Configuring Backscatter to prevent MDaemon accepting bouncebacks for emails it never sent

Spammers and viruses often use valid domains as sender addresses when routing spam or viruses out, so that they do not have to deal with the bouncebacks (backscatter) generated by receiving mail servers when that mail is addressed to invalid email addresses. If a spammer or virus has used your domain as the sender, you receive bounceback messages in your mailbox for email that you never sent. MDaemon includes Backscatter Protection to help prevent these bouncebacks from being accepted.

When Backscatter Protection is enabled, MDaemon adds a special Backscatter Protection code to the Return-Path address of every outgoing message. MDaemon generates this code using a private key that is unique to your MDaemon server together with time-specific information. If you also configure Backscatter Protection to reject bounced email that MDaemon did not generate, it checks any incoming email whose MAIL FROM address is either “mailer-daemon@…” or a NULL reverse path (no Return-Path value) to ensure that the associated RCPT TO value contains the code MDaemon generates. If no such code exists in the RCPT TO value, MDaemon knows it did not generate the original email that the bounceback refers to and refuses to accept the bounceback.

IMPORTANT: Because MDaemon adds the Backscatter Protection code to the email it sends out and checks incoming email for that code, for it to work effectively MDaemon should route outbound email directly to the receiving mail servers and accept mail (including their bouncebacks) directly from those receiving mail servers – that is, it should hold the domain’s MX record.

ENABLING BACKSCATTER:

Backscatter is located in the MDaemon UI at Security -> Security Manager -> Other -> Backscatter Protection:

Enable Backscatter Protection

Click this checkbox if you wish to insert a special Backscatter Protection code into each outgoing message’s Return-Path address. MDaemon generates this code using a unique private key, and the code is valid for seven days. Any incoming bouncebacks or other auto-response messages (with a “mailer-daemon@…” or NULL reverse path) must then carry a valid, non-expired Backscatter Protection code or they will fail Backscatter Protection verification.

Apply Backscatter Protection to gateway domains

When Backscatter Protection is enabled, click this option if you also wish to apply it to domains for which MDaemon is acting as a gateway or backup server.

Reject messages that fail Backscatter Protection verification

Click this checkbox if you wish to reject bouncebacks or other auto-response messages that fail Backscatter Protection verification. Messages with a “mailer-daemon@…” or NULL reverse path will fail if they do not contain the special code or if the code’s seven-day life-cycle has expired. Because of Backscatter Protection’s reliability, there are no false positives or “grey areas”: a message is either valid or not valid. For this reason it is safe to configure MDaemon to reject invalid messages, as long as you ensure that all of your accounts’ outgoing messages contain the special Backscatter Protection code (see the IMPORTANT note above for details). In all cases the result of Backscatter Protection verification is logged to the \MDaemon\Logs\MDaemon-SMTP(in).log file, even when you choose not to reject messages that fail verification.

Allowing time for Backscatter Protection to apply:

When you enable Backscatter Protection, you should wait about a week before setting it to reject invalid bouncebacks or auto-response messages. During that time you might still receive valid bouncebacks or auto-responses to messages that were sent out before Backscatter Protection was activated. If Backscatter Protection were configured to reject invalid messages during that time, those legitimate response messages would be rejected by mistake.

Creating a new Backscatter Protection key:

The Backscatter Protection tab in MDaemon has an option to generate a new Backscatter Protection key. To help ensure that spammers and viruses cannot start using your unique Backscatter Protection key, it is recommended to create a new key periodically. This key is used by MDaemon to create and then verify the special Backscatter Protection codes that are inserted into messages. When the new key is generated, a dialog informs you that the old key will continue to work for seven more days unless you choose to delete it immediately. In most cases you should click “No”, allowing the old key to work for seven more days. If you delete the old key immediately, some incoming messages could fail Backscatter Protection verification, since they would be responses to messages containing the special code generated by the old key.
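The following is an added illustration, not MDaemon’s own code, of the mechanism described above and in the earlier sections: tagging the outgoing Return-Path with a time-stamped code, checking only bounces that arrive with a NULL or “mailer-daemon@” reverse path, enforcing the seven-day life-cycle, honouring an old key during its grace period after a key change, and mirroring the reject-versus-log-only option. The tag layout prvs=<day><sig>=<address>, the truncated HMAC-SHA256 and the use of plain day numbers are assumptions made for this example; MDaemon’s real code format is not described on this page.

```python
import hashlib
import hmac
import re

# Constructed BATV-style scheme for illustration. The tag layout
# prvs=<day><sig>=<local>@<domain> and the HMAC are assumptions;
# MDaemon's real Backscatter Protection code format is not shown on the page.
CODE_LIFETIME_DAYS = 7
_TAG = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)

def _day_stamp(day_number):
    return day_number % 1000  # 3-digit day counter; makes the code time-specific

def _code(key, stamp, address):
    mac = hmac.new(key, f"{stamp:03d}{address.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]

def sign_return_path(address, key, today):
    """Outbound: embed the protection code in the Return-Path (MAIL FROM)."""
    stamp = _day_stamp(today)
    return f"prvs={stamp:03d}{_code(key, stamp, address)}={address}"

def is_bounce(mail_from):
    """Only a NULL reverse path or a mailer-daemon@ sender triggers the check."""
    sender = mail_from.strip("<> ").lower()
    return sender == "" or sender.startswith("mailer-daemon@")

def verify_rcpt_to(rcpt_to, keys, today):
    """Inbound bounce: return the original address if RCPT TO carries a valid,
    unexpired code made with any key in `keys` (the current key plus an old key
    still inside its seven-day grace period); otherwise None."""
    m = _TAG.match(rcpt_to.strip("<> "))
    if not m:
        return None
    stamp, sig, address = int(m.group(1)), m.group(2).lower(), m.group(3)
    if (_day_stamp(today) - stamp) % 1000 > CODE_LIFETIME_DAYS:
        return None  # the code's seven-day life-cycle has expired
    for key in keys:
        if hmac.compare_digest(sig, _code(key, stamp, address)):
            return address
    return None

def smtp_decision(mail_from, rcpt_to, keys, today, reject_failures):
    """Mirror the 'Reject messages that fail verification' option: a verdict
    is always produced (for the SMTP-in log); rejection only when switched on."""
    if not is_bounce(mail_from):
        return ("accept", "not a bounce; Backscatter check not applied")
    if verify_rcpt_to(rcpt_to, keys, today):
        return ("accept", "Backscatter verification passed")
    return ("reject" if reject_failures else "accept", "Backscatter verification failed")
```

`today` is a plain day number (for example `datetime.date.today().toordinal()`), so the same tag can be checked against any later day to see when it expires.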

Using a Backscatter Protection key between multiple MDaemon servers or other mail server software:

If you send email from your domain by other means, such as web servers or mail servers that do not pass the mail through MDaemon first, then you need to ensure that this email is also Backscatter Protection encoded. The Backscatter Protection key is located in a file called rsa.private in MDaemon’s \PEM\_batv\ folder. The other route the mail takes would also need to be Backscatter Protection “aware” to be able to use your key in this way; otherwise Backscatter Protection will not work effectively.