Our domain names (which are quite old) are often used by spammers - who forge them in their unwanted emails. Somtimes our users get one or two a day/month - sometimes in rare cases they get thousands an hour rendering their email address unusable.
Previously it was only the older deprecated domain names which were being forged - a good way to get people to migrate to our (somewhat) newer domain. However, now the spammers are forging our current domain name.
In a previous post, I mentioned we had started to get people to enforce our SPF and SenderID settings - that's fine for those people who do enforce it. However, for the rest of the internet the only option currently available is Bounce Address Tag Verification (http://mipassoc.org/batv/
). We enabled this on our Ironports today and once again started to find problems with the implementation of SMTP and related applications elsewhere on the internet (although we are happily dropping thousands of forged bounces each day now!).
BATV changes the MAIL FROM header from firstname.lastname@example.org
to prvs=<tag>=My.Name@example.com for all mail leaving our mail servers. Any bounces which are returned to our mail servers must have the prvs=<tag>=My.Name format - otherwise we just delete them. This is fine in 99.9% of cases of course. We can change the unique tag as time goes on - in case that is forged too.
The main problem we found was a poorly implemented anti-spam technique of Reverse Address Verification - this is where when we send an email, the remote MTA initiates it's own connection back to our mail server to see if the email address is valid. We're normally fine with this - however deep within the SMTP RFC "specifications" it says that remote MTA's must not change the case of the email address (prior to the domain name). Unfortunately a few of these reverse address verification tools (eg smf-sav http://smfs.sourceforge.net/smf-sav.html
*) lower case the email address component which then means our Ironport regards it as an invalid address - ie we send out at prvs=<tag>=My.Name@example.com and smf-sav returns to try prvs=<tag>=email@example.com (Ironport says "no such address").
For some places we have gotten them to disable reverse address for our domain, for others we have not been able to find someone to do it and have just not BATV'ed email to their domain. I guess the problem is that Ironport will need to put in some tolerance (ie lower-casing) in a future release - which they have promised to do. But authors of these reverse address verification tools will need to fix their stuff up as well - which is probably pretty much impossible given that most of them are open source and installations untraceable.
Some dodgy anti-spam filters have also been dubious about the BATV-style addressing and marked our emails as spam.
One place refused to accept email which had an = in the email address component (dunno how they every received mailing list emails).
There are some mailing list software programs (eg the OpenVMS ones) which use MAIL FROM for access control. We'll have to white list that - unless they change their mailing list software to become BATV aware. Unlikely.
Still, BATV is doing it's stuff for us.