Why an empty MAIL FROM address can sent out email?
Solution 1:
The empty MAIL FROM
is used for delivery status notifications. Mail servers are required to support it (RFC 1123 section 5.2.9).
It’s used primarily for bounce messages, to prevent an endless loop. When MAIL FROM
is used with an empty address (represented as <>
), the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.
Without this, it might be possible for someone to DoS you simply by faking a message to a non-existent user at another domain, with a return address of a non-existent user at your own domain, resulting in a never-ending loop of bounce messages.
What would happen if you block messages with an empty MAIL FROM:
?
- Your users would not get bounce messages from other domains: they would never know if they made a typo when sending mail to a user at another domain.
The empty MAIL FROM:
messages that you are seeing are probably not coming from a spammer.
Instead, a spammer has faked an address at your domain and used it as the return address for a message to another domain. Let’s say you are yourdomain.com
and my domain is mydomain.net
. The spammer sends a message to [email protected]
, faking the return address as [email protected]
. Since there is no user johnq
in my domain, my mail server sends a bounce message (MAIL FROM:<>
) to the apparent sender, [email protected]
. That is what you are probably seeing.
Blocking empty MAIL FROM
messages will do more harm than good, in my opinion. Spammers, in my experience, rarely use an empty MAIL FROM:
since they can easily fake a real-looking address. When the message is actual spam, there are far better ways to detect and block it, including RBLs, Bayesian filters, and SpamAssassin.
And finally, you can prevent at least some of the forgeries using yourdomain.com
by setting up proper SPF records for your domain.
Update: After looking closer at your log, someone was able to AUTH
using a valid username and password for your server. This puts it in a whole other category of trouble. However, everything I said about MAIL FROM:
still stands. 99% of the time it’s going to be the result of bounce messages.
Solution 2:
You can search option for you mail server to limit MAIL FROM to authenticated user e-mail. Many mail systems apply that limitation.
And so,force hacked users to change password.