Avoiding spam bounces

With help from the Exim user’s list, I’ve prevented the constant annoyance of many domain owners: bounces from spam pretending to be from your domain! Unless you have your own domain name and suffer from spam and bounces from spam pretending to be you, this will be very dull.

However, if you do suffer from spam-bounces and use Debian & Exim, this may be the answer you are looking for.

The problem

I run my own mail server, have my own domains, and generally have complete control over my email. Part of the reason I went down this route is because it’s nice to have your own domain, but you end up getting a lot of spam. If your domain has been around since 1999, there is no way of avoiding it.

Having got a great Debian Linux set up from Bytemark, it comes with Exim (Mail Transfer Agent), and although I am not a sys-admin, it is fairly easy to set up Spamassassin and ClamAV to protect your inbox.

However, when some bloody spammer decides to use your domain as the reply address for their spam, you will receive hundreds or even thousands or bounces to random addresses at your domain. Wonderfully meaningful addresses such as “ccumcrt@mydomain.com”.

Last year I got about ten thousand bounces in 3 weeks, and then it stopped. This year I’ve been getting about 20 a day – very annoying because they aren’t actually spam, they are replies to spam.

Where and who solved the problem

Well, it wasn’t me! Did I mention I’m not a sys-admin?

I joined the Exim users list, investigated and Googled first, checked the docs (I’ve not been told to RTFM yet), and then posted my question.

I’m very glad to say I got a good response, lots of help from an active community. Special thanks go to Jakob Hirsch who’s first reply contained the best answer.

There were quite a few replies, and if you are interested in Exim configuration and whether to have a catch-all address, it is quite revealing. (The second part of the thread is in the next month.)

Solution

Jakob’s suggestion uses the fact that bounces don’t have a ‘sender’ header (examining the ones I’ve received confirms this), and combining this with the random local addresses, it gives this configuration to add to the ACL check_rcpt config file (on Debian that’s the 30_exim4-config_check_rcpt file).

deny
  senders = :
  ! local_parts = known@email.address : another@known.address
  message = This address never sends out mail, so it cannot get bounces.

Another poster provided a page which is trying to do something quite similar, but didn’t seem to work for my setup.

Jacob’s suggestion didn’t work exactly, but with a few experimental tries and combining with other replies, this is what works for me:

  deny
    senders = :
    !local_parts = ac : (other 'local parts' before the @, in a colon separated list.)
    message = This address never sends outgoing mail. \
              You are responding to a forged sender address.
    log_message = bogus bounce for system user <$local_part@$domain>

This basically says “if there is no sender and it doesn’t match a local address, then reject it”.

For full domain references you would use:

!recipients = user1@example.com : user2@example.net

Later down the thread there is a method for using your alias file instead of hard coding the potential addresses. I couldn’t get that working with my multiple domain alias files, but if I do I’ll update this page.

Fingers crossed it seems to be working, although my tests are probably quite basic:

1. Can I send email?
2. Can I receive email?
3. Can I receive a legitimate bounce? (I emailed a non-existent address at work)
4. Does it reject a bounce to a non-local address?

List of bounce subject lines

Just in case it turned out to be useful (e.g. for filtering), I kept the bounces. In case anyone finds it useful, here are the key ones that cover most of the bounces I received:

• DELIVERY FAILURE: (subject)
• Delivery Notification: Delivery has failed
• Delivery failure: Returned to Sender
• **Message you sent blocked by our bulk email filter**
• Delivery Status Notification
• Delivery Status Notification (Failure)
• Mail System Error – Returned Mail
• Mail delivery failed: returning message to sender
• Returned mail: User unknown
• Returned mail: see transcript for details
• Undelivered Mail Returned to Sender
• failure notice

This was taken from a grep of the folder I filtered them into, I’ve got the full list if anyone wants it, but most of the rest just had the subject from the initial email.

---

Tags:

• spam
• Email bounces
• exim