Avian’s Blog

Electronics and Free Software

Dealing with backscatter

15.04.2008 20:13

For a week or so I've been having terrible problems with backscatter (of the email kind, not Rayleigh). I'm receiving hundreds of mails per day to my personal email address from various misconfigured mail servers around the world, telling me that mails I have never sent didn't find their recipients. This has made my mailbox more or less useless until I implemented some filtering over the weekend (if you've sent me a mail - I'm just now going over my cleaned inbox).

It turned out filtering this kind of traffic is quite tough if you don't want to miss out on genuine error reports. Not to mention that it really messed up my Bogofilter state. Since I didn't mark those error reports (which contained attached spam) as spam, it learned from them and got the idea that I changed my mind and like getting Viagra offers after all.

I don't know what caused this flood of messages. It's suspicious that it started approximately at the time my mail server went down for a couple of hours 10 days ago. However I don't see how that could be related - I have a secondary mailserver in the DNS MX record, so no mail sent to addresses at tablix.org bounced or was lost.

It's also interesting what kind of garbage I got. Most common are of course the ordinary "Undelivered Mail Returned to Sender" and similar messages (usually because the mailbox is over quota). But after digging through it I also found a surprising number of "Message you sent blocked by our bulk email filter". It looks like some companies actually reply to each and every spam message they get. Unbelievable.

Then there are more personal messages like "please forward all emails sent to this current email address to...", "thank you for contacting us about...", odd errors like "error writing message: File too large" and this gem:

Use of uninitialized value in numeric ge (>=) at /etc/smrsh/vacation.pl
line 187.
Use of uninitialized value in fcntl at /etc/smrsh/vacation.pl line 238.
Use of uninitialized value in fcntl at /etc/smrsh/vacation.pl line 252.
untie attempted while 1 inner references still exist at
/etc/smrsh/vacation.pl line 202.

So anyway, if by any chance you're running your own mail server, you should make sure that you don't do stuff like that. Read at least the FAQ about backscatter and don't use silly scripts. The first sanity check is quite easy. Fire up a telnet client and try to send mail to a bogus address. You should be rejected right after the RCPT TO step, not later notified by mail:

$ telnet mail.tablix.org 25
Connected to mail.tablix.org.
Escape character is '^]'.
220 chandra.tablix.org ESMTP
MAIL FROM: someone@example.com
250 OK
RCPT TO: foo@tablix.org
550 Unrouteable address
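
The same sanity check as a script, added here as an example (it is not code from the original post). It stops at RCPT TO and never sends DATA. The stub server, the example.test addresses and the verdict names are constructed for illustration, so the check can be run offline before pointing probe_rcpt at your own mail server.

```python
import smtplib
import socketserver
import threading

def probe_rcpt(host, port, rcpt, sender="someone@example.com", timeout=10):
    """Return (verdict, code, text) for the server's answer to RCPT TO."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo("probe.example.com")
        code, _ = smtp.mail(sender)
        if code != 250:
            return ("inconclusive", code, "MAIL FROM refused")
        code, text = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction; no message is ever sent
    text = text.decode(errors="replace")
    if 500 <= code < 600:
        return ("rejects-at-rcpt", code, text)  # sender learns in-session
    if 400 <= code < 500:
        return ("temp-fail", code, text)        # greylisting etc., retry later
    # Accepted: if the mailbox does not exist, any later error report
    # goes to the (possibly forged) sender address as backscatter.
    return ("accepts-unknown", code, text)

class _Stub(socketserver.StreamRequestHandler):
    """Constructed stand-in server that knows only user@example.test."""
    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for line in self.rfile:
            cmd = line.strip().upper()
            if cmd == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            reply = b"250 OK"
            if cmd.startswith(b"RCPT TO:"):
                known = b"<USER@EXAMPLE.TEST>" in cmd
                if not (known or self.server.accept_all):
                    reply = b"550 Unrouteable address"
            self.wfile.write(reply + b"\r\n")

def start_stub(accept_all):
    """Start the stub on a free localhost port; accept_all mimics a bad setup."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Stub)
    srv.accept_all = accept_all
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for accept_all in (False, True):
        srv = start_stub(accept_all)
        print(probe_rcpt("127.0.0.1", srv.server_address[1], "foo@example.test"))
        srv.shutdown()
        srv.server_close()
```
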
Posted by Tomaž | Categories: Life