Backscatter by Misdirected Autoresponders - How to prevent this abuse
RFC 3834 states in Section 2 (When (not) to send automatic responses):
"An automatic responder MUST NOT blindly send a response for every message received. In practice there are always reasons to refuse to respond to some kinds of received messages,
e.g., for loop prevention, to avoid responding to "spam" or viruses, to avoid being used as a means to launder or amplify abusive messages, to avoid inappropriately revealing
personal information about the recipient (e.g., to avoid an automatic indication that a recipient has not read his mail recently), and to thwart denial-of-service attacks against
the responder. The criteria for deciding whether to respond will differ from one responder to another, according to the responder's purpose. In general, care should be taken to
avoid sending useless or redundant responses, and to avoid contributing to mail loops or facilitating denial-of-service attacks."
That means you are only allowed to send automatic responses if you know for sure that the sender is authentic.
Most autoresponders available at this time are incapable of doing so, and therefore using them is a bad idea that can result in a listing at ips.backscatterer.org.
There are at this time only 5 conditions under which you can safely assume the sender is authentic:
1. If the mail is only local and no external servers were involved (Local Intranet Mail).
2. If the server that delivered the mail to you is an MX for the claimed sender domain.
3. If the domain part of the claimed sender address is part of the PTR of the IP which delivered the mail to you.
4. If the claimed sender domain uses trusted signatures such as DKIM (DomainKeys) and the sender is authenticated by that signature or key.
5. If the claimed sender domain has SPF records set and the IP which delivered the mail to you is EXPLICITLY authorized in the SPF record.
EXPLICITLY means you must ignore weak SPF settings like "~all" or "+all" and handle those weak settings as if they were "-all".
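The five conditions above can be turned into a gate that an autoresponder consults before replying. The following is an added example written for this page; it is not code from backscatterer.org or from any autoresponder product. All DNS data is constructed inline so the check runs offline (a real deployment would query DNS), the DKIM verdict of condition 4 is assumed to come from an upstream verifier and is passed in as a boolean, condition 1 is approximated by "the delivering IP is on a private or loopback network", and the SPF parser deliberately ignores "all" whatever its qualifier and does not follow "include", so anything it cannot prove fails closed.

```python
import ipaddress

# Constructed DNS data for the example: these are not real records.
FAKE_DNS = {
    "MX":  {"example.org": ["mail.example.org"]},
    "A":   {"mail.example.org": ["203.0.113.10"]},
    "PTR": {"198.51.100.7": "smtp3.example.net"},
    "TXT": {
        "example.org":  "v=spf1 ip4:203.0.113.0/24 a:mail.example.org ~all",
        "weak.example": "v=spf1 +all",
    },
}

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(rtype, name):
    """Stand-in resolver over FAKE_DNS; a real deployment would query DNS here."""
    return FAKE_DNS[rtype].get(name.lower())


def is_local(ip):
    """Condition 1 (simplified): the delivering host is on a private/loopback net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def delivered_by_sender_mx(ip, domain):
    """Condition 2: the delivering IP is an address of one of the domain's MX hosts."""
    for host in lookup("MX", domain) or []:
        if ip in (lookup("A", host) or []):
            return True
    return False


def ptr_matches_domain(ip, domain):
    """Condition 3: the PTR name of the delivering IP lies in the sender domain."""
    ptr = lookup("PTR", ip)
    if not ptr:
        return False
    ptr = ptr.lower()
    return ptr == domain or ptr.endswith("." + domain)


def spf_explicit_pass(ip, domain):
    """Condition 5: the IP must match an explicit positive mechanism.  The
    trailing 'all' is ignored whatever its qualifier, so '+all' and '~all'
    never authorize anything.  'include'/'exists'/'ptr' are not followed
    here and therefore fail closed (a conservative simplification)."""
    txt = lookup("TXT", domain)
    if not txt or not txt.lower().startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue                       # only 'pass' mechanisms authorize
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return True
        elif mech == "a":
            if ip in (lookup("A", arg or domain) or []):
                return True
        elif mech == "mx":
            if delivered_by_sender_mx(ip, arg or domain):
                return True
    return False


def may_autorespond(sender, delivering_ip, dkim_pass=False):
    """Return the name of the first condition that proves the sender authentic,
    or None, in which case no automatic reply must be sent.  `dkim_pass` is
    the verdict of an upstream DKIM verifier (condition 4), assumed here."""
    _, at, domain = sender.rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return None                        # no usable sender domain at all
    checks = (
        ("local", lambda: is_local(delivering_ip)),
        ("mx",    lambda: delivered_by_sender_mx(delivering_ip, domain)),
        ("ptr",   lambda: ptr_matches_domain(delivering_ip, domain)),
        ("dkim",  lambda: dkim_pass),
        ("spf",   lambda: spf_explicit_pass(delivering_ip, domain)),
    )
    for name, check in checks:
        if check():
            return name
    return None


if __name__ == "__main__":
    for args in (("alice@example.org", "203.0.113.10"),
                 ("bob@example.org", "203.0.113.55"),
                 ("carol@example.net", "198.51.100.7"),
                 ("dave@weak.example", "192.0.2.9"),
                 ("eve@example.org", "192.0.2.9")):
        print(args, "->", may_autorespond(*args))
```

The design choice worth noting is in `spf_explicit_pass`: a sender whose domain publishes only "+all" (dave@weak.example in the constructed data) gets no reply even though a standard SPF evaluation would return "pass", because the catch-all is never treated as proof of anything, exactly as the note on "~all" and "+all" above requires.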
In any other case you are at the highest risk of being listed at ips.backscatterer.org if you send automatic answers.
This explains why we see it as abusive to send automatic responses if you have no proof that the sender is authentic:
In this day and age more than 90% of all emails are spam, so the chance of your responder being triggered by a spam mail is between 0% and 90%, depending on the spam filter you are using.
No spam filter is perfect. If even one spam mail has ever been delivered to your inbox, then it is also possible that a spam mail will reach your autoresponder. Spam is not just sent to you: the same
spam mail that reached you will also be received by millions of other users out there.
Those defending autoresponders are mostly reluctant to see that the resulting problem is not the one response they send to an email address. They cannot imagine that the spammer sent the
spam to millions of others too, and that the other active autoresponders may also answer to the same forged email address, which can easily lead to a DDoS against the poor victim of the forgery.
Would you like to find millions of emails in your inbox in which people unknown to you inform you that they are on vacation?
Exactly that happens to the poor victims of forgeries every day, because some people think they can't live without their abusive autoresponders.
The fact that stupid software like autoresponders is available doesn't mean you have to use it, and the fact that others are using such crap doesn't make you any less abusive.
Therefore we have chosen to exclude such selfish abusers from our inboxes and the inboxes of our users.