Home / Blogs

How Spam Has Damaged Mail Forwarding - And Ways to Get Around It

John Levine

Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years.

Unfortunately, forwarding is yet another thing that spam has screwed up. If you just forward all the mail that arrives at a typical address, most of what you'll be forwarding is spam. From the point of view of the system you're forwarding to, you're the one sending the spam, and they're likely to block you.

Fortunately, there are some ways to mitigate the damage.

  • Configure separate outbound IPs, use one for forwarded mail, one for locally generated stuff. That way, if the forwarding goes wonky, only forwarded mail gets blocked. All of your outbound IPs should have reasonable and matching A and PTR records in the DNS. (This last bit applies whether you're forwarding or not.)
  • Use all the usual conservative DNSBLs such as Spamhaus and Spamcop to hard block mail. Their error rate is low enough that you don't have to worry about it.
  • Run the mail through Spamassassin or something similar. Some ISPs allow you to put an X-Spam-Flag: Yes header on the mail and send it along to be dropped in the user's spam folder. Most don't, in which case you should throw it away or put it in a local mail account they can check occasionally.
  • Point out to your forwarding users that it is cheap and easy to configure modern mail programs to check multiple accounts. Rather than forwarding the mail somewhere else, deliver it to a local mailbox and have them configure their mail program to pick it up along with mail from other accounts. Most webmail systems now have a way to import mail via POP (the same way desktop mail programs pick it up). Even if there's a lot of spam mixed in, it won't affect your system's outgoing reputation since you didn't send it to their incoming mail server.
  • If you control your IP ranges, sign up for feedback loops at the ISPs you forward to, so you can see what people are complaining about.

If you do these, you should get mail through to most places. The local pickup trick will get mail through to anywhere.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


Traditional courtesy forwards are likely also illegal Alessandro Vesely  –  Mar 06, 2012 1:02 PM PDT

Some countries, e.g. Australia, Canada, Europe, have rules to protect the rights of email address owners.  A dot-forward file with an external email address written in it, should be accessible by the owner of that address.

As quibblish as this may sound, that principle has the potential to kill all the murkily legal spam.  By requiring that each stored email address be notified and accessible to its owner --except personal address books-- we can bring fairness to the email business.  In fact, mailing lists, newsletters, and any case where the delivery addresses are not set interactively, are a case of forwarding that could be fixed.  See fixforwarding.org.

Huh? John Levine  –  Mar 06, 2012 1:05 PM PDT

All the courtesy forwards I know are set up at the request of the user of the address. This comment makes no sense.

I don't even understand this comment. Phil Howard  –  Mar 06, 2012 2:40 PM PDT

I don't even understand this comment.  Either an email provider provides a forwarding service or they don't.  I can't see how government regulations can require a .forward file to even be implemented, much less give email users shell access to change it.  If they offer it, they can likely provide it in a profile panel.  If I offered such a service I would limit forwarding to only domains I'm hosting.

If you have email provided to you, you should be able to close it if you wish (or they do so for non-payment if it is a paid service).  Or just leave the account open as you tell everyone to use your new email, and read from both as in the 4th suggestion.

Sorry I wasn't clear Alessandro Vesely  –  Mar 07, 2012 10:46 AM PDT

IANAL, but I don't think laws differentiate dot-forwards from mailing lists.  The same obligations to prove opt-in and give opt-out information hold.  Indeed, that's what full blown vanity email address providers do.

The fourth of John's suggestions above is more internationally valid than the others.

To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

New Feature in PowerMTA v4.5: IP Based Rate Limiting

Case Study: Emergency Response Systems Rely on Timely Messaging Through PowerMTA

Port25 Announces Next Major Release of Its Email Delivery Solution, PowerMTA

Case Study: How PowerMTA Transparent Deliverability Metrics Paves Way for Email Service Provider

Case Study: MailChimp Achieves Efficient Execution and Reliability with PowerMTA

Case Study: Emma Swaps Its SMTP Infrastructure for PowerMTA to Handle Growing Mail Volume

Case Study: Email Service Provider GetResponse Scales with PowerMTA

Case Study: How PowerMTA Helped Forfront With Its Growing Message Volume

Hybrid Cloud Proves Clouds Are Worthy of Email Infrastructure

Non-English "IDN Email" Addresses Are Finally Working!

A Look Inside Dyn's 1.2 Billion Monthly Email Delivery Statistics

Dyn to Host Email Analytics Webinar With Ongage

Dyn Adds Claudia Santoro, Dave Connors and Andrew Sullivan to Technical Team

Dyn Receives $38M Investment from North Bridge

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

MarkMonitor Fraud Intelligence Report, Q4 2011

MarkMonitor Fraud Intelligence Report Released for Q2 2011

Sponsored Topics