by beached_whale 351 days ago
Another thing, set your mail readers to never automatically download images. This prevents the senders from knowing if/when/where from/and how often you read their message. There's always a button to download the linked images but it's surprising how often it isn't needed. I do wish more mail clients had allow and deny lists for this function.

And also disable MDNs [1] in stand-alone email clients and discard them in MTAs if your user-base is cool with it.

    # grep MDN /etc/postfix/header_checks
    # WARN only logs a match; change WARN to DISCARD to drop the message.
    /^Subject: MDN: /                 WARN MDN_Seen_1000
    # The next two are header names, not Subject prefixes. They appear in the
    # ORIGINAL message that asks for a receipt, so DISCARD here drops that mail;
    # IGNORE would strip just the header instead.
    /^Read-Receipt-To: /              WARN MDN_Seen_1001
    /^Disposition-Notification-To: /  WARN MDN_Seen_1002
    /^Message-ID: \<receipt/          WARN MDN_Seen_1003
    /^Subject: Read: /                WARN MDN_Seen_1004
Using WARN as a testing example; change to DISCARD to drop them.

[1] - https://en.wikipedia.org/wiki/Return_receipt

Why though? Sometimes it is useful to know whether the mail got delivered, i.e. for handing in assignments. Also the read notification is only sent on recipient wish.
You cannot depend on it, and trackers/scammers/... use it as a way to see if your address is actually alive or not.
DSNs (Delivery Status Notifications) are absolutely useful, otherwise they never would have been created. Read-replies and out-of-office auto-replies that reply to non-corporate primary domains are used to validate email addresses for spammers. Even DSNs can be abused this way. Older versions of Exchange would not limit out-of-office replies to the corporate domains.

One can drop read-replies and even out-of-office auto-replies without dropping specific DSNs. It is up to each organization how they wish to handle these. Some financial institutions will go full BOFH (Bastard Operator from Hell), like me, and some will cherry pick what goes through, such as limiting responses to employees. Some will let everything through to justify the purchase of their anti-spam, anti-malware third party service. I was brought into existence in the 2150th level of hell.

So the cool thing about such rules is that one can cherry pick whichever meets the needs and requirements of their organization, and this is just the beginning of what one can do. The first step in this process is to enable logging of Subjects, Attachment Names / Sizes, FCrDNS and others to syslog, then start building reports to see what is leaking out of one's organization and what nonsense is flooding one's organization. Some DLP (Data Loss Prevention) appliances can do some of this too, but they can be pricey and may leak data to yet another third party. As a proper BOFH I keep logs in-house. Logging to a third party can get extra painful with newer privacy laws in some countries.

I always front-end exchange servers with multiple Postfix servers with large queues so that work can be done without losing things, extra logging can be enabled and extra anti-spam capabilities can be enabled or added.
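The distinction drawn above (keep DSNs, drop read receipts and out-of-office replies, and treat a read-receipt *request* as an ordinary message) is easy to get wrong in header_checks because DSNs and MDNs share the same `multipart/report` content type. The script below is an added example, not code from the thread or from Postfix: it classifies raw messages into those classes using the RFC 3464/8098 `report-type` parameter, the RFC 3834 `Auto-Submitted` header and the Subject prefixes the thread's rules match on, then applies a per-class policy. The `POLICY` table, the subject-prefix list for auto-replies and all sample messages are constructed assumptions for the example.

```python
"""Classify mail as DSN / MDN / auto-reply / MDN-request / normal and apply a
policy: deliver DSNs, discard receipts and auto-replies, and strip (rather
than discard) the receipt-request headers from ordinary mail.
Added example; sample messages are constructed, not captured traffic."""
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# Headers that ask the recipient's client to send a read receipt.  They live
# in the ORIGINAL message, so discarding on them would lose real mail.
MDN_REQUEST_HEADERS = ("Disposition-Notification-To", "Read-Receipt-To",
                       "Return-Receipt-To")

# Assumed policy table for the example (what an MTA filter does per class).
POLICY = {
    "dsn": "deliver",               # bounce / delivery status: keep
    "mdn": "discard",               # read receipt going back to a sender
    "auto-reply": "discard",        # out-of-office style reply
    "mdn-request": "strip-header",  # ordinary mail that asks for a receipt
    "normal": "deliver",
}


def classify(raw: str) -> str:
    """Return one of the POLICY keys for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()  # always lower-cased by the email package
    report_type = str(msg.get_param("report-type") or "").lower()
    subject = msg.get("Subject", "")
    auto_submitted = msg.get("Auto-Submitted", "").lower()

    # RFC 3464 DSNs and RFC 8098 MDNs are both multipart/report; only the
    # report-type parameter tells them apart.
    if ctype == "multipart/report":
        if report_type == "delivery-status":
            return "dsn"
        if report_type == "disposition-notification":
            return "mdn"
    # Subject prefixes some clients put on receipts (same as the thread's rules).
    if subject.startswith(("MDN:", "Read:")):
        return "mdn"
    # RFC 3834 marks automatic replies; the subject prefixes are an assumption.
    if auto_submitted.startswith("auto-replied") or subject.lower().startswith(
            ("out of office", "automatic reply", "autoreply")):
        return "auto-reply"
    if any(h in msg for h in MDN_REQUEST_HEADERS):  # header lookup is case-insensitive
        return "mdn-request"
    return "normal"


def apply_policy(raw: str) -> Tuple[str, str, Optional[str]]:
    """Return (class, action, message to deliver or None if discarded)."""
    kind = classify(raw)
    action = POLICY[kind]
    if action == "discard":
        return kind, action, None
    msg: Message = message_from_string(raw)
    if action == "strip-header":
        for header in MDN_REQUEST_HEADERS:
            del msg[header]  # removes every instance of that header
    return kind, action, msg.as_string()


# Constructed sample messages, one per class.
SAMPLES = {
    "bounce": ("From: MAILER-DAEMON@mx.example.net\nTo: alice@example.org\n"
               "Subject: Undelivered Mail Returned to Sender\n"
               'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
               "\n--b1\nContent-Type: text/plain\n\nUser unknown\n--b1--\n"),
    "receipt": ("From: bob@example.net\nTo: alice@example.org\n"
                "Subject: Disposition notification\n"
                'Content-Type: multipart/report; report-type=disposition-notification; boundary="b2"\n'
                "\n--b2\nContent-Type: text/plain\n\nYour message was displayed.\n--b2--\n"),
    "read_prefix": ("From: bob@example.net\nTo: alice@example.org\n"
                    "Subject: Read: Quarterly report\nContent-Type: text/plain\n\nRead.\n"),
    "out_of_office": ("From: bob@example.net\nTo: alice@example.org\n"
                      "Subject: Automatic reply: Quarterly report\n"
                      "Auto-Submitted: auto-replied\nContent-Type: text/plain\n\nI am away.\n"),
    "request": ("From: bob@example.net\nTo: alice@example.org\n"
                "Subject: Quarterly report\nDisposition-Notification-To: bob@example.net\n"
                "Content-Type: text/plain\n\nPlease confirm you got this.\n"),
    "normal": ("From: bob@example.net\nTo: alice@example.org\n"
               "Subject: Lunch?\nContent-Type: text/plain\n\nNoon?\n"),
}


def summarize() -> dict:
    """Map each sample name to the (class, action) the policy assigns it."""
    return {name: apply_policy(raw)[:2] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, action) in summarize().items():
        print(f"{name:13s} -> {kind:12s} {action}")
```

Note that the "request" sample is delivered with its `Disposition-Notification-To` header removed, which is the effect a Postfix `IGNORE` action has for that header, whereas `DISCARD` on the same pattern would drop the sender's message outright.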

Aren't auto-replies set up by your users voluntarily? Would really annoy me if the server admin is working against his users.

A spammer still knows whether an address exists, because otherwise the mail would bounce. Unless you also block those? Would that even be an RFC-conformant server? So if I send a mail to your server and have a typo in the address, I wouldn't even know? That sucks, even more so since a lot of communication is nowadays forced into email and it is silently assumed by laymen that every message has arrived.

Also do you think a spammer cares if your address actually exists? I would expect them to send millions of messages regardless. Curating the addresses would mean that they need to actually spend resources. Given the already low conversion rate, non-existing addresses are just noise. Unless you think about targeted phishing? In this case they probably know your address already.

> Would really annoy me if the server admin is working against his users.

I did mention in the top post, "if your user-base is cool with it." Not everyone is, and that's why I leave it up to the majority. In places that had mismanaged email for decades it can be a welcome change. In one company I brought the spam down from about 50K+ spam messages per hour to a dozen per day spread across the entire company. It was not without some pain, especially for the executives that had buddies spawning third party companies out of their garages, but I told them to suck it up. The users were overjoyed to finally be able to use email again since they depended on it to do their daily job.

> Also do you think a spammer cares if your address actually exists?

They do and don't. The cost to them is nothing in terms of resources since they are using infected computers to do most of the work but if they have too many dead addresses it is easier for junior admins and cheap anti-spam software to spot them which can mean most of their spam ends up unseen. Proofpoint is just one example of software that can spot this and instantly start sending all their emails to quarantine. For existing employees that had their email address leaked by out-of-office messages and other notifications they had to rely on my anti-spam measures and third parties in companies that permitted this. New employees benefited more from these measures.

Some of the RFCs are conditionally ignored by the big providers and it annoys me just as much as I am sure it annoys you, because there are timeouts they artificially shorten well below the RFC "must" values, vs. "should". The rate limits on the big providers are also obscenely low. This is mostly the big "free" providers, which are anything but free. Yes, targeted phishing is its own massive topic. I was the number two recipient of targeted phishing at one company and I did not see any of it thanks to Proofpoint, but they generated some nifty reports. I'm glad they took care of it because one of my hobbies is tracking down shady people IRL and that quickly turns into a time sink. Now that I am retired I can spend unlimited time finding the shifty individuals.

Any way to add something like this to Fastmail's sieve system? Thanks.
Ooh, good point, I ensure read receipts are disabled too. What a bad feature these days.
And use https://www.emailprivacytester.com to test that your email client is configured correctly
What’s interesting to see here is Apple’s "Protect Mail Activity" option working as advertised.

Loading images through their servers and throwing off the tracking software.

It still says you loaded it though.
What Apple does is load all images in all emails on their server, instantly when they arrive, before you open the email or not. So the sender can't know if you saw the email and track email open rates.

I think Gmail does the same now too, I tested that site with my Google Workspace address, it got hard spam filtered (never even reached the spam folder) but it still saw 3 image loads from a google server.

Also does not work with fastmail.com addresses.
Was a local error. Fixed now
> fastmail.com addresses

Curious, what was the result for fastmail.com addresses?

An "ERR connection refused"-like error. I guess Gmail doesn't like them.
Sorry about that. Try again now