Backscatter Protection

Enable Backscatter Protection

Click this checkbox if you wish to insert a special Backscatter Protection code into each outgoing message's "Return-Path" address. MDaemon will generate this special code by using the private key found in the rsa.private file located in MDaemon's PEM\_batv\ folder, and the code will be valid for seven days. Any incoming DSNs or other auto-response messages (with a "mailer-daemon@..." or NULL reverse path) must have a valid, non-expired BP code or they will fail BP verification.

If you disable this option, MDaemon will not insert the special Backscatter Protection code into outgoing messages. It will, however, continue to check incoming DSNs and auto-response messages to ensure that any incoming message with a valid code is not rejected by mistake.

Apply Backscatter Protection to gateway domains

When Backscatter Protection is enabled, click this option if you also wish to apply it to domains for which MDaemon is acting as a gateway or backup server (see Domain Gateways).

Reject messages that fail Backscatter Protection verification

Click this checkbox if you wish to reject DSNs or other auto-response messages that fail BP verification. Messages with a "mailer-daemon@..." or NULL reverse path will fail if they do not contain the special code or if the code's seven-day life cycle has expired. Because of Backscatter Protection's solid reliability, there are no false positives or "gray areas" — a message is valid or it isn't. For this reason it is safe to configure MDaemon to reject invalid messages, as long as you ensure that all of your accounts' outgoing messages contain the special BP code. In all cases, however, the result of BP verification will be logged into the SMTP-in log file, even when you choose not to reject messages that fail verification. Incoming messages for gateways will not be rejected unless you have checked the "Apply Backscatter Protection to gateway domains" option above.

When you enable Backscatter Protection, you should wait about a week before setting it to reject invalid auto-response messages. This is because during that time you might still receive DSNs or auto-responses to messages that were sent out before BP was activated. If BP were configured to reject invalid messages during that time, those legitimate response messages would be rejected by mistake. After a week it should be safe to start rejecting invalid messages. This same warning applies when you create a new BP key and choose to delete the old key immediately instead of allowing it to continue working for another seven days (see the Create new Backscatter Protection key option below).

White List

Click this button to open the Backscatter Protection white list. Use this list to designate any IP addresses or domains that you wish to exempt from Backscatter Protection.

Create new Backscatter Protection key

Click this button to generate a new Backscatter Protection key. This key is used by MDaemon to create and then verify the special BP codes that are inserted into messages. The key is located in a file called rsa.private in MDaemon's PEM\_batv\ folder. When the new key is generated, a box will open to inform you that the old key will continue to work for seven more days unless you wish to delete it immediately. In most cases you should click "No", electing to allow the key to work for seven more days. If you choose to delete the key immediately then that could cause some incoming messages to fail BP verification, since they would be responses to messages containing the special code generated by the old key.

If you have your email traffic split across multiple servers, you may need to share the key file with all of your other servers or Mail Transfer Agents (MTAs).
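
The behavior described on this page (a code in the Return-Path that is valid for seven days, verification of messages with a NULL or "mailer-daemon@..." reverse path, and an old key that keeps working after a new one is created) is illustrated below. This is an added example, not MDaemon's code: the `bp=` tag format, the HMAC-SHA256 keyed hash standing in for MDaemon's key file, integer day numbers, and the names `tag_return_path` and `verify_bounce` are all assumptions made for illustration.

```python
import hashlib
import hmac

LIFETIME_DAYS = 7  # code lifetime stated on this page

def _mac(key: bytes, expiry_day: int, address: str) -> bytes:
    # Keyed hash over the expiry day and the original address (assumed scheme).
    msg = f"{expiry_day}:{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16].encode()

def tag_return_path(address: str, key: bytes, today: int) -> str:
    """Build the tagged Return-Path for an outgoing message (constructed format)."""
    expiry = today + LIFETIME_DAYS
    return f"bp={expiry}-{_mac(key, expiry, address).decode()}={address}"

def verify_bounce(reverse_path: str, recipient: str, keys: list, today: int) -> str:
    """Classify an incoming message as 'not-applicable', 'pass' or 'fail'."""
    local = reverse_path.split("@")[0].lower()
    if reverse_path not in ("", "<>") and local != "mailer-daemon":
        return "not-applicable"      # only DSNs and auto-responses are checked
    if not recipient.startswith("bp="):
        return "fail"                # no code at all
    try:
        tag, address = recipient[3:].split("=", 1)
        expiry_text, mac = tag.split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return "fail"                # malformed code
    if today > expiry:
        return "fail"                # seven-day lifetime is over
    # keys = current key plus any old key still inside its grace period
    for key in keys:
        if hmac.compare_digest(mac.encode(), _mac(key, expiry, address)):
            return "pass"
    return "fail"
```

Passing only the new key in `keys` models deleting the old key immediately: a bounce to a message tagged with the old key then returns "fail" even though its code has not expired.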