How To Handle Excessive Amounts of Non-Delivery Reports

Sooner or later it might happen to you: a spammer or a virus is using one of your email addresses as the From: address, and you get thousands of non-delivery reports from all around the world.

Mail servers try to deliver mail as fast as possible, and so they open more than one connection to your mail server. If a server has thousands of non-delivery reports queued for you, this server alone can easily push your server to its limit with spam filtering and anti-virus checking for several hours. During this time, your legitimate incoming mail traffic might be slowed down to a trickle.

CleanMail provides the means to reduce the impact of this problem.

Using the Host Blacklist

If you take a look into the CleanMail log, or in the "top senders" list, you will usually find a pattern: only a few badly configured mail hosts are the source of these mails.

Sometimes it might help to send the administrator of these sites a mail to inform them of the errors of their ways (they could have rejected the mail outright, instead of accepting it and sending a non-delivery report to the wrong person afterwards), but this is rarely successful.

Instead, put the name or the IP address of the offending mail host onto your host blacklist. After restarting the CleanMail service, every attempt to send a message to your site from this host will fail with an error response. After a few days you can try to revoke this restriction.

The host blacklist setting also supports wild card characters. Use 11.22.33.* or similar to reject IP address ranges, or *.server-pool@somesite.tld to reject multiple servers by name.

Using the NDR Connection Limit

Unless you are a spammer yourself, any mail you send should not result in the return of more than a few non-delivery reports. Whenever a mail server tries to send you 5 non-delivery reports at the same time, it is safe to assume that you don't want to receive them. By setting HostNDRConnectionCount to a small numeric value (in the range of 1..2), only 1..2 simultaneous connections sending a non-delivery report are allowed, and all others are delayed with a temporary error response. This way, no non-delivery report is lost, while a single server can no longer use up your mail server's resources just with (in most cases useless) non-delivery reports.

Using the Connection Limit

This setting works similarly to the NDR Connection Limit setting, with the difference that the limit is not applied to non-delivery reports only, but to all kinds of mail delivered. In effect, it limits the number of simultaneous connections from the same mail server.

NAT and Traffic Limiting

If you use a firewall with network address translation (NAT), CleanMail will no longer be able to see the real host address of the incoming connection; instead, all incoming connections are forwarded from the firewall. The incoming host addresses in this case will be in one of the address ranges reserved for private networks, i.e. 10.x.x.x or 192.168.x.x.

In this case, you can use only host names when configuring the host blacklist. To prevent you from shooting yourself in the foot (by blocking all incoming mail), IP addresses in a private network will be silently ignored by CleanMail.
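As an added illustration of how the host blacklist, the NDR connection limit and the connection limit fit together (example code, not CleanMail's own), the following Python policy applies wildcard blacklist matching, ignores private addresses as described under NAT, and defers surplus NDR connections instead of dropping them. Apart from HostNDRConnectionCount, the setting names are assumptions, as is recognising an NDR by its empty envelope sender (MAIL FROM:<>, the bounce convention of RFC 5321).

```python
import fnmatch
import ipaddress
from collections import Counter

# Constructed settings for this illustration; HostNDRConnectionCount is the
# setting named on the page, the other names are assumptions.
HOST_BLACKLIST = ["11.22.33.*", "*.mx-pool.example.net", "192.168.*"]
HOST_NDR_CONNECTION_COUNT = 2   # simultaneous NDR connections per host
HOST_CONNECTION_COUNT = 10      # simultaneous connections of any kind per host

active_all = Counter()   # host -> open connections of any kind
active_ndr = Counter()   # host -> open connections delivering an NDR

def is_private(host):
    """True for private (RFC 1918) addresses, i.e. what a NAT firewall hands over."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False      # a host name, not an IP literal

def is_blacklisted(host):
    """Wildcard match against the blacklist; private IPs are never blocked,
    so the '192.168.*' entry above is harmless rather than fatal."""
    if is_private(host):
        return False
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in HOST_BLACKLIST)

def on_mail_from(host, envelope_sender):
    """Decide at MAIL FROM time. An NDR is recognised by its empty envelope
    sender (MAIL FROM:<>). Returns 'reject' (permanent error), 'defer'
    (temporary error; the sender keeps the message and retries later) or
    'accept' (a slot is taken until on_close is called)."""
    if is_blacklisted(host):
        return "reject"
    if active_all[host] >= HOST_CONNECTION_COUNT:
        return "defer"
    is_ndr = envelope_sender == ""
    if is_ndr and active_ndr[host] >= HOST_NDR_CONNECTION_COUNT:
        return "defer"
    active_all[host] += 1
    active_ndr[host] += is_ndr
    return "accept"

def on_close(host, envelope_sender):
    """Release the slots taken by an accepted delivery."""
    active_all[host] -= 1
    active_ndr[host] -= (envelope_sender == "")
```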

Closing Remarks

Your feedback is welcome! Please submit hints and suggestions to .