Preventing Backscatter in MailEnable.


Backscatter occurs when bounce messages are sent to someone who is not the original sender. It is caused by sending email through a mail server with a victim's email address as the sender. If the mail server accepts the message and then generates a bounce message, the bounce is sent to the email address given in the original connection. Since this address may not be the actual sender's email address, an innocent third party may get the bounce message. Backscatter can be used to deliver spam, since the bounce will likely contain details of the original message (or a full copy of it), and it is also a side effect of spam.


There are a few ways backscatter can occur in MailEnable. Each cause is listed below with the configuration change that prevents the bounce:

Cause - If a valid user authenticates with their username and password via SMTP but uses another remote address as the actual envelope sender of a message, then the SMTP service will accept the email and may deliver a bounce to the remote sender (not any of the email addresses for the user).

Solution - Under the SMTP options there is a checkbox labelled "Authenticated senders must use valid sender address". This prevents users from pretending the sender is an email address which is not registered on the server.

Cause - If an email is sent to a mailbox that is over quota, then a quota notification message is sent.

Solution - Configure the postoffice connector to only send quota notifications to the mailbox.

Cause - If an email is sent to a mailbox that is disabled it can generate a delivery failure message.

Solution - Either remove the external email addresses for the mailbox so that the SMTP service does not accept the email, or configure the postoffice connector to not send NDRs (this will not affect the normal NDRs that the SMTP service generates, just failures to disabled mailboxes).
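The following added example (not MailEnable code, and not from the original article) is a simplified Python model of the three causes above. It shows where each notification is sent before and after the settings are changed. The policy field names, the `UNHARDENED`/`HARDENED` presets and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: addresses registered on the server, per login.
REGISTERED = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
    "carol": {"carol@example.com"},
}
LOCAL = set().union(*REGISTERED.values())

@dataclass(frozen=True)
class Policy:  # hypothetical field names for the three settings above
    auth_sender_must_be_valid: bool     # SMTP options checkbox
    quota_notice_to_mailbox_only: bool  # postoffice connector, quota
    ndr_for_disabled_mailbox: bool      # postoffice connector, NDRs

UNHARDENED = Policy(False, False, True)
HARDENED = Policy(True, True, False)

@dataclass(frozen=True)
class Message:
    mail_from: str                  # envelope sender, unverified
    rcpt_to: str
    auth_user: Optional[str] = None
    state: str = "ok"               # ok | over_quota | disabled | undeliverable

def notification_target(msg: Message, policy: Policy) -> Optional[str]:
    """Address that receives a bounce or notice, or None if none is sent."""
    if msg.auth_user is not None and policy.auth_sender_must_be_valid:
        if msg.mail_from not in REGISTERED.get(msg.auth_user, set()):
            return None             # refused during SMTP, so nothing to bounce
    if msg.state == "over_quota":
        return msg.rcpt_to if policy.quota_notice_to_mailbox_only else msg.mail_from
    if msg.state == "disabled":
        return msg.mail_from if policy.ndr_for_disabled_mailbox else None
    if msg.state == "undeliverable":
        return msg.mail_from        # normal SMTP NDR, unaffected by the settings
    return None

def backscatter_targets(messages, policy):
    """Notices that would leave the server for an address it does not host."""
    targets = (notification_target(m, policy) for m in messages)
    return [t for t in targets if t is not None and t not in LOCAL]

# Constructed messages, one per cause in the list above.
SAMPLES = [
    Message("victim1@example.net", "x@example.org", "alice", "undeliverable"),
    Message("victim2@example.net", "bob@example.com", None, "over_quota"),
    Message("victim3@example.net", "carol@example.com", None, "disabled"),
]
```

With `UNHARDENED` all three sample messages produce a notice to a remote address; with `HARDENED` none do, while a user sending from their own registered address still receives normal NDRs.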

Product: MailEnable (ME-Any ME-1.X ME-2.X Std-Any Std-1.X Pro-Any Pro-1.X Pro-2.X Ent-Any Ent-1.X Ent-2.X)
Class: HOWTO: Product Instructions
Revised: Saturday, January 4, 2020