4

There seems to be a variety of implementations of SMTP that either immediately reject a message, and others that do an accept, then bounce the message.

Operationally, the accept-than-bounce is a little harder to use since the headers are usually more complex.

  • What are some reasons someone would use an accept than bounce, or a bounce immediately architecture?

  • What are some examples of faulty thinking? (e.g. accept than bounce can detect invalid email addresses if a unique sender is set .. VERP)

makerofthings7
  • 8,911
  • 34
  • 121
  • 197
  • 1
    This might be better in chat, or maybe you could explicitly state a problem that you're having with one particular configuration? – mfinni Aug 20 '13 at 17:49
  • I just want to know when to use one vs the other... – makerofthings7 Aug 20 '13 at 17:55
  • 1
    Based on the close reasons of "Too Broad" and "Opinion Based" is surprising. I had no idea that this aspect of network and email design was *subjective*, though I still believe that a rational way to choose one vs the other exists so I'll leave it up and won't delete this question – makerofthings7 Aug 20 '13 at 17:59
  • 1
    Per the Help link, it reads to me, too much like "I would like to participate in a discussion about ______”, instead of “I would like others to explain ______ to me”. I've retracted my vote, because there's a good specific answer below. – mfinni Aug 20 '13 at 18:01
  • 1
    `accept then bounce` is completely Evil. I want to null-route anyone that uses that. They make the Internet worse, by dumping their garbage in someone elses lawn. – Zoredache Aug 20 '13 at 20:32
  • @Zoredache can you explain why that's bad in detail? – makerofthings7 Aug 20 '13 at 20:50
  • 2
    I could, but I would just be regurgitating the backscatter page that Bob already linked you to. – Zoredache Aug 20 '13 at 21:03

2 Answers2

9

Don't do accept-and-bounce, do as much filtering/rejecting at connection time as possible. This helps to prevent Backscatter Emails and Joe Jobs, and keeps unwanted email out of your mail system.

Bob
  • 726
  • 4
  • 4
  • Some people have said this approach (accept and bounce) prevents Directory harvest attacks in some extent. How would you prevent against this, since this acts as VRFY in some respects. – makerofthings7 Aug 20 '13 at 21:29
  • 2
    @makerofthings7 If you're worried about directory harvesting attacks implement exponential-backoff throttling of hosts that try to send mail to invalid addresses. Accept-and-Bounce is a ***Bad Thing*** -- It violates core aspects of the SMTP RFC (you're supposed to return `5xx` for undeliverable or refused mail) and generates useless internet traffic. It also ties up space in your mail queue and makes you a viable host for use in [backscatter spam](http://en.wikipedia.org/wiki/Backscatter_(email)) like Bob said, which **will** get you blacklisted. – voretaq7 Aug 21 '13 at 13:36
6

The preferred option is to bounce immediately at the Internet gateway. This results in a failure for the server (most likely a spambot) that you are rejecting. However, it is simpler to use this to check for the existence of an email address.

Accept and bounce is simpler for the Internet gateway, but generates back scatter spam. In effect, you make your server assist in distributing spam. This is because it is easy to forge the addresses used to route the bounce message. This approach can make it more difficult to determine if an address is valid as you need to use a valid email address as the sender.

The VRFY option was originally intended to be used to verify the existence of an address. It worked well when the system administrators more or less knew each other. Now that almost anyone can setup a mail server, the required trust no longer exists. Various techniques can be used deal with this. Some of these are:

  • blacklisting or otherwise penalizing hosts which try to many addresses without sending a message.
  • seeding the network with email address which will only be used spammers. These can be used to identify hosts sending spam. (However, freemailers are likely to be caught by this rule.)
  • greylisting addresses. This can require multiple tries to validate an address.
  • accepting all recipients and dropping delivery to invalid addresses. At least one mail server I use does this. The server I manage does this with some recipients known to only receive spam.
BillThor
  • 27,737
  • 3
  • 37
  • 69