email as spam, so the sender wasn't aware, it could have major repercussions for the company.

    I'm a former Blue Security member who receives a gazillion joe-job bounces, and I'd much prefer that the companies that bounce them to me would instead detect them as spam and reject them. But unfortunately, it's better to bounce all than accidentally reject one legitimate email.

    BTW, am enjoying your postings…

  2. Administrator Says:

    To Karlston,

    Let’s say you sent an e-mail to a mistyped address. If the company rejects e-mail to nonexistent users, you’d get an immediate bounce from your own mailserver. If they bounce mail to nonexistent users, you’d get a bounce from their mailserver, but it would come a little later than if they rejected mail.

    So your premise is flawed. You think rejecting means dropping on the floor. That’s not what this is about. Suppressing bounces means dropping on the floor, rejecting does not.

    That’s exactly why I say they should reject mail to nonexistent users. Actually, some mail servers will reject mail they think are spammy as well, and the senders will get immediate notification.
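An added example (not from the blog post or its comments) that models the Administrator's point: where the failure notice ends up when the receiving server answers 550 at RCPT TO, versus accepting the message and generating a bounce afterwards. All hosts, domains and addresses are constructed.

```python
# Added illustration; hosts and addresses below are constructed, not real.
from dataclasses import dataclass, field

@dataclass
class Mta:
    name: str
    local_users: set
    reject_unknown: bool        # True: 550 at RCPT TO; False: accept, then send a DSN
    outbox: list = field(default_factory=list)   # failure notices this host generates

    def rcpt(self, recipient):
        """SMTP reply code to RCPT TO for an address in this host's domain."""
        if self.reject_unknown and recipient not in self.local_users:
            return 550          # "User unknown": nothing accepted, nothing queued
        return 250

    def end_of_data(self, envelope_from, recipient):
        """After DATA: deliver, or build a DSN to whatever was in MAIL FROM."""
        if recipient in self.local_users:
            return "delivered"
        self.outbox.append(("dsn", envelope_from))   # the backscatter path
        return "bounced"

def transaction(client, server, envelope_from, recipient):
    """One SMTP session, as the sending MTA `client` sees it."""
    if server.rcpt(recipient) == 550:
        # Failure is synchronous: the sender's own MTA notifies its own
        # submitter, and the receiving server generates nothing at all.
        client.outbox.append(("local-bounce", envelope_from))
        return "rejected"
    return server.end_of_data(envelope_from, recipient)

def notices_for(address, *mtas):
    """Failure notices, across the given MTAs, addressed to `address`."""
    return [(m.name, kind) for m in mtas for kind, to in m.outbox if to == address]

def run_scenarios(reject_unknown):
    bigco = Mta("bigco.example", {"bob@bigco.example"}, reject_unknown)
    corp = Mta("corp.example", {"alice@corp.example"}, reject_unknown)
    zombie = Mta("zombie", set(), True)      # spam bot; it discards its own outbox
    # 1. Legitimate mail from Alice with a typo in the recipient address.
    typo = transaction(corp, bigco, "alice@corp.example", "bbo@bigco.example")
    # 2. Joe-job: the bot forges an innocent third party as the envelope sender.
    joe = transaction(zombie, bigco, "member@victim.example", "nobody@bigco.example")
    alice_gets = notices_for("alice@corp.example", corp, bigco)
    victim_gets = notices_for("member@victim.example", corp, bigco)  # zombie excluded
    return typo, joe, alice_gets, victim_gets
```

With `reject_unknown=True` Alice still learns about her typo (from her own server), while the forged victim receives nothing; with `reject_unknown=False` both notices are generated by bigco.example, and the joe-job one is pure backscatter.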

  3. jn Says:

    This tactic is nothing new but will possibly be used more and more. Few companies will fix their mailserver before their server is used by the spammers.
    Large companies often have external mailservers relaying the mail to an internal Exchange environment, and the external servers do not know which internal users exist or not.

    The fix is not easy on Exchange 2000 servers since it accepts all mail and later sends a Non Delivery Report for nonexistent users. Fronting the Exchange server with a Postfix server and exporting all users to that server is one solution, see http://www-personal.umich.edu/~malth/gaptuning/postfix/ for a way to export the users.
    On Exchange 2003 there is an option for rejecting mail to nonexistent users, enable “Filter recipients who are not in the Directory” in the Recipient Filtering tab of the Message Delivery object.

  4. jn Says:

    “companies are already starting to turn off their bounce back messages” is a very bad solution.
    Dropping the messages means that people who spell an address wrong will not get a message that the message was never delivered.
    If a correct reject "unknown user" message is sent directly at delivery time it is up to the sending MTA to deliver this notice back to the sender.

  5. Lemat Says:

    jn, postfix has an option that makes it possible to check whether the recipient on an external (I mean external != localhost) mailserver is valid or not. There is no need to import the list of valid users from Exchange.
    So it is possible without much work to replace bounces with rejects. Unfortunately many postmasters do not know much about their systems, and do horrible things. The setup that was good ten years ago is currently not acceptable.
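An added example (not from the comments, and not Postfix's own code) modelling the two front-end approaches jn and Lemat describe: answering RCPT TO from a static recipient map exported from the backend, versus probing the backend live and caching the answer. The backend, the cache TTL and the fake clock are constructed for the illustration.

```python
# Added model of a front-end relay's RCPT TO decision; everything here is constructed.
import time

class Backend:
    """Stand-in for the internal (Exchange-style) server that knows the real user list."""
    def __init__(self, users):
        self.users = set(users)
        self.probes = 0          # how often the front end had to ask us
    def rcpt(self, address):
        self.probes += 1
        return 250 if address in self.users else 550

def export_recipient_map(backend):
    """jn's approach: snapshot the backend's users into a static relay map."""
    return {u: "OK" for u in backend.users}

def front_rcpt_static(address, relay_map):
    """RCPT TO answer from the exported map; stale until the next export."""
    return 250 if address in relay_map else 550

class ProbeCache:
    """Lemat's approach: probe the backend and remember the answer for `ttl` seconds."""
    def __init__(self, backend, ttl, clock=time.monotonic):
        self.backend, self.ttl, self.clock, self.entries = backend, ttl, clock, {}
    def front_rcpt(self, address):
        now = self.clock()
        code, expires = self.entries.get(address, (None, 0.0))
        if code is None or now >= expires:
            code = self.backend.rcpt(address)           # live RCPT TO probe
            self.entries[address] = (code, now + self.ttl)
        return code

def demo():
    """Bob leaves the company: compare how each front end answers over time."""
    bob = "bob@bigco.example"
    backend = Backend([bob])
    relay_map = export_recipient_map(backend)
    now = [0.0]                                          # fake clock, seconds
    cache = ProbeCache(backend, ttl=60, clock=lambda: now[0])
    before = (front_rcpt_static(bob, relay_map), cache.front_rcpt(bob))
    backend.users.remove(bob)                            # account deleted on the backend
    now[0] = 30.0
    during = (front_rcpt_static(bob, relay_map), cache.front_rcpt(bob))   # both still 250
    now[0] = 61.0
    after = (front_rcpt_static(bob, relay_map), cache.front_rcpt(bob))    # map stale, probe 550
    return before, during, after, backend.probes
```

The static map keeps accepting Bob's mail until someone re-exports it (so the backend will NDR it), while the probe cache corrects itself once its entry expires, at the cost of one extra backend probe.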

  6. GoD Says:

    Fuck you

  7. Tortanick Says:

    Why not modify bounce messages? Say this address does not exist, but don't copy the message in the bounce, so spammers can't bounce adverts?

  8. Lemat Says:

    @Tortanick: Currently I'm dealing with 6000 hosts just trying to deliver me bounces for messages that I have never sent (joe-job). Do YOU want me to redirect this traffic to you?

  9. IncrediBILL Says:

    This is OLD news as I’ve been fighting this for a couple of years now and it got so bad that one server ground to a halt doing nothing but processing bounce mail all day long so we killed all outbound mail queues, too much junk to deal with [thousands] to worry about a handful of real emails, and then set REJECT server-wide for undeliverables.

    Problem went away and never came back.

    I noticed a few weeks back I had a few new domains on a new server set up wrong and there were about 150 outbound emails always pending for domains that never use wmail. I posted about setting them all to reject and the problem vanished as expected.

  10. Miles Says:

    Yet another argument to issue SMTP reject errors instead of accepting then generating bounces: it's a helluva lot cheaper. Your mail server just has to return 1 line of text in the reject case, whereas in the accept-then-bounce case it has to
    - generate the bounce,
    - queue it,
    - look up the bounce address domain's MX,
    - try connecting to it (many won't be valid, thus this step is painful),
    - and transmit the bounce.

  11. James Blond Says:

    This is all nice and sound, and I'm all for it, except for one thing: do we really want spammers to instantly get hold of a very easy way to map out (i.e. validate) our domains? Do we want them to be able to gather the list of all our real recipients? After all, we always cut VRFY out of our smtp server.
    Oh, and also please don't tell me about typos in email addresses: if they aren't even able to write down the correct string, or use a real email client (they have incredibly simple to use address books and stuff) to send messages, then they surely don't deserve a bounce from me.
    Where does all this lead? The perfect solution: accept all mail for our domains, deliver it if it's for valid recipients and do NOT bounce anything for unknown users. What's so hard? I fail to understand why this policy isn't easier (or even possible at all in some cases) to enforce on modern MTAs.
    And if you begin the usual reasoning about wasted bandwidth for instance, what's stopping us from dropping the DATA stream after a few kB when the recipient is not valid, and then if the spammer tries again, pretend we only accept 10 kB messages? Some intelligence in the MTA is not going to kill anybody… And, finally, RFCs were good years ago, now they must be tweaked a bit, as the environment changed.

  12. Lemat Says:

    @007, spammers don't care about whether an email is valid or not. I see in my log files that zombies are trying to deliver spam to a recipient that has not existed for more than 2 years (550 User unknown). And many other "recipients" that never were valid.
    I have just finished a test - I removed the MX and A records for one of my domains - for 2 months. Now I have reestablished these records - and after half an hour I noticed the first attempt to deliver a spam.
    Spammers - they do care about the size of their databases -> “hey look, I have 1M records more than you”
