In SMTP, how does one choose between "Accept than Bounce" vs "Bounce at the edge"?

email smtp rfc

There seems to be a variety of implementations of SMTP that either immediately reject a message, and others that do an accept, then bounce the message.

Operationally, the accept-than-bounce is a little harder to use since the headers are usually more complex.

  • What are some reasons someone would use an accept than bounce, or a bounce immediately architecture?

  • What are some examples of faulty thinking? (e.g. accept than bounce can detect invalid email addresses if a unique sender is set .. VERP)


The preferred option is to bounce immediately at the Internet gateway. This results in a failure for the server (most likely a spambot) that you are rejecting. However, it is simpler to use this to check for the existence of an email address.

Accept and bounce is simpler for the Internet gateway, but generates back scatter spam. In effect, you make your server assist in distributing spam. This is because it is easy to forge the addresses used to route the bounce message. This approach can make it more difficult to determine if an address is valid as you need to use a valid email address as the sender.

The VRFY option was originally intended to be used to verify the existence of an address. It worked well when the system administrators more or less knew each other. Now that almost anyone can setup a mail server, the required trust no longer exists. Various techniques can be used deal with this. Some of these are:

  • blacklisting or otherwise penalizing hosts which try to many addresses without sending a message.
  • seeding the network with email address which will only be used spammers. These can be used to identify hosts sending spam. (However, freemailers are likely to be caught by this rule.)
  • greylisting addresses. This can require multiple tries to validate an address.
  • accepting all recipients and dropping delivery to invalid addresses. At least one mail server I use does this. The server I manage does this with some recipients known to only receive spam.

Don't do accept-and-bounce, do as much filtering/rejecting at connection time as possible. This helps to prevent Backscatter Emails and Joe Jobs, and keeps unwanted email out of your mail system.

Related

Usefulness of a new stratum-1 NTP server
In resolv.conf, why do my search domains have a period after them?
How many power circuits do I have in a rack?
Determine the OS version of an OEL linux box?
puppet cert list -all: Error: header too long
How to IP restrict access to a website in IIS8,5 (Windows 2012R2)
how to avoid timeouts during server reboot
Should I need to provide a root certificate when setting SSL cert on nginx
how to choose the correct repository for new software on Centos
Is file /etc/hostname ever used for host name resolution?
What is VSS and what is it used for?
How do I shut down a Windows XP box remotely from a Linux box?