Your Linux Data Center Experts

I installed some capacity analysis software, which I'll probably write about shortly, on our mail server yesterday. Part of that was that I found that there were over 30 messages in the mail queue. All of these were bounces related to spam, which couldn't be delivered because of the sender address wasn't valid. So I decided to do a little survey to see how much of our e-mail comes from invalid senders…

I wrote a quick Python program that, given an e-mail address, would contact the domain's mail server(s) and then ask if it would accept e-mail for that address. I pulled sender addresses from our mail logs over the last week to feed the system and then fired it off to check the addresses.

I started it off running and went to bed. When I got up, it had only made it 15% of the way through the 26,093 addresses. So, I converted from sequential-processing to running 50 checks in parallel. While the checks used up 40% of the CPU time on a fairly speedy box, it was able to complete 97% of them within an hour. The remaining few percent took 2 more hours.

Here's how the results came out:

  • Total sender addresses checked: 26,093
  • Mail servers which accepted the sender address with a 2xx or 4xx response: 10,789
  • Sender address which had servers which accepted an SMTP connection: 22,562
  • Obvious addresses that were rejected with a 5xx response but I wanted to get e-mail from anyway: 16

So, clearly there could be a huge benefit for a mail server to check the sender's address against the published MXs, and reject messages which do not have a valid sender. On the other hand, if this is prevalent it would make it easy for a spammer to DDoS a domain's mail server. On the other other hand, if you put these checks after SPF and Greylisting, the attacked domain would just have to publish a (even passingly) valid SPF record to shut down the attack.

I'll probably be trying this on some test domains by writing a Postfix external policy filter, to test it out. It's worth trying at least. And it's not like nobody is currently doing this. Exim I know can be configured to do this.

comments powered by Disqus

Join our other satisfied clients. Contact us today.