[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation

IVO GELOV (CRM) ivo at crm.walltopia.com
Mon Jan 16 11:38:01 EET 2012


On Sun, 15 Jan 2012 23:50:02 +0200, Mark Sapiro <mark at msapiro.net> wrote:

> On 11:59 AM, Charles Marcus wrote:
>> On 2012-01-14 12:23 PM, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
>>> I have downloaded the latest version 4.0 - but it seems there is no
>>> way to prevent spammers from using forged email addresses. I decided to
>>> remove the vacation feature from our corporate mail server, because
>>> it actually opens a backdoor (even though only when someone decides
>>> to activate his vacation auto-reply) for spammers and puts the
>>> company at risk (our server can be blacklisted).
>>
>> Sorry, I misread your message...
>>
>> However, (I *think*) there *is* a simple solution to your problem, if I
>> now understand it correctly...
>>
>> Simply disallow anyone sending from an email address in your domain from
>> sending without SASL_AUTHing...
>
>
> I don't see how this will help. The scenario the OP is concerned about
> is spammer at foreign.domain sends a message with forged From: and maybe
> envelope sender victim at other.foreign.domain to his user on vacation. The
> vacation program sends an autoresponse to the victim.
>
> However, why worry about this minimal backscatter? A good vacation
> program will not send more than one autoresponse per long time (a week?)
> for a given sender/recipient and won't include the original spam
> payload. So, even though a spammer might use this backdoor to cause your
> server to send messages to multiple recipients, the messages should not
> have spam payloads and shouldn't be sent more than once to a given end
> recipient.
>

The limitation of 1 message per week for any unique combination of sender/recipient
does not stop backscatter - because each message can come with a new forged FROM address,
and from different compromised mail servers.
The spammer does not have control over the body of the auto-replies (which is something
like "I am not at the office, please write to my colleagues"), but it still
may cause the victims to take some measures.
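The two positions above can be checked with a small model. The following Python is an added example, not code from the thread, Dovecot or Postfix: it implements a vacation responder's decision logic with the suppressions RFC 5230 asks for (no reply to the null envelope sender, to Auto-Submitted or mailing-list traffic, or when the vacationing address is not in To/Cc) plus the one-reply-per-sender/recipient-pair-per-week tracking Mark describes, then replays a spammer who rotates a fresh forged sender on every message. The corporate and victim domains, the 7-day window, the timestamps and the optional per-mailbox daily cap (shown as one way to bound the backscatter the OP is worried about) are all assumptions for the illustration.

```python
# Added example (not from the original thread): a minimal vacation-responder
# decision function that models the per-sender/recipient suppression discussed
# above and shows why rotating forged senders defeat it.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SUPPRESS_SECONDS = 7 * 24 * 3600   # one reply per (sender, recipient) per week (assumption)


@dataclass
class Message:
    envelope_from: str        # SMTP MAIL FROM; "" is the null sender used by bounces
    rcpt: str                 # SMTP RCPT TO, i.e. the mailbox that is on vacation
    headers: Dict[str, str]   # header name (lower-cased) -> value
    received_at: int          # unix time, constructed for the example


@dataclass
class VacationState:
    last_reply: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (sender, rcpt) -> time
    sent_today: Dict[Tuple[str, int], int] = field(default_factory=dict)   # (rcpt, day) -> count


def _addresses(value: str) -> List[str]:
    """Pull bare addresses out of a To/Cc header value."""
    return [a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+", value)]


def should_autoreply(msg: Message, state: VacationState,
                     daily_cap: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a vacation reply may be sent; updates state when it may."""
    # Checks RFC 5230 requires of a vacation responder.
    if msg.envelope_from == "":
        return False, "null envelope sender (bounce or notification)"
    if msg.headers.get("auto-submitted", "no").lower() != "no":
        return False, "auto-submitted message"
    if "list-id" in msg.headers or \
            msg.headers.get("precedence", "").lower() in ("bulk", "list", "junk"):
        return False, "mailing list or bulk traffic"
    visible = _addresses(msg.headers.get("to", "")) + _addresses(msg.headers.get("cc", ""))
    if msg.rcpt.lower() not in visible:
        return False, "vacationing address not in To/Cc"

    # The per-pair suppression Mark describes: at most one reply per week per sender.
    key = (msg.envelope_from.lower(), msg.rcpt.lower())
    last = state.last_reply.get(key)
    if last is not None and msg.received_at - last < SUPPRESS_SECONDS:
        return False, "already replied to this sender this week"

    # Assumed extra mitigation: cap replies a single mailbox may emit per day,
    # which bounds backscatter regardless of how many senders are forged.
    if daily_cap is not None:
        day_key = (msg.rcpt.lower(), msg.received_at // 86400)
        if state.sent_today.get(day_key, 0) >= daily_cap:
            return False, "per-mailbox daily cap reached"
        state.sent_today[day_key] = state.sent_today.get(day_key, 0) + 1

    state.last_reply[key] = msg.received_at
    return True, "reply"


def simulate_forged_senders(n: int, daily_cap: Optional[int] = None) -> int:
    """A spammer sends n messages to one vacationing user, each with a fresh
    forged sender (the OP's scenario). Returns how many auto-replies would
    leave the server, i.e. the backscatter volume."""
    state = VacationState()
    sent = 0
    for i in range(n):
        victim = f"victim{i}@other.example"          # constructed forged sender
        msg = Message(envelope_from=victim, rcpt="user@corp.example",
                      headers={"from": victim, "to": "user@corp.example", "subject": "hi"},
                      received_at=1_326_700_000 + i * 60)
        ok, _ = should_autoreply(msg, state, daily_cap)
        sent += ok
    return sent


if __name__ == "__main__":
    print("pair suppression only:", simulate_forged_senders(50))          # 50 replies
    print("pair suppression + daily cap 10:", simulate_forged_senders(50, 10))  # 10 replies
```

With only the per-pair weekly suppression, 50 messages with 50 different forged senders produce 50 auto-replies to 50 innocent addresses, which is exactly the point made in the reply above; the suppression only helps against a spammer who reuses a sender. The RFC 5230 checks remove the bounce-loop and mailing-list cases but do nothing against forged personal addresses, so any real bound on backscatter has to come from something independent of the sender, such as the per-mailbox cap modelled here.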


