[Mimedefang] Re: common practice

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Fri Dec 5 14:55:08 EST 2003


There's a subtle distinction here.  Undeliverable reports are commonly
generated two very different ways:

1) The receiving agent (mimedefang server) accepts the mail, then tries to
forward to the internal mail host (Exchange server).  The Exchange server
accepts the mail, then realizes - oops - there is no such user at this
address!  The Exchange server then creates a brand new email to the effect
that the previous email was undeliverable, and tries to send *that*.

2) The receiving agent (mimedefang server) rejects the mail as
undeliverable.  What happens next is completely dependent on the sending
agent!
2a) In the case of legitimate email, the sending agent will probably
generate a bounce message to the sender.
2b) In the case of spam, it all depends.
2b1) The spammer *could* generate a bounce message.  As the sending email
address is probably forged, the spammer will just be sending his spam, in
disguised form, to the faked sender.  Sometimes the sender is the same as
the recipient - in that case, the spammer will reconnect to the mimedefang
server with a subtly different email, probably to be rejected again.  This
can easily generate an infinite loop, which is bad for both the spammer and
the mimedefang server.
2b2) The spammer will more likely simply increment an "undeliverable"
counter in his database next to the recipient email address, and next time
around not bother to send to that email address.

By far the best possible option is 2).  It follows from the good general
rule, reject as early as you can with as much specificity as you can.

> * Kelson Vibber <kelson at speed.net>
> > If you want to block all of them on the same criteria, I recommend
> > just using action_bounce. This will send an SMTP reject code, so you
> > don't have to worry about generating bounce messages to possibly fake
> > senders - *and* if it's a false positive, the sender knows his mail
> > didn't go through.
>
> No, the forged sender will usually receive some form of delivery status
> notification message from the mail server you issue the action_bounce
> to.
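
Option 2) above, rejecting at RCPT time instead of accepting and bouncing later, sketched as a mimedefang-filter fragment. This is an added example, not part of the original post. The domain example.com, the HELO name and the internal host 192.0.2.25 are hypothetical placeholders; md_check_against_smtp_server is supplied by mimedefang.pl, and the internal host is assumed to refuse unknown recipients at RCPT TO itself.

```perl
# Added example for /etc/mail/mimedefang-filter (not from the original post).
# Assumptions: mimedefang is started with -t so filter_recipient is called;
# 192.0.2.25 and example.com are placeholders for the internal mail host
# and the domain it serves.

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Only verify addresses in the domain we relay inward; anything else
    # is left to the MTA's normal relay rules.
    return ('CONTINUE', 'ok') unless $recipient =~ /\@example\.com>?$/i;

    # Replay MAIL FROM / RCPT TO against the internal host without sending
    # any data.  The result is ('CONTINUE', ...), ('TEMPFAIL', ...) or
    # ('REJECT', ...), mirroring the internal host's own answer.
    my ($status, $msg) = md_check_against_smtp_server(
        $sender, $recipient, 'mimedefang.example.com', '192.0.2.25');

    # REJECT becomes a 5xx reply to the connecting client during the SMTP
    # session, so this server never accepts the message and never has to
    # generate a bounce to a possibly forged sender (case 1 above).
    # TEMPFAIL becomes a 4xx reply, so legitimate senders retry if the
    # internal host is briefly unreachable.
    return ($status, $msg);
}

1;    # a filter file must end with a true value
```

If the internal host accepts every recipient and only discovers unknown users after the data phase, this check always returns CONTINUE and the accept-then-bounce behaviour of case 1) remains.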


