
Qmail backscatter spam

Posted Aug 31, 2006 8:18 UTC (Thu) by copsewood (subscriber, #199)
Parent article: A comparison of Mail Transfer Agents - Part One

Quote from: http://zgp.org/pipermail/linux-elitists/2005-November/011...

"I could nitpick a few things, but it's probably better to point out
qmail's biggest crime: backscatter spam. By deliberate design it will
accept all mail for its domains, doing no recipient validation in the
SMTP dialogue. Then if a user does not exist, a bounce is generated,
almost always spamming the mailbox of an innocent victim (forged
envelope sender.)"

I don't think DJB accepts this one as a security hole either. AFAIK, there exist a growing number of sites which will blacklist an SMTP backscattering relay for the same reasons they will blacklist a promiscuous one. So this unfixed vulnerability could have an increasingly detrimental effect on your ability to operate a viable mail service.

To be secure in this respect, email to a non-existent address within one of your domains should always be rejected and never bounced.
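
The two behaviours contrasted in the comment above, as an added example that is not part of the original comment and is not qmail code: a small model of one inbound SMTP transaction under "accept everything, bounce later" and under "reject at RCPT TO". The function name, mailbox set, addresses and reply texts are constructed for illustration.

```python
# Constructed sample data: these mailboxes and addresses are made up.
LOCAL_USERS = {"alice@example.org", "bob@example.org"}


def receive(envelope_from, rcpts, validate_at_rcpt):
    """Model one inbound SMTP transaction (hypothetical helper).

    Returns (replies, bounces):
      replies - the SMTP reply given to each RCPT TO command
      bounces - (envelope sender, recipient) of every bounce this
                server would originate after accepting the message
    """
    replies, accepted = [], []
    for rcpt in rcpts:
        if validate_at_rcpt and rcpt not in LOCAL_USERS:
            # Rejected inside the SMTP dialogue: the connecting client keeps
            # responsibility for the message, nothing is queued here.
            replies.append((rcpt, "550 5.1.1 no such user"))
        else:
            replies.append((rcpt, "250 2.1.5 ok"))
            accepted.append(rcpt)

    bounces = []
    for rcpt in accepted:
        # Delivery fails only after the message was accepted, so the server
        # must now originate a bounce to whatever MAIL FROM claimed.
        # A null envelope sender ("") is never bounced to.
        if rcpt not in LOCAL_USERS and envelope_from:
            bounces.append(("", envelope_from))  # bounce uses the null sender
    return replies, bounces


if __name__ == "__main__":
    forged = "victim@example.net"  # envelope sender chosen by the spammer
    rcpts = ["nobody@example.org", "alice@example.org"]
    for validate in (False, True):
        replies, bounces = receive(forged, rcpts, validate)
        print("validate_at_rcpt =", validate)
        for rcpt, reply in replies:
            print("  RCPT TO:<%s> -> %s" % (rcpt, reply))
        print("  bounces originated:", bounces)
```
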



Qmail backscatter spam

Posted Aug 31, 2006 17:00 UTC (Thu) by RussNelson (guest, #27730)

The solution to this problem is not to enable dictionary attacks, but is instead to not reply to forged emails. If an ISP claims to not want backscatter spam, and yet isn't signing emails using DomainKeys, then their claim is not plausible.
