KBA-01900

Configuring Backscatter Protection options in SecurityGateway

This article explains how to configure SecurityGateway to use Backscatter Protection, which protects users from unwanted email 'backscatter': error messages sent from remote servers due to email sent by spammers or viruses with a forged return-path address of local users on your domain(s). Backscatter Protection adds an encrypted key to the start of the sending address in the Return-Path header, and non-delivery error messages that do not have this key in the address will be rejected.

From the Dashboard, after logging in:

  1. Click on Security in the lower-left corner
  2. Locate the Anti-Spam section 
  3. Click on Backscatter Protection

You may then configure the following options:

  • Enable Backscatter Protection

    SecurityGateway will send out all outgoing messages with the generated encryption-key included in the return-path address, and verify returned messages for the key to verify they were sent originally from the server. This option is disabled by default.

  • Reject messages that fail Backscatter Protection verification

    When enabled, this will stop SecurityGateway from accepting any returned-mail error messages sent to it from remote servers if they do not have the current encrypted-key provided in the return-path of valid messages. Note that SecurityGateway keeps track of these messages, even if they are not accepted. This is enabled by default.

  • Create new Backscatter Protection encryption key every xx days

    SecurityGateway will create a new encryption key every number of specified days, so that spammers will not be able to add this to the return-path of the messages that they send out. By default, this is set to 30 days, and is enabled.

  • Retain previous Backscatter Protection encryption key for xx days

    If a new Backscatter Protection key is created, either manually or automatically by SecurityGateway itself, the server will still honor messages with the old key for this many days. By default, this is set to 7 days, and is enabled.

You may generate a new Backscatter Protection key at any time by clicking the link in the settings. Do not do this too often, however, as it can cause legitimate returned messages to be refused if they have an outdated key.

Additional Comments

Any settings made affect all domains on the server. There is no option to setup Backscatter Protection for specific domains.