Sender Checks

Postfix, our MTA (Mail Transport Agent), provides additional rules that make decisions on how email is handled. By default, we turn these rules off, but our anti-spam system allows you to enable them.

These rules rely on the fact that most legitimate emailers will use software that conforms to RFCs (standards agreed upon and enforced by system administrators).

The rules are applied in the order listed below; that is, an email message must pass each test before the next one is applied. Any messages sent to you that are rejected by any of these rules are thrown away and these emails will NOT show up in your quarantine digests.

Each rule also has its own potential for false positives (legitimate email that is not delivered because of anti-spam rules).

Reject Unknown Clients

This setting allows you to reject email from senders that do not have a proper name tied to the IP address of their outgoing email server.

Every computer on the Internet has a unique address known as its IP address. Any server that is sending legitimate email should have its IP address tied to a domain name. This is done via a service called DNS, or Domain Name Service. Many spammers do not have any DNS information attached to their IP address, or the information is misleading.

When a server sends mail to you, we perform a reverse lookup of its IP address to see if it has valid DNS information. You can use this setting to block email sent from servers that either do not have DNS information available or have misleading DNS entries.

More information on reverse DNS checks can be found at Wikipedia.

Impact

We estimate that enabling this option may block around 1% of legitimate email but could also be effective in blocking more spam from reaching your email INBOX. This can add up to a lot of legitimate email, especially from mail servers using unreliable DNS servers or that refuse to put their reverse DNS in place correctly.

Reject Invalid or Missing Hostnames

This setting allows you to reject email from senders that provide invalid information about the hostname from which they are being sent.

When a sending server connects to our mail servers, the first thing we require it to do is identify itself. The sending server announces its hostname with a "HELO" or "EHLO" command. Most legitimate email servers include their complete domain name in this command, and that domain name is in a very specific format. Spammers often use buggy or hastily written software that does not bother to send a proper EHLO. Often, they send a single name (e.g. "server1") or a random number. This setting allows you to block email sent from servers that do not announce their hostname properly when they identify themselves.

Impact

Enabling this option is very effective at catching spam generated by computer viruses. It is not particularly effective at blocking spam overall, and can block a fair amount of legitimate email.

Reject Unknown Hostnames

This setting allows you to reject email from servers that use hostnames that don't exist.

When a sending server announces its hostname, our server checks to see if that hostname has DNS information. Many spammers know that servers will block mail from people that do not use a proper EHLO (discussed above). They try to trick those servers by sending a hostname that's formatted correctly, but doesn't actually exist (e.g. "thisisafakehostname.com"). You can use this setting to block email from servers that use fake or incorrect hostnames when they identify themselves.

Impact

This option can block a lot of legitimate email, and is not particularly effective at blocking spam. It's not recommended.

Reject Non-FQDN Hostnames

This setting allows you to block email that does not appear to be coming from a specific server at a particular hostname.

When a sending server announces its hostname, it is supposed to send the entire address of the email server, not just the domain name (e.g. mail.example.com rather than just example.com). RFC-compliant email servers send this information in a specific format, called a "Fully Qualified Domain Name" (FQDN). Many spammers do not provide complete or correct information; they send only the bare domain name. This setting allows you to block email from a sender that does not provide an FQDN.

Impact

This option can block a fair amount of legitimate email, but it also blocks a fair amount of spam that would otherwise get through.

Reject Unknown Sender Domains

This setting allows you to reject email from email addresses that aren't properly set up to receive email.

Anyone can send email from a legitimate server using any email address as their FROM address. Spam can come from a legitimate email server and from a valid user of that server, but with a deceptive or fake FROM address. Such spam would bypass all of the above checks, although it would still be traceable back to a specific user at an Internet Service Provider (ISP). We check the domain name after the @ sign in the FROM email address to see if that domain has proper DNS information.

First, our email server checks the DNS "root name servers" to see if the domain in question exists.

If the domain exists, our server then asks that domain's DNS server for its information.

If the root name servers return an error that the domain does not exist, the email will be rejected as the domain is not known.

If the root name servers state that the domain exists, but there is a problem with the server that handles DNS for that domain, our mail server asks the sending server to resend the message at a later time. The email is not rejected; it is only delayed until that DNS server starts working again. This keeps legitimate mail from being stopped because of a malfunctioning DNS server.

You can enable this option to reject email from domains that do not actually exist.
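As an added illustration of the client, HELO and sender-domain checks described in the sections above (not Postfix's own code and not part of the original page), the following Python models each rule's decision, using a constructed DNS stub table in place of real lookups; the function and table names are assumptions made for the example:

```python
import re
# One hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed stub DNS tables (an assumption, not real lookups). A lookup returns None for
# NXDOMAIN, "SERVFAIL" for a broken name server, or the list of records found.
FAKE_DNS = {"mail.example.com": ["192.0.2.10"], "example.com": ["mx1.example.com"],
            "broken.example.net": "SERVFAIL"}
FAKE_PTR = {"192.0.2.10": "mail.example.com", "198.51.100.7": "spoofed.example.org"}
fake_resolve = FAKE_DNS.get   # forward lookup (A/MX) stand-in
fake_reverse = FAKE_PTR.get   # reverse (PTR) lookup stand-in

def valid_hostname_syntax(name):
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    return all(LABEL.match(lab) for lab in labels) and not labels[-1].isdigit()

def check_client(ip, reverse, resolve):
    """Reject Unknown Clients: the IP needs a PTR name that resolves back to the same IP."""
    name = reverse(ip)
    forward = resolve(name) if name else None
    if not isinstance(forward, list) or ip not in forward:
        return "reject_unknown_client_hostname"   # no PTR, or a misleading one
    return "ok"

def check_helo(helo, resolve):
    """Apply the three HELO rules in the order the page lists them; return the first to fire."""
    if not valid_hostname_syntax(helo):
        return "reject_invalid_helo_hostname"     # e.g. "12345" or "-bad.com"
    if "." not in helo:
        return "reject_non_fqdn_helo_hostname"    # e.g. "server1"
    answer = resolve(helo)
    if answer == "SERVFAIL":
        return "450 defer"                        # name server down: ask the sender to retry
    if not answer:                                # NXDOMAIN or no A/MX records
        return "reject_unknown_helo_hostname"
    return "ok"

def check_sender(address, resolve):
    """Reject Unknown Sender Domains: 550 if the domain does not exist, 450 while its DNS is broken."""
    _, at, domain = address.rpartition("@")
    if not at or not domain:
        return "550 reject"
    answer = resolve(domain)
    if answer is None:
        return "550 reject"      # root name servers report the domain does not exist
    if answer == "SERVFAIL":
        return "450 defer"       # domain exists but its name server fails: retry later
    return "250 accept"
```

The 450 branch is the deferral the text describes: a temporary DNS failure delays delivery rather than rejecting the message outright.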

Impact

This can cause a small number of false positives because someone may send an email out using a new email address before their domain has been set up properly in DNS. It is, however, very effective at blocking spam. Because we are an ISP, and are constantly adding new domains, we do not turn it on by default.