Bounce Verification

Jason Meyer
Level 1

I am looking at setting up Bounce Verification. I am reading that it works basically by adding a tag to the outgoing MAIL FROM header. Does the recipient then see this as the from address?

Before tagging, jason@myhost.com
After tagging, prvs=jason=tag@myhost.com


Douglas Hardison
Cisco Employee

Hi Jason,

Short answer: no.

Long answer:
When sending email with bounce verification enabled, your IronPort appliance will rewrite the "Envelope Sender" address in the message.

The "envelope sender" field does not have to match the "From" header. The "From" header is the field which email clients usually display.

The "envelope sender" field is used in the early stages of the SMTP conversation, and saved as the "Return-Path" header. The "Return-Path" field holds the address to which mail systems should send bounce messages — reporting delivery-failure or success.

Hope that helps.

-whardison

Jason Meyer
Level 1

Thanks -whardison

OK, so if I have it setup correctly should I see the tag in the "Return-Path" header on the recipient end like I indicated in my first post?

The issue that I am trying to resolve is occasionally a few of our users get hit with what I believe are "backscatter" or "Joe Jobs", they will have thousands of delivery failures for e-mails they never sent.

Is Bounce Verification the best that IronPort has to defend against these?

Looks like by the Poll I posted that most people are not using Bounce Verification.

I am also looking at blocking all e-mail that has a null From: header. But I currently understand that this would probably block legitimate delivery failures, true?

Thanks again for the response and if anyone else has any ideas on how to prevent this please don't be afraid to share your ideas.

steven_geerts
Level 1

Hi!

One serious drawback of this system is that on some Outlook clients messages sent with BV turned on are displayed as "send on behalf of" (the original originator).

I think that's the main reason why 90% of us are not using it.

Regards, Steven

Douglas Hardison
Cisco Employee

> Thanks -whardison
>
> OK, so if I have it setup correctly should I see the tag in the "Return-Path" header on the recipient end like I indicated in my first post?

Correct.

> The issue that I am trying to resolve is occasionally a few of our users get hit with what I believe are "backscatter" or "Joe Jobs", they will have thousands of delivery failures for e-mails they never sent.
>
> Is Bounce Verification the best that IronPort has to defend against these?

Yes. And it works quite well.

> Looks like by the Poll I posted that most people are not using Bounce Verification.
>
> I am also looking at blocking all e-mail that has a null From: header. But I currently understand that this would probably block legitimate delivery failures, true?

True, if you plan to use a filter to do so. Null sender is commonly used in legitimate bounces.
This is a primary point for using BV. If the message comes in with a null sender (bounce), but does not contain the BV tag, it will be rejected by the IronPort. No filter needed.

> Thanks again for the response and if anyone else has any ideas on how to prevent this please don't be afraid to share your ideas.

Jason Meyer
Level 1

I would think that IronPort could utilize the message logs and do a check on Delivery Failure e-mails. Check to see if the recipient of the delivery failure actually sent an e-mail causing the bounce back. If nothing is in the outgoing logs then it must not be legitimate?

Why wouldn't this work?

> Hi!
>
> One serious drawback of this system is that on some Outlook clients messages sent with BV turned on are displayed as "send on behalf of" (the original originator).
>
> I think that's the main reason why 90% of us are not using it.
>
> Regards, Steven

Really?! This is pretty bad then and would be a reason why we wouldn't implement. I chose no currently.

What's everyone else's experience of BV?

jasongurtz
Level 1

What's great is we no longer get bombarded with blowback from some cretin's spam run that forges one of our addresses as a sender.

People interested in the details should see these (at least I think that's the scheme Ironport is using):
http://mipassoc.org/batv/
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

I can't think of why people would be getting errors about sent on behalf of. Are people filtering with an Ironport in-between their internal exchange boxes? That would seem more appropriate with an exchange hosted filtering solution along the lines of Forefront or innumerable others.

As you can see looking at http://mipassoc.org/batv/deploy/index.html we should feel lucky to have this since most other anti-spam vendors don't offer this technology in their appliance or software. Who knows why? This is really a win all around since there's almost no reason not to use it. The only things that get broken are techniques that are not best practice/not recommended such as call-back verification or Challenge-response systems.
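
The check discussed in this thread (tag the envelope sender on the way out, then accept a null-sender bounce only if its recipient carries a valid tag), as an added example that is not part of any post and is not IronPort's code. The address layout follows the `prvs=jason=tag@myhost.com` example from the first post; the tag contents (3-digit day plus 6 hex characters of HMAC-SHA1), the key and the 7-day lifetime are assumptions loosely modelled on the BATV draft linked above.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: same key on every gateway that tags or verifies
MAX_AGE_DAYS = 7                  # assumption: how long a tag stays valid

def _mac(day: int, local: str, domain: str, key: bytes) -> str:
    # Keyed hash over the issue day and the original address, truncated to 6 hex chars.
    msg = f"{day:03d}{local}@{domain}".lower().encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]

def tag_sender(addr: str, today: int, key: bytes = SECRET) -> str:
    """Rewrite an envelope sender: jason@myhost.com -> prvs=jason=<tag>@myhost.com."""
    local, domain = addr.rsplit("@", 1)
    day = today % 1000            # 'today' is a day counter, e.g. days since the epoch
    return f"prvs={local}={day:03d}{_mac(day, local, domain, key)}@{domain}"

def verify_recipient(rcpt: str, today: int, key: bytes = SECRET):
    """Return the original address if the tag is valid and fresh, else None."""
    local_part, _, domain = rcpt.rpartition("@")
    if not local_part.lower().startswith("prvs="):
        return None               # untagged recipient
    local, sep, tag = local_part[5:].rpartition("=")
    if not sep or len(tag) != 9 or not tag.isascii() or not tag[:3].isdigit():
        return None               # malformed tag
    day = int(tag[:3])
    if (today - day) % 1000 > MAX_AGE_DAYS:
        return None               # expired, or dated in the future
    if not hmac.compare_digest(tag[3:].lower(), _mac(day, local, domain, key)):
        return None               # tag was not produced with our key
    return f"{local}@{domain}"

def accept_rcpt(mail_from: str, rcpt: str, today: int) -> bool:
    """Only mail with the null sender (MAIL FROM:<>) must carry a valid tag."""
    if mail_from != "":
        return True               # ordinary mail is not subject to the check
    return verify_recipient(rcpt, today) is not None
```

Because only the envelope sender is rewritten, a genuine bounce comes back addressed to the tagged form and passes, while backscatter from a forged run is addressed to the plain `jason@myhost.com` and fails.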

david.shoesmith
Level 1

I voted Yes. Although I do have a case logged with Ironport regarding this. See my thread about Problem with Bounce verification.
Since we implemented Bounce verification we have seen a huge reduction in what I call Bounce spam. We were getting hit fairly hard with this and turning on bounce verification has helped.

Regards,

David

santoshkumar
Level 1

Can anyone help: if I enable bounce verification, will it affect distribution IDs that have sending restrictions for some users in MS Exchange, i.e. will mail sent by those authorised users also get bounced?
I am using one C350 only for incoming and internal traffic, and a second IronPort ESA C350 only for outgoing emails.

Thanks
Santosh

david.shoesmith
Level 1

As long as both the ESAs have the same tag configured you should have no problem.
However, it might be a good idea just to test it on a few accounts first to make sure all is working as it should.

I have found that I have had to turn off Bounce Verification for some destinations as users who are members of lists are unable to send because the list server does not recognise the sending address.

Regards,

David

Just an update from my end of things. I have enabled this now and can confirm it's working great for us. I have had to exclude a couple of domains from it for troubleshooting but otherwise all good. Nice feature :)
