postmaster spam

This complaint has a multitude of variations but we tend to label the problem as “postmaster spam”.

Simply put, postmaster spam is any spam email that comes from a postmaster email address, whether it is the postmaster for your own domain or for someone else’s domain.

The postmaster address performs a critical role in email communication and its presence and use is prescribed in the RFCs for the SMTP protocol.

“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox “postmaster” as a case-insensitive local name.”

…and…

“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”

Who is the Postmaster?

The postmaster address is usually the source (or “from”) address for system generated emails such as non-delivery reports, although some email servers allow a different address to be used.

But this common usage, combined with the RFC requirements, creates a series of problems. Spammers know that the postmaster@ email address is almost always going to be valid, and email servers often treat email from postmaster@ email addresses as more trusted.

Postmaster Forgeries

One way in which spammers try to exploit this is by forging the sender address of spam to make it appear that it is coming from a postmaster@ address for a well known domain name. This is an effective technique because most email users have received genuine NDRs in the past and have at least some idea that a postmaster@ address is valid and trustworthy.

Because the human element of this exploit is so weak the best defence against this technique is to detect and block the spam before it reaches the intended victim. Anti-spam techniques such as connection filtering, content filtering, and Bayesian filtering are effective in stopping this.

Backscatter Spam

Another way spammers create “postmaster spam” is by causing NDRs, also known as backscatter spam. With this method a spammer will send email with forged sender addresses to various email systems, and when it is sent to non-existent addresses the receiving server sends back a NDR from their postmaster@ address to the forged sender address.

The person whose email address was used as the forged email address then receives the NDR, usually along with the original spam content attached or embedded. This technique is often successful because email systems don’t want to block important non-delivery reports.

Some anti-spam products specifically include protection for this type of NDRbackscatter spam through a combination of technologies. There is also an emerging technique appearing in some products that uses a header tag for all outgoing email. When an NDR comes back from an external source it can be checked for that tag. If it exists and matches a known email that was sent, then the NDR can be trusted and allowed back in to the email system. If the header tag does not exist then it is likely that the email originated elsewhere, probably from a spammer, and can be considered less trustworthy and subject to different filtering rules.

Other Postmaster Problems

The two problems that are mentioned above mostly impact end users, those who we are trying to protect from spam threats.

But another issue also exists, and that is spam addressed to the postmaster@ address itself. Because of the importance of the postmaster as prescribed in the RFC it is common for it to be exempt from any form of filtering or protection, to ensure it receives 100% of important email addressed to it.

Fortunately although this opens the door to spammers, the postmaster@ mailbox is usually only accessed by experienced administrators who are less likely to be tricked into opening spam or clicking on a phishing link. And in extreme cases the RFC does permit blocking of particularly bad sources of spam to the postmaster@ address.

And for our customers we are able to prescribe quality solutions to the problem of postmaster spam by implementing effective anti-spam systems on their networks.

Labels: