Some customers have expressed concern about the automatic quarantining of outbound auto-response messages with null Mail-From addresses. We wanted to address this as quickly as possible, while still keeping in place an effective posture to guard against the blacklisting that can result from allowing these messages through our service.
As you may have seen in our previous post on the subject, we are disinclined to continue allowing messages with null Mail-From addresses outbound through our service by default. This is because we have recently seen markedly increased sensitivity to backscatter from larger blacklisting services like SORBS, and almost all of the outbound messages we see with a null Mail-From address (upwards of 90% of such messages) are responses to spam messages. Because they are frequently directed to spoofed addresses, these messages significantly increase the risk of being blacklisted, even though they may be standard auto-replies without any nefarious content.
To keep preventing backscatter while also addressing the need for legitimate auto-replies, we have taken two additional steps.
First, any messages with null Mail-From addresses will be delivered outbound from our service via different IP addresses from normal outbound traffic. These IP addresses are essentially a higher-risk pool (and are more likely to become and remain blacklisted), but they will only be used for high-risk outbound traffic, namely auto-replies and releases from outbound quarantine.
Second, our support team, upon request, can change the default handling of outbound messages with null Mail-From addresses, such that those messages can be allowed through (via the higher-risk IP address pool) by default rather than quarantined.
This approach allows us to address the concerns of customers or partners where the auto-replies are both necessary and use a null Mail-From address, while still allowing us to minimize the possibility of blacklisting legitimate outbound traffic due to DSN messages.
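The handling described above, expressed in Python as an added example; this is not the service's own code, and the pool names, `CustomerPolicy`, and the sample SMTP lines are assumptions constructed for illustration. Note that the decision keys on the envelope sender in the SMTP `MAIL FROM` command, not on the `From:` header of the message.

```python
import re
from dataclasses import dataclass

# Hypothetical labels for the three outcomes described in the post.
NORMAL_POOL = "normal-pool"
HIGH_RISK_POOL = "high-risk-pool"
QUARANTINE = "quarantine"

# "MAIL FROM:" + <reverse-path>, optionally followed by ESMTP parameters
# such as SIZE=... or BODY=8BITMIME (RFC 5321).
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^<>]*)>(?:\s+\S+)*\s*$", re.IGNORECASE)


def envelope_sender(mail_from_line: str) -> str:
    """Return the reverse-path of a MAIL FROM command ('' is the null sender)."""
    m = _MAIL_FROM.match(mail_from_line.strip())
    if m is None:
        raise ValueError(f"not a MAIL FROM command: {mail_from_line!r}")
    return m.group(1).strip()


@dataclass
class CustomerPolicy:
    # False mirrors the default: null-sender mail is quarantined.
    # Support can switch it to True on request.
    allow_null_sender: bool = False


def route_outbound(mail_from_line: str, policy: CustomerPolicy,
                   released_from_quarantine: bool = False) -> str:
    """Choose the delivery path for one outbound message."""
    null_sender = envelope_sender(mail_from_line) == ""
    if released_from_quarantine:
        return HIGH_RISK_POOL      # releases never use the normal IPs
    if not null_sender:
        return NORMAL_POOL         # ordinary traffic keeps the clean pool
    return HIGH_RISK_POOL if policy.allow_null_sender else QUARANTINE


if __name__ == "__main__":
    # Constructed sample commands, not captured traffic.
    for line in ("MAIL FROM:<user@example.com>", "MAIL FROM:<> SIZE=2048"):
        for policy in (CustomerPolicy(), CustomerPolicy(allow_null_sender=True)):
            print(f"{line!r:32} {policy} -> {route_outbound(line, policy)}")
```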
We strongly recommend enabling out-of-office replies or other auto-response messages only for mailboxes that have filtering in place, and only when necessary. Avoiding auto-replies whenever possible will reduce the reputational risk to our IP addresses, customer IP addresses, and customer domain names.
Thanks for your attention.