Kill The Catch-All

Don't Use Catch-All Mailboxes

Let's say you have a lovely domain, called example.org. You have some very stupid clients, and you don't really trust them to remember email addresses, so you decide to create a catch-all mailbox. So, if somebody emails dave@example.org - it'll go to Dave's mailbox. If somebody emails bob@example.org - it goes to Bob. Easy enough so far. But what about Mary-Anne? Will people email mary-anne or mary.anne or marianne or marion? You're not sure. So you create a catch-all: anything addressed to example.org that doesn't match a known mailbox ends up in the catch-all mailbox instead of being refused. And you can get some Office Junior, or a YTS bod, to trawl through it once or twice a day.

So far, so good. You've picked up a couple of stray emails that were sent to slaes@... and marianne@...
But then, one day, things take a turn for the worse.

Some spammer has picked example.org to spoof emails from. Not only are you getting replies from angry people demanding that you stop spamming them - you're getting 1,000 bounce messages per hour from other people's mail servers, for mail you never sent. Each bounce is addressed to whatever made-up sender the spammer put before the @ sign, and because you have a catch-all, your server accepts every single one of them.

Your poor mail server is struggling under the load and your real emails are being delayed for hours while it sorts out this sorry mess. Your ISP might even decide to put some extra limits on your bandwidth, causing all your Internet traffic to grind to a halt until you can convince them otherwise.
You may even get blacklisted by some ISPs for spamming. Apart from being unable to email certain people, there's the damage to your company's reputation.

Finally, the deluge of emails comes to a stop. For now. And you breathe a sigh of relief. In a day or so, your email system will be back to normal.
But you notice you're getting a huge amount of spam. Why? Well, as it happens - the spammers are just guessing what email addresses might live @example.org (a dictionary attack). They have no idea if there's a Bob, Mary, Kate or Algernon at your company. They're just sticking any old thing in before the @ sign, and a domain without a catch-all would refuse most of those guesses outright.
You don't recall setting up askdkusl@example.org - but it's getting delivered to you. With a catch-all, your mail server can't refuse it during the SMTP conversation; it has to accept it, store it, run it through the spam filter and deliver it. And the 49,999 others just like it. Once again your mail system grinds to a halt. You've got some anti-spam software on your mail server, but your mail server has to accept and examine each email in full before it can decide whether it might be spam or not. And what do you do with spam? Do you delete it instantly - or do you just flag it as spam and deliver it anyway - or do you keep it for 30 days?

Finally, that nightmare ends, too. You go to the pub for a badly-needed pint of your favourite ale. But then the pager goes. It seems somebody doesn't like Example Enterprises Ltd. You're being Joe-Jobbed. Somebody is deliberately spoofing email from your domain to addresses they know to be invalid, so that every message bounces. And your poor mail server has to deal with the thousands of bounce messages (or NDRs as we call them) that are generated, every one of them addressed to a forged sender @example.org that the catch-all dutifully accepts.

You decide to investigate third party solutions such as MessageLabs. But they won't cover your catch-all. They charge per email address. And since a catch-all means you have an unlimited number of email addresses, they want an unlimited amount of cash.

So what can you do?
Well... don't use catch-all addresses. Just don't. Let your mail server refuse mail for addresses that don't exist while the sending server is still talking to it, and if you are worried about Mary-Anne, add an explicit alias for each spelling you actually expect.
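To make the difference concrete, here is an added example (my own toy model, not code from the original post or from any real mail server): a function that decides the fate of each RCPT TO address for example.org under the two policies, plus a constructed hour of traffic mixing real mail, backscatter bounces and dictionary-attack guesses. The mailbox names, the aliases for Mary-Anne's spellings, the sender domains and the traffic sample are all assumptions made up for the illustration.

```python
# Added example: a toy model of how a mail server for example.org answers
# RCPT TO with and without a catch-all.  Not a real MTA; every name, address
# and message below is constructed for illustration.
from collections import Counter

DOMAIN = "example.org"

# Real mailboxes on the server (assumed).
MAILBOXES = {"dave", "bob", "mary-anne", "sales"}

# Explicit aliases for the spellings we actually expect, instead of a catch-all.
ALIASES = {
    "mary.anne": "mary-anne",
    "marianne": "mary-anne",
    "marion": "mary-anne",
    "slaes": "sales",          # the typo picked up from the stray-mail trawl
}

CATCH_ALL_MAILBOX = "catch-all"


def resolve_recipient(local_part, catch_all):
    """Decide the fate of one RCPT TO address.

    Returns (smtp_code, mailbox); mailbox is None when the recipient is refused.
    With catch_all=True every local-part is accepted and unknown ones land in
    the catch-all mailbox.  With catch_all=False an unknown recipient gets a 550
    during the envelope phase, before any message data is transferred, so the
    server never has to store or scan it.
    """
    lp = local_part.strip().lower()
    if lp in MAILBOXES:
        return 250, lp
    if lp in ALIASES:
        return 250, ALIASES[lp]
    if catch_all:
        return 250, CATCH_ALL_MAILBOX
    return 550, None


def rcpt_response(local_part, catch_all):
    """The reply line the sending server sees after RCPT TO."""
    code, _mailbox = resolve_recipient(local_part, catch_all)
    addr = f"<{local_part}@{DOMAIN}>"
    if code == 250:
        return f"250 2.1.5 {addr} OK"
    return f"550 5.1.1 {addr}: Recipient address rejected: User unknown"


# Constructed sample of one hour's envelopes: (MAIL FROM, RCPT TO local-part, kind).
# MAIL FROM "<>" is the null reverse-path that bounce messages (NDRs) carry.
SAMPLE_TRAFFIC = [
    ("alice@partner.example", "dave",      "legit"),
    ("carol@partner.example", "marianne",  "legit"),        # misspelt Mary-Anne
    ("carol@partner.example", "slaes",     "legit"),        # misspelt sales
    ("<>",                    "askdkusl",  "backscatter"),  # bounce for a forged sender
    ("<>",                    "xk8qwe",    "backscatter"),
    ("<>",                    "mary-anne", "backscatter"),  # forged sender that happens to exist
    ("spam@spammer.example",  "algernon",  "dictionary"),   # guessed local-part
    ("spam@spammer.example",  "kate",      "dictionary"),
    ("spam@spammer.example",  "bob",       "dictionary"),   # guess that hit a real user
]


def simulate(envelopes, catch_all):
    """Run the envelopes through resolve_recipient and tally the outcome.

    Accepted messages are the ones the server must store, spam-scan and
    deliver; rejected ones cost a single SMTP reply and are never received.
    """
    stats = {"accepted": 0, "rejected": 0,
             "delivered": Counter(), "accepted_by_kind": Counter()}
    for _sender, local_part, kind in envelopes:
        code, mailbox = resolve_recipient(local_part, catch_all)
        if code == 250:
            stats["accepted"] += 1
            stats["delivered"][mailbox] += 1
            stats["accepted_by_kind"][kind] += 1
        else:
            stats["rejected"] += 1
    return stats


if __name__ == "__main__":
    for policy in (True, False):
        s = simulate(SAMPLE_TRAFFIC, catch_all=policy)
        print(f"catch_all={policy}: accepted={s['accepted']} rejected={s['rejected']} "
              f"by_kind={dict(s['accepted_by_kind'])} delivered={dict(s['delivered'])}")
    print(rcpt_response("askdkusl", catch_all=False))
```

With the catch-all on, all nine messages are accepted and four of them (two bounces and two dictionary guesses) land in the catch-all mailbox; with it off, those four are refused at RCPT TO and only the five addressed to real users or explicit aliases are ever received. Note the two that get through either way: a bounce or a guess aimed at an address that genuinely exists still has to be accepted and filtered, so killing the catch-all removes the unbounded part of the problem, not the whole of it. The other trade-off to be aware of is that a 550 at RCPT TO tells the sender which addresses exist, which is exactly what a dictionary attacker is probing for; that is the price of not accepting everything, and it is the default behaviour of mainstream MTAs (Postfix, for instance, rejects unknown local recipients unless you set luser_relay to create a catch-all).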