"Backscatter" refers to response messages that your users receive to emails that they never sent. This occurs when spam messages or messages sent by viruses contain a "Return-Path" address that is forged. Consequently, when one of these messages is rejected by the recipient's server, or if the recipient has an autoresponder or "out of office"/vacation message associated with his account, the response message will then be directed to the forged address. This can lead to huge numbers of bogus Delivery Status Notifications (DSNs) or auto response messages ending up in your users' mailboxes. Further, spammers and virus authors frequently take advantage of this phenomenon and will sometimes use it to launch Denial of Service (DoS) attacks against email servers, causing a flood of invalid emails to arrive from servers located all over the world.
To combat backscatter, SecurityGateway's Backscatter Protection (BP) feature can help to ensure that only legitimate Delivery Status Notifications and auto responders get delivered to your domains, by using a private key hashing method to generate and insert a special time-sensitive code into the "Return-Path" address of your outbound messages. Then, when one of these messages encounters a delivery problem and is bounced back, or when an auto-reply is received with a "mailer-daemon@..." or NULL reverse path, SecurityGateway will see the special code and know that it is a genuine automated reply to a message that was sent by one of your domains. If the message doesn't contain the special code or if the code has expired, it will be logged and can be rejected.
Configuration
Enable Backscatter Protection
Click this checkbox if you wish to enable Backscatter Protection. SecurityGateway will then begin to generate and insert a special code into the return path of all outbound messages, and it will look for that code in all returned messages. Backscatter Protection is disabled by default.
If you disable this option, SecurityGateway will not insert the special Backscatter Protection code into outgoing messages. It will, however, continue to check incoming DSNs and auto-response messages to ensure that any incoming message with a valid code is not rejected by mistake.
Reject messages that fail Backscatter Protection verification
Click this checkbox if you wish to reject DSNs or other auto-response messages that fail BP verification. Messages with a "mailer-daemon@..." or NULL reverse path will fail if they do not contain the special code or if the code's life-cycle has expired. Because of Backscatter Protection's solid reliability, there are no false positives or "gray areas" — a message is valid or it isn't. For this reason it is safe to configure SecurityGateway to reject invalid messages, as long as you ensure that all of your outbound messages contain the special BP code. In all cases, however, the result of BP verification will be logged, even when you choose not to reject messages that fail verification.
When you enable Backscatter Protection, you should usually wait about a week before setting it to reject auto-response messages that fail BP verification. This is because during that time you might still receive DSNs or auto-responses to messages that were sent out before Backscatter Protection was activated. If it were configured to reject invalid messages during that time then those legitimate response messages would be rejected by mistake. After a week it should be safe to start rejecting messages that fail verification. This same warning applies when you create a new BP key but elect not to use the Retain previous Backscatter Protection encryption key for [xx] days option.
Click here to immediately generate a new Backscatter Protection encryption key
Click this option to manually generate a new Backscatter Protection key. If the Retain previous Backscatter Protection encryption key for [xx] days option below is enabled, messages containing codes generated by the previous key will remain valid for the number of days designated in that option.
Exclusions
Exclude messages from globally allowlisted IP addresses and hosts
By default, when Backscatter Protection is enabled, all messages coming from globally allowlisted IP addresses and hosts are excluded from Backscatter Protection restrictions. Clear this checkbox if you wish to require even allowlisted IPs and hosts to adhere to these restrictions.
Exclude messages from authenticated sessions
When an incoming message is being sent over an authenticated session, it will be excluded from the Backscatter Protection restrictions by default. Uncheck this box if you wish to apply the restrictions to authenticated sessions as well.
Exclude messages from domain mail servers
When Backscatter Protection is enabled, incoming messages from one of your domain mail servers are excluded from Backscatter Protection restrictions by default. Clear this checkbox if you do not wish to exclude domain mail servers from Backscatter Protection checks.
Message Return Path Signing
Create a new Backscatter Protection encryption key every [xx] days
By default a new Backscatter Protection encryption key will be generated every 7 days. The new key will be used to generate the BP code for all new outgoing messages.
Retain previous Backscatter Protection encryption key for [xx] days
By default SecurityGateway will continue to validate messages containing a Backscatter Protection code that was generated with the previous encryption key for 7 days after a new encryption key is generated. This helps to ensure that valid messages do not inadvertently get rejected whenever a new key is generated. Disabling this option is not recommended (see the warning under the Reject messages that fail Backscatter Protection verification option above).
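The following Python is an added illustration, not SecurityGateway's own code or its actual address format: it models the return-path signing and verification described in the overview above together with the key rotation and previous-key retention options in this section, so you can see why a retained previous key keeps in-flight bounces valid. The prvs= address layout, the HMAC-SHA256 tag, and the day-based lifetime values are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

DAY = 86400
TAG_LEN = 16  # hex characters of the HMAC kept in the address (assumed length)

def _tag(key, expiry_day, sender):
    # Keyed hash over the code's expiry day and the original sender address.
    msg = f"{expiry_day}:{sender}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_LEN]

class KeyRing:
    """Current signing key plus previous keys kept for retain_days after rotation."""
    def __init__(self, now, rotate_days=7, retain_days=7):
        self.rotate_days, self.retain_days = rotate_days, retain_days
        self.current = secrets.token_bytes(32)
        self.previous = []                 # list of (key, usable_until)
        self.next_rotation = now + rotate_days * DAY

    def rotate(self, now):
        # "Create a new key every N days" / "Retain previous key for M days".
        self.previous.append((self.current, now + self.retain_days * DAY))
        self.current = secrets.token_bytes(32)
        self.next_rotation = now + self.rotate_days * DAY

    def valid_keys(self, now):
        return [self.current] + [k for k, until in self.previous if now <= until]

def sign_return_path(sender, ring, now, lifetime_days=7):
    """Rewrite user@domain into prvs=<expiry-day>-<tag>=user@domain (assumed format)."""
    expiry_day = int(now // DAY) + lifetime_days
    return f"prvs={expiry_day}-{_tag(ring.current, expiry_day, sender)}={sender}"

def needs_bp_check(mail_from):
    """Only DSNs and auto-responses are checked: NULL or mailer-daemon@ reverse path."""
    return mail_from == "" or mail_from.lower().startswith("mailer-daemon@")

def verify_return_path(addr, ring, now):
    """True only if the code is intact, unexpired, and made with a still-valid key."""
    if not addr.startswith("prvs="):
        return False
    try:
        head, sender = addr[5:].split("=", 1)
        day_str, tag = head.split("-", 1)
        expiry_day = int(day_str)
    except ValueError:
        return False
    if int(now // DAY) > expiry_day:
        return False                       # code life-cycle has expired
    return any(hmac.compare_digest(_tag(k, expiry_day, sender).encode(), tag.encode())
               for k in ring.valid_keys(now))
```

A bounce carrying a code signed under the old key still verifies after rotation while that key is retained; with retention set to zero days it is rejected, which is the situation the warning above describes.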
Do not return-path sign messages to the IP addresses or domains listed below
Use this option to specify any IP addresses and domain names to exempt from Backscatter Protection return-path signing.