[Exim] Departed users, forwarding addresses and collateral s…

Author: Alan J. Flavell
Date:  
To: Exim users list
New-Topics: Re: [Exim] Departed users, forwarding addresses and collateral spam
Subject: [Exim] Departed users, forwarding addresses and collateral spam
I'm using the term "collateral spam" in the sense of
http://www.ja.net/mail/junk/collateral.html - specifically,
bounces which relate to mail that faked its sender address.

The situation often arises that the addresses of departed users (at,
say, site "A") are still recognised by the mailer at site A, as a
courtesy to the departed user and their correspondents, but are simply
forwarded to the user's new address at, say, site "B".

When this user's *old* address is faked as the sender of a spam, and
bounced by some third-party site, the bounce goes to site "A", which
then typically forwards it to site B. Well, in fact we're just
getting one case where the address at site A gets faked as sender, the
bounce goes to site A, which accepts it and forwards it to site B, but
the user has now moved to site C (which is us), and so site B then
sends it to us.

This all adds to the world supply of nuisance traffic, unfortunately;
particularly as some of these old addresses seem to have got widely
known and so we find them being frequently used as the fake sender
addresses of spam - and indeed also of viruses (or rather, of the
virus shrapnel that gets left after misguided antivirus filters are
done with them, since a bounce with a live virus in it would normally
be rejected on that basis - actually, I'm coming to the view that spam
and anti-virus shrapnel can be treated as substantially equivalent.)

The converse scenario would happen of course when we are in the role
of "site A", and forwarding collateral bounces to one of our departed
users. Unless of course the item fell foul of one or other of our
anti-spam measures.

I'd like to raise the idea that, where such forwarded addresses no
longer ever send mail, it would be good practice for mailers to only
accept actual mail items, i.e. items with a non-null envelope sender,
when they are addressed to one of these old addresses; and should
reject anything with a null envelope sender, on the grounds that there
can be no valid delivery status notifications in relation to an
address which no longer ever sends mail.

Is this a generally good idea? Have others tried it, or something
similar? Are there some knock-on effects which I'm missing?

(This would also have the side benefit that anyone who was trying a
normal exim "callback" to see whether the old address as alleged
envelope sender on some spam was valid would get told that it was not,
and thus could reject the item at source, even though an actual mail
item for the old address would still be accepted and forwarded. If
you see what I mean.)

Naturally, when the forwarding addresses have outlived their
usefulness they get deleted. But it seems only fair to the users to
maintain a reasonable transition period. And it's during that period
that the kind of trouble discussed above is occurring. I'm thinking
not only that it would be good practice for us to adopt such a policy,
but also there might be an FAQ somewhere which suggested it as
good practice to those other sites which are currently forwarding this
kind of collateral bounce traffic to us.

best regards
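One way to express the policy proposed in the message above in an Exim 4 ACL, written here as an added example and not taken from the poster's configuration or from the Exim distribution. It assumes a constructed lookup file `/etc/exim/departed-forwarders` (a hypothetical path) whose keys are the local parts of departed users' forwarded-only addresses, and that the RCPT ACL is the usual `acl_check_rcpt`:

```exim
# Constructed example: departed users whose old addresses are kept only as
# forwarders. Keys are local parts; values are the forwarding targets, e.g.
#   jbloggs: jbloggs@example.net
# (the file path and its contents are assumptions, not part of the original post)
DEPARTED = /etc/exim/departed-forwarders

acl_check_rcpt:
  # A null envelope sender (MAIL FROM:<>) marks a bounce or DSN. Such an
  # address never originates mail any more, so no bounce for it can be
  # legitimate: refuse it at RCPT time instead of forwarding the shrapnel on.
  # Because callouts also use a null sender, a remote site verifying this
  # address as an alleged sender gets the same 5xx and can reject at source.
  deny    senders     = :
          domains     = +local_domains
          local_parts = lsearch;DEPARTED
          message     = Address no longer originates mail; delivery status notifications not accepted

  # ... remaining RCPT checks follow ...
  accept

begin routers

  # Ordinary mail (non-null sender) for the old address is still forwarded.
  departed_forward:
    driver = redirect
    domains = +local_domains
    local_parts = lsearch;DEPARTED
    data = ${lookup{$local_part}lsearch{DEPARTED}}
```

In Exim's list syntax an empty item (`senders = :`) matches the empty envelope sender, so the `deny` fires only on bounce-shaped traffic for the listed addresses; normal mail with a real sender passes to the `redirect` router. The trade-off is the one the post already names: any genuine DSN for such an address is also refused, which is acceptable only for the transition period when the address truly sends nothing.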