Bounce spam protection (DSNs/NDRs)

"Bounce spam" can be an annoying problem. SMTP, the protocol used to transfer email, is a very simple protocol that was defined in 1982. Spam was not yet a problem at the time, and to keep things as simple as possible, no security measures were implemented in the protocol itself. As a result, there is no verification whatsoever that the "From:" address in an email message actually belongs to the sender.

To try to avoid spam filters, spammers typically use random email addresses as fake senders. This way they can avoid any simple spam filter that blacklists based on the sender email address. It is important, however, that the email address they use as a sender exists, since spam filters can apply a "sender verification check" to ensure that the sending address itself exists.

SpamExperts applies advanced methods to identify and block "bounce-spam".

What causes bounce spam

Properly set up mail servers do not cause bounce spam: they reject the message directly with a 5xx error code when the spammer tries to deliver it. Unfortunately, many legitimate mail servers are incorrectly set up. The spammer tries to deliver a spam message with your email address in the From field to an unknown address. The badly configured mail server accepts the message for delivery, then finds out that the destination user does not exist, and sends a bounce email to your email address because it (wrongly!) believes you are the originating sender. Because these bounces come from legitimate servers rather than from spamming servers, they are very hard for spam filters to block.

Catchall domains

If you have configured your email system to accept all email sent to any address @example.com, this is called a "catchall domain". The main advantage for you is that you won't have to create a separate mailbox for each address that should work.
Be advised: the problem is that if spammers detect that your mail server claims to accept email for any address, they can easily generate random local parts, append @example.com (your domain name), and so produce millions of different "valid" email addresses! It is therefore highly recommended to disable the email catchall, to prevent spammers from abusing your domain and from generating fake senders for their spam messages.

SPF / DKIM

By setting an SPF record for your domain, you make your domain less attractive for spammers to use for sending out email. Signing your emails with DKIM should further reduce the attractiveness of spoofing your domain name for outgoing spam.

BATV signing

A special "trick" to avoid bounce spam is to sign every outgoing email with a Bounce Address Tag Validation (BATV) tag. This adds a cryptographic token to the address used for receiving any bounce, which means that it's possible to know for sure whether a bounce is in response to a message that you sent.

To effectively use BATV, you need to be using both the incoming and outgoing email products, and you must send all your outgoing mail using the outgoing filter. When you send messages, the bounce address is signed, and when you receive bounces, any message that does not have a correct signature will be rejected.

Note that if you enforce BATV for incoming messages, and you are not using the outgoing filter to sign your bounce address, then all incoming bounces will be rejected, including legitimate ones. If you enable BATV for outgoing messages, and you are not using the incoming filter to enforce BATV, then you will gain no advantage, and may have trouble receiving legitimate bounces at the destination server that handles your incoming mail.
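
The signing and enforcement steps described above, as an added example (not SpamExperts' own code) written in the style of the "prvs" scheme from the BATV Internet-Draft. The key, the seven-day lifetime, the day number and the addresses are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; use a random private key
LIFETIME_DAYS = 7                 # assumed validity window for bounces


def _mac(key_id, expiry, address, secret):
    # First 3 bytes (6 hex chars) of HMAC-SHA1 over key id, expiry day, address.
    msg = f"{key_id}{expiry:03d}{address.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign(address, today, secret=SECRET, key_id=0):
    """Outgoing side: tag the bounce address. `today` is days since the epoch."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + LIFETIME_DAYS) % 1000
    tag = f"{key_id}{expiry:03d}{_mac(key_id, expiry, address, secret)}"
    return f"prvs={tag}={local}@{domain}"


def verify(recipient, today, secret=SECRET):
    """Incoming side: return the original address for a valid tag, else None."""
    local, _, domain = recipient.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0].lower() != "prvs":
        return None  # unsigned recipient: this bounce answers nothing we sent
    tag, orig_local = parts[1], parts[2]
    if len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return None
    key_id, expiry = int(tag[0]), int(tag[1:4])
    original = f"{orig_local}@{domain}"
    expected = _mac(key_id, expiry, original, secret)
    if not hmac.compare_digest(expected.encode(), tag[4:].lower().encode()):
        return None  # forged or altered tag
    if (expiry - today) % 1000 > LIFETIME_DAYS:
        return None  # tag has expired (day numbers wrap modulo 1000)
    return original


if __name__ == "__main__":
    day = 20000  # constructed day number
    signed = sign("alice@example.com", day)
    print(signed, verify(signed, day), verify("alice@example.com", day))
```

The unsigned-recipient branch is the case the note above warns about: with enforcement on and no outgoing signing, every bounce, legitimate or not, takes that path and is rejected.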
