This new External Agent (download from here) can help reduce the damage of “backscatter”, a phenomenon that occurs when a spammer sends forged emails in the name of your domain. Given a sufficiently large number of forged emails, some of these will be undeliverable, resulting in tons of Delivery Status Notifications (DSNs) flooding your servers. As the DSNs come from otherwise legitimate servers, IP-based filtering is of little help here, and neither are the other tools of ORF, except this new one.
The idea behind the agent is that most DSNs contain the original email and this allows the agent to check if the original email is from your network, by examining whether it shows properties unique to your network.
This agent checks specifically for the Message-ID email header, which has a unique format pattern for every network/server. The agent extracts the Message-ID headers from the bounce report, and matches them with your unique pattern. If none of the Message-IDs are like your pattern, the agent reports that the original email was probably from another network—in other words, it’s a backscatter DSN.
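The check described above, as an added Python example (not the agent's own code): it collects the Message-ID headers of the original message embedded in a DSN and compares them with a local pattern. The pattern, the host names, the constructed sample bounce and the "unknown" verdict for bounces that carry no original message are assumptions.

```python
import re
from email import message_from_string
from email.parser import HeaderParser

# Assumed local pattern: a hypothetical MTA that stamps <8hex.8hex@mail.example.com>.
LOCAL_MSGID = re.compile(r"<[0-9A-F]{8}\.[0-9A-F]{8}@mail\.example\.com>", re.I)

def original_message_ids(dsn_text):
    """Return the Message-IDs of the original mail embedded in a DSN."""
    # The DSN's own top-level Message-ID belongs to the bouncing server,
    # so only the returned-message parts are inspected.
    ids = []
    for part in message_from_string(dsn_text).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            ids += part.get_payload(0).get_all("Message-ID", [])
        elif ctype == "text/rfc822-headers":     # headers-only bounce
            inner = HeaderParser().parsestr(part.get_payload())
            ids += inner.get_all("Message-ID", [])
    return [i.strip() for i in ids]

def classify(dsn_text):
    ids = original_message_ids(dsn_text)
    if not ids:
        return "unknown"       # assumption: no original attached, nothing to judge
    if any(LOCAL_MSGID.fullmatch(i) for i in ids):
        return "ours"
    return "backscatter"       # none of the IDs look like ours

def make_dsn(orig_msgid, inner_type="message/rfc822"):
    """Constructed sample bounce wrapping an original with the given Message-ID."""
    return (
        "From: MAILER-DAEMON@remote.example.net\n"
        "Message-ID: <dsn-1@remote.example.net>\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery to bob@remote.example.net failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; remote.example.net\n\n"
        "Final-Recipient: rfc822; bob@remote.example.net\nAction: failed\nStatus: 5.1.1\n"
        f"--b1\nContent-Type: {inner_type}\n\n"
        f"Message-ID: {orig_msgid}\nFrom: alice@example.com\nSubject: hello\n\nbody\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    print(classify(make_dsn("<4A3F9C01.0B7E22D4@mail.example.com>")))
    print(classify(make_dsn("<xyz123@spam.invalid>")))
```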
Note that this concept of backscatter detection has not been tested in production environments, which is why we call the agent “experimental”. Finding every Message-ID pattern for your email infrastructure can be quite a challenge, depending on how heterogeneous your network is. This is because the Message-ID may be generated by either the email client (MUA) or the email server (MTA). Neither Outlook nor Outlook Express generates a Message-ID on its own, but Mozilla Thunderbird does. Without knowing what email clients are used in your network and how they behave, you cannot reliably tell your Message-ID patterns. For example, ISPs have no chance to use this agent.
Despite this limited use, we think the agent may be useful for many smaller networks. Also, there are several ways we can improve the original idea, for example, by recording the Message-IDs of all outgoing emails in a database or by checking other email properties, but these solutions come at a higher cost. Let us know if the agent does not work for you and why, so that we can improve it to cover your requirements.