On Wed, 2009-02-11 at 19:29 +0000, Ned Slider wrote:
> Martin Gregorie wrote:
> >
> > This backscatter is precisely what SPF records are meant to alleviate.
> > You should have a valid SPF message set up for every registered domain
> > handled by your mail servers.
> >
>
> How so?
>
> The backscatter he is receiving is most likely DSN messages sent from
> mail servers in response to his (forged) sender address.
>
Yes, of course. My understanding is that SPF lets the receiving MTA determine whether the sender's domain was forged. If it is there's no point in sending a bounce message for undeliverable mail. So, SPF-aware MTAs will silently discard undeliverable mail which has a forged sender.

I was getting flooded with backscatter until I set up an SPF record for my domain, at which point it stopped coming and I haven't been bothered since. Was that coincidence or SPF doing its stuff? I don't much believe in coincidence except for random & rare events.

> SPF will only help if other people's mail servers deploy and bounce
> mail on failed SPF, but as I asserted in an earlier post to this
> thread, how much faith do you place in a mail admin deploying SPF
> _AND_ bouncing messages on SPF failure when they can't even address
> the issue that their servers are responsible for the backscatter
> problem by accepting mail for non-existent addresses and then sending
> DSNs to a forged address.
>
AFAIK a lot of current MTA versions will use SPF checks out of the box. This means that even a numpty-administered MTA will do SPF checks before sending rejections. That certainly seems to be the case for Postfix: its manual says its default is to silently drop backscatter for unknown local users and I haven't seen any of that or any for valid users for a very long time.

Martin