[Bender]

DSN's Delivery Status Notifications are absolutely useful otherwise they never would have been created. Read-replies and out of office auto-replies that reply to non corporate primary domains are used to validate email addresses for spammers. Even DSN's can be abused this way. Older versions of Exchange would not limit out-of-office replies to the corporate domains.

One can drop read-replies and even out-of-office auto-replies without dropping specific DSN's. It is up to each organization how they wish to handle these. Some financial institutions will go full BOFH Bastard Operator from Hell, like me and some will cherry pick what goes through such as limiting responses to employees. Some will let everything through to justify the purchase of their anti-spam, anti-malware third party service. I was brought into existence in the 2150th level of hell.

So that is the cool thing about such rules is that one can cherry pick whichever meets the needs and requirements of their organization and this is just the beginning of what one can do. The first step in this process is to enable logging of Subjects, Attachment Names / Sizes, FCrDNS and others to syslog then start building reports to see what is leaking out of ones organization and what nonsense is flooding ones organization. Some DLP's Data Loss Prevention appliances can do some of this too but they can be pricey and may leak data to yet another third party. As a proper BOFH I keep logs in-house. Logging to a third party can get extra painful with newer privacy laws in some countries.

I always front-end exchange servers with multiple Postfix servers with large queues so that work can be done without losing things, extra logging can be enabled and extra anti-spam capabilities can be enabled or added.

[1718627440]

Aren't auto-replies set up by your users voluntarily? Would really annoy me if the server admin is working against his users.

A spammer still knows whether an address exist, because otherwise the mail would bounce. Unless you also block those? Would that even be an RFC-conformant server? So if I send a mail to your server and have I typo in the address, I wouldn't even know? That sucks, even more so, since a lot of communication is nowadays forced into email and it is silently assumed that every message has arrived by laymans.

Also do you think a spammer cares if your address actually exists? I would expect them to send millions of messages regardless. Curating the addresses would mean that they need to actually spend resources. Given the already low conversion rate, non-existing addresses are just noise. Unless you think about targeted phishing? In this case they probably know your address already.

[Bender]

Would really annoy me if the server admin is working against his users.

I did mention in the top post, "if your user-base is cool with it." Not everyone is and that's why I leave it up to the majority. In places that had mismanaged email for decades it can be a welcome change. In one company I brought the spam down from about 50K+ spam messages per hour down to a dozen per day spread across the entire company. It was not without some pain especially for the executives that had buddies spawning third party companies out of their garages but I told them to suck it up. The users were overjoyed to finally be able to use email again since they depended on it to do their daily job.

Also do you think a spammer cares if your address actually exists?

They do and don't. The cost to them is nothing in terms of resources since they are using infected computers to do most of the work but if they have too many dead addresses it is easier for junior admins and cheap anti-spam software to spot them which can mean most of their spam ends up unseen. Proofpoint is just one example of software that can spot this and instantly start sending all their emails to quarantine. For existing employees that had their email address leaked by out-of-office messages and other notifications they had to rely on my anti-spam measures and third parties in companies that permitted this. New employees benefited more from these measures.

Some of the RFC's are conditionally ignored by the big providers and it annoys me just as much as I am sure it annoys you because there are timeouts they artificially shorten well below the RFC "must" values vs, "should". The rate limits on the big providers are also obscenely low. This is mostly the big "free" providers which are anything but free. Yes targeted phishing is its own massive topic. I was the number two recipient of targeted phishing at one company and I did not see any of it thanks to proofpoint but they generated some nifty reports. I'm glad they took care of it because one of my hobbies is tracking down shady people IRL and that quickly turns into a time sink. Now that I am retired I can spend unlimited time finding the shifty individuals.