Slashdot Mirror

← Back to Stories (view on slashdot.org)

DynDNS Drops Non-Delivery Reports

Posted by kdawson on from the one-less-spam-vector dept.

jetkins writes "In an email to subscribers, DynDNS announced that they will no longer deliver locally generated non-delivery reports (NDRs) from any MailHop systems. MailHop is a multi-faceted service offering in- and outbound relay services, spam and virus filtering, and store-and-forward buffering. DynDNS makes it clear that they are aware that this goes against RFC 2821 Section 3.7, but explains that in their opinion the increase in spam volume, and the use of NDRs as a spam vector, means that the value of NDRs is now far outweighed by their potential for harm. (DynDNS also points to the far greater reliability of email systems now than when the RFC was approved.) The company notes that other ISPs have quietly dropped RFC 2821-compliant NDRs. Will their public move start a flood (mutiny) of ISPs following suit? Should they have made efforts to have the standard changed instead of defying it?"

195 comments

  1. Finally, a service provider with a clue... by Eggplant62 · · Score: 4, Informative

    Well, seeing as how a friend and I have a client who's being bombarded by NDRs as a result of a joe-job on the client's domain name, it's good to know that DynDNS is copping a clue. Too bad you can't get the rest of the ISP gang on board that easily and that quickly.

    1. Re:Finally, a service provider with a clue... by jetkins · · Score: 5, Informative
      A large proportion of Joe Jobs are made possible by lame endpoint SMTP servers which accept incoming mail, close the connection, then check to see if the recipient is valid, and generate an NDR to the address specified in the headers, which are too easily forged.

      A properly-configured endpoint server should check addressee validity during the SMTP exchange, and reject the transfer before it even gets into the system, so the spammer's attempt goes nowhere and "Joe" doesn't get an unwarranted NDR.

      Of course that doesn't help proxy providers like DynDNS, unless they have some way of authenticating their clients' valid addresses in real time via a direct connection or regular updates.

    2. Re:Finally, a service provider with a clue... by r3g3x · · Score: 3, Informative

      Well, seeing as how a friend and I have a client who's being bombarded by NDRs as a result of a joe-job on the client's domain name, it's good to know that DynDNS is copping a clue

      Ignoring a problem isn't the same as fixing it... NDRs serve a useful purpose assuming the original message was actually useful. The problem isn't sending out NDRs. The problem is sending an NDR in response to spam!

      I've had to deal with the whole joe-job+NDR+DDOS scenario on several occasions... I have found that 65~80% of this garbage has already been marked as spam by the bouncer! Why in the would would you bounce a message that you _already_ know to be invalid?!?!? All this does is amplify the volume of crap being flung around...

      A sanely configured email server should not bounce on spam. Spam should be left to rot in the bottomless pit of /dev/null.

      Remember, Its not a turd fight if theres only one monkey :-)

    3. Re:Finally, a service provider with a clue... by Eggplant62 · · Score: 1

      Well, let's see. The friend consults me for help on mail problems. He says that the customer won't accept changes in his system to something more reliable and easier to configure, and since he's paying the bills and won't foot for the changes necessary, it sounds like we're living in la-la land already, so an easy solution isn't going to be easy.

      I'm certain you've seen the syndrome: Speak to the business owner and his management team about the problem in easy-to-understand terms, and their eyes glaze over like you're speaking Greek about Pythagorean theory and then decide that if it's not Microsoft Brand software, it's not gonna go into their systems. Copy there, Ace?

    4. Re:Finally, a service provider with a clue... by bvimo · · Score: 2, Insightful

      Isn't it time we changed something. Amended or created a new RFC, or design mail servers that don't talk to poorly implemented servers.

      /. commentators have spouted enough hot air about Joe Jobs, Non Delivery Receipts etc, we should stand up and do something.

      --
      In either case, here at Microsoft, we feel standards are important. And we have fun, too. Doug Mahugh, Microsoft
    5. Re:Finally, a service provider with a clue... by morcego · · Score: 2, Insightful

      Isn't it time we changed something. Amended or created a new RFC, or design mail servers that don't talk to poorly implemented servers.


      "If you think you can create a foolproof system, you are one of the fools" - No idea who I'm misquoting.
      --
      morcego
    6. Re:Finally, a service provider with a clue... by Anonymous Coward · · Score: 0

      Do you own an domains or maintain one that has a internet facing mail server?
      Set up your mail server that way.
      It will take less then a week for someone to slam everything from aaaaaaaaa@yourdomain to 999999999@yourdomain and have a list of all active addresses. This is/was very common, that is way a lot of people do not respond with an invalid user directly or immediately. There are others ways to combat the random flood, some better then others.

    7. Re:Finally, a service provider with a clue... by insertwackynamehere · · Score: 1

      So whats your suggestion, we just lay down and die without even trying?

      Just kidding :) I understand your sentiment. However, even if a new RFC was decided upon tomorrow, it would probably take 5 years to get through committee so by then it would be a brand new 2007 based RFC for 2012 :P

    8. Re:Finally, a service provider with a clue... by totally+bogus+dude · · Score: 4, Interesting

      Bunk. Even if it was true, it's still no excuse for ignoring your responsibilities.

      I run the mail servers for several domains, and brute-force attacks just don't happen. It's fairly obvious why, if you think about it. Dictionary attacks against common names are possible, but I've not seen evidence to suggest that's happening.

      Firstly, I want to get back to "responsibilities". By this I mean that anyone who's connected to the internet has a basic responsibility to make at least a good-faith attempt to prevent their system being used against other people. This goes doubly for people who intentionally run publically accessible servers (e.g. mail servers and web servers). You should treat any mail system which indiscriminately generates NDRs the same way you'd treat an open relay, because that's effectively what it is. You are deliberately making a server available which will accept mail from anyone on the internet, and send it to anyone else on the internet*. This is reckless irresponsibility.

      * - most NDR messages include at least part of the original message's text; at the very least, the subject line. So a system which generates backscatter does in fact carry some payload chosen by an anonymous third party.

      Even if brute-force attacks on your mail server's address list do occur, there are ways to mitigate the effects of it that don't turn your system into a spam engine.

      Having a look through the last 48 days logs on one of my servers, there's 2,308 addresses which were rejected because they're non-existent. The vast majority are either formerly valid addresses (i.e. of people who used to work here), or slightly mangled versions of valid addresses (presumably badly parsed). Particularly common are things starting with "3D" (presumably parsed from quoted-printable data which contains =3D) or people's surnames (smith@example.com) -- our email addresses are in the format firstname.lastname@example.com, and it would appear that some harvesters consider periods before the @ to be invalid.

      The second part highlights why brute-force is impractical: the namespace before the @ is absolutely massive, and only a tiny fraction will be valid addresses. If you have no idea what format email addresses in the target domain take, you have no choice but to try everything, and that will take far longer than a week. Add to this the proliferation of very small domains with only a handful of email addresses (i.e. personal domains, promotional domains). Even with a vast botnet, trying to harvest addresses by brute force against a mail server is so horribly inefficient as to not be worthwhile. There's much easier ways to harvest addresses.

      Then there's technical issues with that kind of harvesting. First, any reasonable mail server will start responding slower to a client which is making repeated errors, before finally shutting them off. This means you have to make lots of connections. Second, brute force or dictionary attacks stick out like a sore thumb versus normal mail traffic, making it trivial to block any IP which is trying to harvest addresses in this manner. The only possible way to do these sorts of attacks would be to use a vast distributed botnet, and even then it's not going to work. It would be easy (and fun) to build a system that watches for such attacks and blacklists any IP involved. Anyone harvesting in this way would then be betraying the IPs of most of their bots during the harvest! Then there's lots of clever things one can do: once you have a known harvester, start okaying its invalid addresses and add them to your list of spamtraps. Not only is the spammer not collecting any valid addresses, but you're poisoning their address list!

      Brute-force attacks are too easy to detect, and too easy to use against the attacker. There's much, much easier and more efficient ways to harvest email addresses. Possibly it could be used if you're targeting a specific company or domain and can do some research into their configuration, but even then there

    9. Re:Finally, a service provider with a clue... by Warbothong · · Score: 3, Interesting

      Just as an issue to note, I sent somebody a relatively important email recently from my Gmail account (accessed using Evolution via POP3 and SMTP). Around a week later I was at someone else's house and couldn't be bothered set my laptop up with their wireless system (their network is encumbered by encryption algorithms) so I used Google's webmail system to check my email. Sitting in the 'Spam' folder was a failed delivery notice from the important email I'd sent earlier (turns out the address I had used hadn't been in use for a while), it had been marked as spam only because it was a failed delivery message. Luckily the issue had already been resolved elsewhere, but with people relying on email for important communications something like this is unacceptable.

    10. Re:Finally, a service provider with a clue... by raju1kabir · · Score: 1

      I run the mail servers for several domains, and brute-force attacks just don't happen.

      Ah, well, then that's settled then.

      I am looking at the logs in real-time (tail -f) on a mail server, and I am watching the brute force spam runs fly by - many simultaneous ones from different sources interleaved, in fact, but the patterns clearly visible. What explains this, if they "just don't happen"? Alternate universe? I wonder if there is some way I could pass through Slashdot and emerge in your pleasant reality for a vacation.

      The only possible way to do these sorts of attacks would be to use a vast distributed botnet, and even then it's not going to work. It would be easy (and fun) to build a system that watches for such attacks and blacklists any IP involved.

      Over any reasonable period of time, your list of IPs will converge with the union of all dynamic IP addresses assigned to consumers.

      The most compelling evidence I have that this sort of thing doesn't help is my "catch-all" domain. I have a subdomain I use when sites request an email address; and every single address at it is valid (except for ones I specifically block). When I first set this up I felt sure I was going to be flooded with spam from brute force or dictionary attacks at this domain. That was a few years ago. I still accept anything@sub.example.com because to date, because I have yet to receive a single message which wasn't sent to a published address.

      That's nice. Last time I checked, my personal domain (registered about 10 years ago) receives over 20,000 delivery attempts to invalid addresses daily.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    11. Re:Finally, a service provider with a clue... by totally+bogus+dude · · Score: 1

      Okay, fair enough -- brute-force attacks do happen. I wonder what criteria the spammers use to decide which systems to try it on? All but one of the servers I administer are in Australia, so maybe it's a regional thing. I have one in the US which is reasonably well connected, but that doesn't receive brute-force attacks either, and the domains it hosts are .org and .net, not .au ones. Is your personal domain one which someone might think hosts a lot of email accounts? I wonder if real human beings actually scan lists of domain names and pick which ones they want to try brute-forcing?

      The servers I'm looking at at the moment are pretty low volume, and reject about 5-10,000 messages a day (over the last few days). Brute-force attacks on these would be pretty obvious, but looking at the 687 addresses which were tried only once during the last 48 days, there's a vanishingly small number that don't refer to a name I recognise (and I've only been with the organisation for 2 years).

      Over any reasonable period of time, your list of IPs will converge with the union of all dynamic IP addresses assigned to consumers.

      True, but if you automatically remove addresses after a week or so it wouldn't be so bad. Plus, there's a lot of people out there who think this would be a benefit of such a system, not a drawback.

      I still think brute-force attacks are a waste of time, and only stupid spammers would try it.

      Another fairly obvious reason why accepting mail and then sending NDRs for invalid addresses is a horrible idea just occurred to me. Your personal domain receives 20,000 delivery attempts to invalid addresses daily. I'll guess that virtually all of these are from spam using made-up from addresses, and a good proportion of those from addresses will be actual email addresses belonging to innocent people.

      If your server generated NDRs for these invalid addresses rather than just rejecting them, you'd be sending thousands of NDRs to random people every single day. Which is to say, people who know their servers are subject to brute-force attacks should be even more careful to limit NDR generation than people who's mail servers aren't, rather than use it as an excuse not to.

      So, while I fully retract my ignorant assertion that brute-force attacks aren't tried anymore, I still maintain that sending nonsense backscatter to thousands of people who never even heard of your domain before is a really crappy way to "protect" your address lists. To me, "I'm too lazy to configure my server properly" is a far, far better excuse than "but if I do that the spammers will harvest all our email addresses!"

    12. Re:Finally, a service provider with a clue... by raju1kabir · · Score: 1

      I still think brute-force attacks are a waste of time, and only stupid spammers would try it.

      The economics of spamming have changed since back when they had to hold onto their "bulletproof servers" and pay for bandwidth.

      These days the spam comes from botnets which effectively give them infinite resources. If it only takes an hour to alter the spam software to do a brute force mailing in addition to running through address lists, then their investment per attempt is basically zero. So even if it's incredibly ineffective, it's still going to get a bite now and then, so it's still worth their while.

      Is your personal domain one which someone might think hosts a lot of email accounts?

      I wouldn't think so. It's a fairly strange-looking one in one of those obscure TLDs from a country with almost no actual internet users.

      If your server generated NDRs for these invalid addresses rather than just rejecting them, you'd be sending thousands of NDRs to random people every single day. Which is to say, people who know their servers are subject to brute-force attacks should be even more careful to limit NDR generation than people who's mail servers aren't, rather than use it as an excuse not to.

      Agreed. I drop those on the floor. Years ago I noticed that 99% of the lingering items in my outbound queue were undeliverable failure reports which were clearly never going to get anywhere, and never going to be of use to anyone even if they did.

      I really wish there were a way I could reject the invalid-address inbound messages as soon as they send RCPT TO, but with all the complicated arrangements for various clients on these servers it's pretty much impossible.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    13. Re:Finally, a service provider with a clue... by morcego · · Score: 2, Insightful

      My suggestion is not to try and create a "perfect" RFC, but to create one flexible enough where you can fix stuff as it appears. Specially something that is backward compatible with what we have today.

      We already moved from SMTP to ESMTP. Maybe we can go a step further, with, I don't know, ASMTP or whatever you want to call it. Then impose extra controls on messages that arrive via SMTP or ESMTP.

      In any case, there is absolutely nothing we can do about zombies, unless you want to implement some kind of "are you human" test for every single e-mail that is sent. And how could we do it between relays ?

      --
      morcego
    14. Re:Finally, a service provider with a clue... by DraconPern · · Score: 0, Troll

      Since a large percentage of email servers are linux, are you implying that linux email servers are bad to use?

    15. Re:Finally, a service provider with a clue... by Phroggy · · Score: 1

      Then there's technical issues with that kind of harvesting. First, any reasonable mail server will start responding slower to a client which is making repeated errors, before finally shutting them off. Are you saying that most reasonable MTA software currently does this by default? Or are you saying any reasonable sysadmin has probably hacked something like this together in their spare time?

      I run a pretty basic Sendmail configuration, plus some crazy custom spam-fighting stuff controlled through MIMEDefang. I'm not aware of anything that would cause it to keep track of how many errors have recently come from a particular IP. How did you set it up?
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    16. Re:Finally, a service provider with a clue... by totally+bogus+dude · · Score: 1

      I use postfix, in which it's default behaviour. Although now that you mention it, the default settings are a little more lax than I'd prefer, so I'm going to tweak them a bit. I'm not sure what version this appeared in, but it's been around for an awfully long time. I think even the version in woody had this feature.

      That said, it only tracks errors per-session; every new connection the client makes results in a reset counter. So, it could be improved. But making a new connection slows things down on its own.

      http://www.postfix.org/rate.html#slowdown

    17. Re:Finally, a service provider with a clue... by kasperd · · Score: 1

      Why in the would would you bounce a message that you _already_ know to be invalid?
      If you knew, you wouldn't. But you don't know. The only thing you know is, that you have a message with a valid recipient, which you are not going to deliver. This is the kind of thing that causes the mail system to be less reliable today. If you silently drop it, you are going to make the system even less reliable. It is bullshit when they say the mail system is more reliable today, the wide presence of spam filters make it less reliable.

      Generating a bounce when you do not deliver an email is not a problem, as long as you do it right. Yes there will be generated some spurious bounces, but those are almost trivial to identify and reject. A bounce can be identified by the empty envelope sender. And once you have identified the mail as a bounce, you can verify validity by looking for the message-id of something you have sent. So if you are able to keep track of the message-id of everything you send yourself, then you don't ever have to be bothered with spurious bounces.

      The only problem is those systems that violate the RFC by putting a sender address on their bounces. Whenever I see such a mail I wish the server would fall over from a bounce loop.

      Silently dropping mail to valid recipients is causing more harm than a correct bounce - which means empty envelope sender and include full headers of the message you are bouncing. But of course it is even better if you just refuse to receive the email and let somebody else have the hassle of generating the bounce. The earlier you can identify that a message is not going to be delivered, the more reliable you can make the system.
      --

      Do you care about the security of your wireless mouse?
    18. Re:Finally, a service provider with a clue... by nahdude812 · · Score: 1

      Actually I believe many companies purposely accept the message then send an NDR if the recipient is invalid in order to protect themselves against brute force account guessing from zombie hordes. If you immediately confirm the validity of an email address, then you can try a lot in rapid succession. If you send an NDR then you can't unless you provide a valid return address (does not mesh well with zombie hordes).

      The whole email system is horribly broken, fixes to specific problems create new problems or break existing and relied-upon functionality.

      --
      Slay a dragon... over lunch!
    19. Re:Finally, a service provider with a clue... by howardjeremy · · Score: 1

      A properly-configured endpoint server should check addressee validity during the SMTP exchange, and reject the transfer before it even gets into the system, so the spammer's attempt goes nowhere and "Joe" doesn't get an unwarranted NDR.
      ...Except that this doesn't work if there is more than one recipient specified, and some of those recipients are valid users. SMTP has no way to "selectively bounce" - you either reject for all recipients, or you accept for all recipients and then send NDRs for the subset which are undeliverable.
    20. Re:Finally, a service provider with a clue... by Snaller · · Score: 1

      So giving in to terrorists is a good idea. Great view.

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  2. What I'd like to see... by SomeJoel · · Score: 2, Interesting

    In addition to not providing NDRs, it would be great if the ISP took the following approach: If 5 or more non-deliverable messages to different addresses within the ISP's domain are received within a period of 10 minutes, then the sender's IP address should be blocked for a period of 24 hours. That, I think, would do a small bit to slow down the spam.

    --
    <Complete your profile by adding a signature!>
    1. Re:What I'd like to see... by AuMatar · · Score: 4, Insightful

      And kill mailing lists. Not all mass mails are spam.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:What I'd like to see... by wiredlogic · · Score: 1

      This scheme would be useless against a distributed botnet attack.

      --
      I am becoming gerund, destroyer of verbs.
    3. Re:What I'd like to see... by Chyeld · · Score: 2, Insightful

      as well as providing a fairly simple manner of performing DOS against a domain, simply spoof your way into seeming to be their mail server and slam in the garbage.

    4. Re:What I'd like to see... by Anonymous Coward · · Score: 1, Funny

      This scheme would be useless against a distributed botnet attack. It would be useless against a mechanical Richard Simmons attack, too.
    5. Re:What I'd like to see... by profplump · · Score: 1

      That's a non-trivial attack though -- it's not as though you can send mail with uni-directional traffic.

      In order to spoof a remote IP address you'd have to basically have to share a wire someplace between the mail server and your spoofing target, or exploit some secondary flaw on a router/host along that same path. It could be done, but there are easier ways to DoS, and most of those ways are effective beyond the single-host-to-single-mailhost-for-mail-service-on ly scope that is targeted with the attack you describe.

    6. Re:What I'd like to see... by quanticle · · Score: 1

      That's a non-trivial attack though -- it's not as though you can send mail with uni-directional traffic.

      You don't have to send mail with unidirectional traffic. You just have to make sure that the traffic doesn't point back to you. In other words, if you send mail from a botnet, you're still free and clear as long as you don't use too much of your botnet at once.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    7. Re:What I'd like to see... by profplump · · Score: 1

      That doesn't create a DoS for anyone other than your botnet, which effectively *is* you if you're using the botnet to do things on your behalf. And somehow I don't think "DoS with the scope of a single mail host" is the biggest concern of someone who's box has become part of a botnet.

      I'm not suggesting you couldn't get some box other than your own desktop blocked, or that blocking by IP would be effective at stopping spam. I was just refuting the original statement that you could use IP-scoped blocking in response to mail message content as an effective DoS attack.

    8. Re:What I'd like to see... by hughperkins · · Score: 1

      > and kill mailing-lists

      I see this argument a lot. Do we even need mailing-lists any more? They were great in the days before forums. Now they just chew up bandwidth, mailstorage space, and make it harder to filter spam.

    9. Re:What I'd like to see... by adminstring · · Score: 3, Insightful

      Here's an example of how mailing lists can be useful: I'm into music and bicycles, and I get periodic emails from several online vendors of music and bike gear letting me know what specials they are having, and quite often I see something I like in these emails, so I click a link and go shopping. I opted in to these mailing lists, and they help me find deals I wouldn't otherwise be aware of.

      I wouldn't probably think to check a forum for an announcement on a free-shipping sale or a closeout on last year's tires, but if it comes in an email, it gets my attention, and I appreciate that.

      My ISP offers spam-filtering, but I have turned it off because too many of these mailing lists I like were getting caught in its trap. So I agree that mailing lists make spam filtering more difficult, but I personally see them as being worth the hassle.

      --
      My truck is like a series of tubes.
    10. Re:What I'd like to see... by AuMatar · · Score: 1

      Yes. Its a lot lower cost and lower effort to make a mailing list than a forum, and to keep up with one. I'm on a dozen mailing lists, I rarely go to any forums.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    11. Re:What I'd like to see... by Anonymous Coward · · Score: 0

      This and many other useful tactics can be implemented for free using ASSP - see http://assp.sourceforge.net/

    12. Re:What I'd like to see... by Phroggy · · Score: 1

      As an e-mail server administrator, I'm currently subscribed to the MIMEDefang and UW imapd mailing lists, as well as the Slackware security mailing list. Could these be replaced someday by a blog with an RSS feed? Sure, but that's not going to happen any time soon. In the mean time, yes, mailing lists are important.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    13. Re:What I'd like to see... by spikedvodka · · Score: 1

      Do we even need mailing-lists any more? Yes. mailing lists are a push interface, forums are a pull interface.

      Mailing lists allow you to send information, rather than having information be available for someone to get. Now, I don't see mailing lists as being a problem with non-existant e-mail addresses... take mailman for example, if it tries to send a message to a non-existant e-mail address, and it gets a bounce back, (it's configurable) it stops delivery to that address
      --
      I will not give in to the terrorists. I will not become fearful.
    14. Re:What I'd like to see... by termigan · · Score: 1

      Subscription one way mailing lists aren't neccessary; there now exist better technologies for broadcasting the same content to multiple recipients who have voiced their desire to receive it. For instance, with some custom client software, RSS could be bridged to become email. A simple Blog advertising sales would allow for immediate subscription and unsubscription even. (To replace more collaborative mailing lists, a forum is probably better, but we could still use RSS on them.)

      There are some interesting implications to an RSS to Email bridge though. On the plus for the user, you could filter the blog posts like you would email because a post would would become an email message. On the downside for the user, companies might use this blog more than they're using a mailing list, but the traffic could be filtered by the bridge or by the email delivery system if there were certain things you really wanted to hear about. (Content provider applied tags seem ideal for this filtering.) On the risk side for the content providers, as opposed to content providers managing the rate emails are sent, these bridges would be waiting out there to slurp up any new content, and would in fact be constantly pinging the system to find new content under the current architecture. So, accordingly, if these bridges caught on, high subscription blogs of any sort might need to use custom RSS server code to to manage bandwidth, but that seems doable. (Better to update modern RSS services as they expand than try to change the existing email system with lots of old crusty code running around.) For a blog with many subscribers, unless you lie to some of the users accessing the RSS feed, (say there's no new content when you can't handle the load), new content would essentially get delivered to all people on the blog over a short time period. This could cause the servers' load to peak as soon as the RSS->Email bridges discovered the content was out there.

      All in all, these seem like more manageable issues than trying to allow for mass email lists as we patch up our email system to keep spammers from gaming it. Heck, authenticated RSS could possibly replace email between known contacts if the framework were set up. You'd know that a message came from your bank because you talked to your bank and they told you what the message was, and phishing would be dead. In this world for new contacts, and that might be more manageable. Maybe in this world of RSS, your email could turn into various local RSS sources and the email reader would go away and the RSS readers would get a bit more functional to allow for refiling of mail. Whatever the exact architecture, we're going to need to think outside the box that is "Email is everything" to get rid of the scourge of spam.

      --

      Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

    15. Re:What I'd like to see... by termigan · · Score: 1

      To stretch your box a bit, why do mailing lists have to be Push? Isn't a blog with people following it on RSS readers as immediate as email? People desiring email could still take an RSS feed and use a special reader or reader web site that turned Blog posts to email which you would white list.

      --

      Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

    16. Re:What I'd like to see... by termigan · · Score: 1

      What prevents the RSS from happening soon? Blogs are pretty common nowdays.

      --

      Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

    17. Re:What I'd like to see... by Phroggy · · Score: 1

      What prevents the RSS from happening soon? Blogs are pretty common nowdays. The people who use these mailing lists don't want to use blogs. Many of them utterly abhor blogs.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  3. RFC-Ignorant.org by nagora · · Score: 4, Interesting
    I did this some time ago for the same reasons and the wankers at RFC-Ignorant.org put my home email server on their blacklist. The twats argued with me that NDRs are such a vital part of email that any amount of spam was a price worth paying for maybe one NDR a year.

    Stupid bastards.

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    1. Re:RFC-Ignorant.org by Anonymous Coward · · Score: 3, Insightful

      What's needed is for servers to start determining immediately whether they can deliver the mail or not and respond to the sender with an appropriate error code if not, instead of sitting on it for a few hours and then creating a bounce message. This can even work over multiple hops if the sending server isn't an open relay, the destination server replies to your ISP's mailserver with "550 Cant send shit captain!", and leave it up to your ISP to decide to retry, generate a bounce to you (which it should have no problem doing, after all, everyone sending email through its server has an account at the ISP, right?), or just drop the matter in the bit bucket.

      Once that initial connection is gone though, the receiving mailserver should not assume that it has any way to talk to the sender again.

    2. Re:RFC-Ignorant.org by Jeff+DeMaagd · · Score: 2, Insightful

      I don't see the point in dogmatically upholding a rule for its own sake. If a rule doesn't always make sense, then change it. An RFC for RFC's sake doesn't do us any good unless the principles in it are still a good idea. Having said that, I think RFCs in general a bit baffling, harder to comprehend then legislation.

    3. Re:RFC-Ignorant.org by fm6 · · Score: 1

      You're an evil person! I'll bet your whois record doesn't even have your correct email and phone number!

    4. Re:RFC-Ignorant.org by flabbergasted · · Score: 3, Informative

      Why are you accepting a message for a nonexistent user in the first place? As soon as the sending SMTP connection specifies RCPT you should be able to check if it is valid and terminate the connection if it is for a nonexistent user. This can all be done before the DATA command is issued. Why waste cycles virus scanning, spam screening and bouncing a message for a user you don't even have? You're not just RFC ignorant, you're ignorant of how to properly run a mail server!

      Note that the method above gets rid of NDRs for nonexistent users but still provides them for a user over their quota or suffering other delivery problems.

    5. Re:RFC-Ignorant.org by fm6 · · Score: 0

      I don't see the point in dogmatically upholding a rule for its own sake.
      You're new around here, aren't you?
    6. Re:RFC-Ignorant.org by megaditto · · Score: 1

      Am I the only one here that likes NDRs? If some important email is not delivered, I would much prefer that a sender is notified about that failure. Wouldn't you?

      Outright NDR ban is just plain stupid, akin to curing headaches with guillotine. If they must do something, why not place a cap and delay on the NDR traffic.

      --
      Obama likes poor people so much, he wants to make more of them.
    7. Re:RFC-Ignorant.org by Applekid · · Score: 1

      If a rule doesn't always make sense, then change it. So I wonder, why DynDNS and the others are just doing it without going through the effort of having it changed?

      It's easier to get forgiveness than permission, I suppose.
      --
      More Twoson than Cupertino
    8. Re:RFC-Ignorant.org by plague3106 · · Score: 3, Insightful

      That's a great way to determine VALID accounts to spam.

    9. Re:RFC-Ignorant.org by aaronl · · Score: 2, Informative

      If you're a backup mail exchanger, then you must accept mail on behalf of the primary mail server, and relay to it later. You don't necessarily have any way to verify the account as valid at that time. If you don't do a NDR, then the message originator has no way to know that an error occurred when the backup MX tried to relay into the primary.

    10. Re:RFC-Ignorant.org by the_humeister · · Score: 1

      Am I the only one here that likes NDRs?


      Yes
    11. Re:RFC-Ignorant.org by nuzak · · Score: 1

      Proper mail servers bounce during the SMTP session. Even AOL has LDAP integration so they can bounce during the SMTP session. If they can do it, anyone can. DynDNS is simply no longer doing accept-and-bounce, which is a GOOD thing. That they're not moving to an architecture that would prevent accept-and-bounce isn't so hot, but considering what they are, I don't see how they could. This makes them one of the few organizations that actually has an excuse.

      I'm not one of the people that shouts how "email shouldn't be considered reliable", harkening back to the "good old days" when email was routinely eaten or delayed for days, but in a purely technical sense, email isn't a reliable datagram transport, and even though the RFC has a bunch of MUSTS (like 3.7) about reliable indicators, this is not enforced by the protocol. You have no guarantee that any human at the end even reads it anyway. Double these caveats when you're sending to such a chewing-gum-and-baling-twine type of infrastructure as a DynDNS hosted server.

      --
      Done with slashdot, done with nerds, getting a life.
    12. Re:RFC-Ignorant.org by dskoll · · Score: 1

      RFC-Ignorant doesn't "blacklist" anyone. It just informs people that such-and-such-domain does not follow a particular part of an RFC.

    13. Re:RFC-Ignorant.org by Eggplant62 · · Score: 1

      Real mailers do that. Some folks, for odd, unknown reasons, keep using mail systems that refuse to do those things you specified, which started and continue to propagate the problem. Until we can get them to change to real mail server equipment, extreme solutions like ignoring RFCs seems to be the only way to find solace.

    14. Re:RFC-Ignorant.org by cgori · · Score: 1

      You're new around here, aren't you?


      Based on a 4-digit SlashID, I'd say not...
    15. Re:RFC-Ignorant.org by TheLinuxSRC · · Score: 1

      That's a great way to determine VALID accounts to spam.

      Possibly, but it does prevent the backflow DOS problem.

    16. Re:RFC-Ignorant.org by Menchi · · Score: 1

      All SPAM Mails go directly to the secondary MX host. Ok, not all, something like 98%. I seriously considered to configure my secondary MX with a deny all rule but instead I just add a lot of points to the SPAM-Assassin score and reject the mail if enough points are reached. And there are ways to check if a recp to address is valid on your secondary MX, but that depends on your setup.

      --
      Today's experiment ...... failed
    17. Re:RFC-Ignorant.org by Ant+P. · · Score: 1

      A blacklist for IPs that disobey RFCs? Whoops, there goes 255.255.255.255/0 for ignoring the IPv6 RFC. Whoops, there goes ::/0 for deliberately ignoring the Type 0 header spec in the IPv6 RFC.
      Utterly retarded idea, and an utterly worthless list.

    18. Re:RFC-Ignorant.org by +Addict-09+ · · Score: 1

      I've had problems with those idiots as well

    19. Re:RFC-Ignorant.org by Anonymous Coward · · Score: 0

      What's funny about this? I think it's a good idea.

    20. Re:RFC-Ignorant.org by gi-tux · · Score: 2, Insightful

      And this is exactly the case with DynDNS and their MailHop service. They will receive email for many folks that are behind and ISP that blocks all incoming traffic on port 25. Then they will relay it to the server on a different TCP port, such as 52525. So if I were a customer of DynDNS and someone sent me an email but misspelled my username (gitux instead of gi-tux), then a problem is going to happen. DynDNS accepts the email which was intended for me (but the wrong username). DynDNS then forwards the msssage to my correctly configured server, which tells them that this user does not exist. They drop the message and do not return and NDR. Now someone believes that I have received the email that was sent to me because they did not get an NDR. However I didn't see the message nor is there any indication to me that anyone tried to send me a message.

      I see this as causing more people to be sending messages with delivery/read receipts so that they will know that the message was properly delivered and/or read. I am afraid that this will lead to an increase in traffic due to these receipts being requested more. But then I guess that servers will start dropping the receipts as well and then sending an email will be no more reliable than sending a snail mail. It is supposed to be a guaranteed system of delivery, but there is a huge dead letter barrel that gets way too many things.

      --
      I have no sig, does anyone have one to spare?
    21. Re:RFC-Ignorant.org by Anonymous Coward · · Score: 0

      If some important email is not delivered, I would much prefer that a sender is notified about that failure. Wouldn't you? Yes, but NDR isn't the only way to do this.
    22. Re:RFC-Ignorant.org by mrjackson2000 · · Score: 2, Informative

      there are ways to avoid this problem also, or atleast lessen the impact. my server will watch for non existant addresses being tried from a single ip, when a threshhold is hit the server drops the connection, i can then block that ip via tcp.deny or any other method and they cannot try again.

    23. Re:RFC-Ignorant.org by fimbulvetr · · Score: 3, Insightful

      That's a great way to determine VALID accounts to spam. A lot of people bring up this point, but it's only ostensibly helpful anyway. The resources you save from not verifying an address are _quickly_ eaten up by the fact that you're queueing messages for invalid addresses on your domain at oftentimes insane rates. Pretty soon, your lame server is going to start to deliver these zillion+ NDRs and not only ruin the rest of your day for your users by stealing bandwidth and mail server resources, but also for many, many other people on the internet who need to delete the 80+ NDRs you sent them.
    24. Re:RFC-Ignorant.org by Menchi · · Score: 3, Informative

      There's even a solution for this kind of problem: It's called "recipient callout". The proxy SMTP Server will attempt a fake delivery attempt to the endpoint SMTP server before OKing a recipient. If it succeds, OK it, if it fails, deny it. Sure it costs some resources, but less than a bounce. And if you don't have enough resources to run an email server, don't run an email server.

      --
      Today's experiment ...... failed
    25. Re:RFC-Ignorant.org by Anonymous Coward · · Score: 0

      So smile and nod your head while ignoring the whole thing and hoping it goes away. Works for my boss.

    26. Re:RFC-Ignorant.org by Desert+Raven · · Score: 1

      Am I the only one here that likes NDRs?

      Probably

      The concept is nice, but I get scores of them every day from ignorant mailservers telling me that the spam that I didn't send, but had my address on it didn't get delivered. I filter them off into a folder, which frankly, I just purge every week or so. I don't have the time to read through them.

    27. Re:RFC-Ignorant.org by megaditto · · Score: 1

      You are being smart about NDRs: they do not work for you, so you filter them out. If another user needs them, they pay attention to them.

      NDR ban sounds like a solution in search of a problem which will hurt legitimate users if this thing catches on.

      --
      Obama likes poor people so much, he wants to make more of them.
    28. Re:RFC-Ignorant.org by dondelelcaro · · Score: 2, Insightful

      That's a great way to determine VALID accounts to spam

      If someone is going to pull off a dictionary attack against the SMTP server, then you just discard connections to them after a specific number of invalid users.

      Almost all mainstream MUAs support this sort of thing now.

      At the end of the day, if you actually accept the message for delivery and later reject it, you should do so silently.

      --
      http://www.donarmstrong.com
    29. Re:RFC-Ignorant.org by redelm · · Score: 1
      What ISPs block 25 inbound? What exploit are they trying to prevent? 'dozy boxen aren't running anything on 25. Legit SoHos with static IPs certainly need 25 in.

      Many ISPs block 25 outbound to be good netizens and avoid their lusers'botnets spewing spam. Legit users can get the block lifted.

    30. Re:RFC-Ignorant.org by Anonymous Coward · · Score: 0

      As soon as the sending SMTP connection specifies RCPT you should be able to check if it is valid and terminate the connection if it is for a nonexistent user.

      Email addresses don't have a 1:1 mapping with users. I use sitename@example.com when I register on a website, and everything@example.com gets sent through to my account. So how am I going to determine whether foo@example.com is valid or not? You suggest manually setting up a redirect for each and every website I visit? No thanks.

      You're not just RFC ignorant, you're ignorant of how to properly run a mail server!

      Fuck you. Just because somebody's use pattern isn't identical to yours, it doesn't mean they are wrong or ignorant. In fact, if you haven't even considered this possibility, I'd bet you haven't run a mail server yourself.

    31. Re:RFC-Ignorant.org by Vancorps · · Score: 1

      My domain was added back in 2002 when it was hosted by an ISP that is now bankrupt. why should I be concerned about being blacklisted by them? Does anybody use them for filtering?

    32. Re:RFC-Ignorant.org by ameyer17 · · Score: 1

      Whoops, there goes 255.255.255.255/0 for ignoring the IPv6 RFC
      Not to mention RFC 3514
    33. Re:RFC-Ignorant.org by TheRaven64 · · Score: 2, Insightful

      What exploit are they trying to prevent? The 'business customer buying a consumer account' exploit. This is more important to a lot of ISPs than a number of other exploits that have no impact on their bottom line.
      --
      I am TheRaven on Soylent News
    34. Re:RFC-Ignorant.org by adminstring · · Score: 1

      I basically do what you are suggesting by using a whitelist of valid email addresses for my domain. If an attempt is made to send an email to an address that isn't on the list, my email firewall (which happens to be LogSat's Spam Filter ISP) immediately drops the connection. Doing this has drastically reduced the amount of processing power on the mail server, and bandwidth on my Internet connection, taken up by spammers!

      --
      My truck is like a series of tubes.
    35. Re:RFC-Ignorant.org by ACMENEWSLLC · · Score: 1

      >>At the end of the day, if you actually accept the message for delivery and later reject it, you should do so silently

      That works real well when the incoming e-mail is a complaint to sexual harassment anonymous hot line and the sender thinks the e-mail went through, but we silently dropped it due to a mistake on the spelling.

      I hate sending and e-mail and having no idea if it ever went through or not.

      So I setup all my outgoing e-mail to have delivery and read receipts to try and discover lost e-mail. But those often are blocked.

      It's like were trying to run our current highway system over the legacy dirt roads of the 1900's because that's just always been there.

      It's time to build the next version of SMTP. SMTP in it's current form is just too old and doesn't handle todays issues well.

    36. Re:RFC-Ignorant.org by funaho · · Score: 1

      Email addresses don't have a 1:1 mapping with users. I use sitename@example.com when I register on a website, and everything@example.com gets sent through to my account. So how am I going to determine whether foo@example.com is valid or not? You suggest manually setting up a redirect for each and every website I visit? No thanks.

      Actually in this case it doesn't matter. If all email addresses @example.com are indeed mapped to your (valid) real email address, then foo@example.com IS valid, as far as the mail server is concerned, because they will all be deliverable and thus no NDRs will be generated.

      Here's an idea for someone who knows Firefox and has some spare time: make an extension that lets you right click on an email address on a page or in a form field and generate an HTTP request to a user-defined URL. You then put up a simple CGI that takes requests and adds them to your mail server's mappings table. Then people could make up email addresses on the fly as you are doing while providing a convenient way to add them to your mail server so that you don't need to use wildcard mappings like that.

    37. Re:RFC-Ignorant.org by Desert+Raven · · Score: 1

      Eh, honestly, When it comes to accepting them from external sources, I don't know anyone they work for anymore. Properly set up systems won't accept email for non-existent addresses, which means the NDR is generated on the sender's SMTP server. Which means that the overwhelming majority of NDRs not generated by the near-end SMTP server are bogus.

      Frankly, this article has me considering the possibility of refusing/blackholing NDRs on my own servers. I'm betting it might drop nuisance mail by as much as 5-10%.

    38. Re:RFC-Ignorant.org by dondelelcaro · · Score: 1

      That works real well when the incoming e-mail is a complaint to sexual harassment anonymous hot line and the sender thinks the e-mail went through, but we silently dropped it due to a mistake on the spelling.

      If the incomming e-mail is actually an anonymous complaint then there's no way to actually notify the sender in any event, is there? The best case would be the receiving MTA rejecting it immediately because it was mispelled, but if it doesn't, how do you expect it to talk to the original sender anyway?

      (If you meant to talk about an anonymous remailer, then such a thing should be bidirectional, and should be doing recipient callouts for mail that it anonymizes as it relays.)

      I hate sending and e-mail and having no idea if it ever went through or not.

      That's why you determine if the mail is going to go through at submission time. If you are unable to do that, then you can't send bounces back to untrusted third parties, because you've no clue if they're actually a party to the communication.

      --
      http://www.donarmstrong.com
    39. Re:RFC-Ignorant.org by totally+bogus+dude · · Score: 1

      I use sitename@example.com when I register on a website, and everything@example.com gets sent through to my account. So how am I going to determine whether foo@example.com is valid or not?

      You just stated that everything@example.com is valid. What's the problem? If you actually do accept everything@example.com, then anything ending @example.com is by definition valid. In this case, you're not going to be generating NDRs, and therefore aren't part of the problem. I do this as well, so I know where you're coming from, but I completely fail to see why you're so upset. Unless you're lying and you don't actually accept everything@example.com -- in which case, you must somewhere have a list of the addresses you do accept, and therefore you should make that list available to any server which accepts mail for your domain.

    40. Re:RFC-Ignorant.org by redelm · · Score: 1
      The "biz buying consumer acct" exploit is prevented by limiting upstream bandwidth. The wonderful asymmetric accounts. By the time a biz has grown enough to justify a mailadmin & running their own MTA, their bandwidth requirements have blown the upstream.

    41. Re:RFC-Ignorant.org by totally+bogus+dude · · Score: 1

      Totally agree. DynDNS are in a difficult position because of the service they provide, but frankly, I don't think they should be providing the service if they can't do it properly. Instead, they're putting a bandaid over a symptom of the problem rather than fixing the problem itself.

      If you want to run your own mail server for the added control, or because you like to tinker with things, or whatever, that's fine -- but you have to also take responsibility for it and run it properly. If you're not willing to take that responsibility, find someone who will. Expecting the rest of the internet to put up with the crap generated by your server because "it's too hard to configure it properly" is just selfish.

      The rest of us take the time to make sure our inbound MXs are able to verify addresses before accepting the mail -- why should you be any different, just because you're too cheap to pay for a proper service or too lazy to work out how to configure your server? (Using "you" in a general form, not directed at you, megaditto.)

    42. Re:RFC-Ignorant.org by jgrahn · · Score: 1

      Am I the only one here that likes NDRs? If some important email is not delivered, I would much prefer that a sender is notified about that failure. Wouldn't you?

      Yes. I have mailed people and become seriously offended when the don't reply. That's because I can assume that when I get no feedback, it's the recipient who blew it - by not reading his mail, or not bothering to respond.

      Like others have noted, NDR is an important part of the semantics of Internet mail.

      So now I'm sending mail to , for $foo in some of the domains I use frequently. I hope they'll write me back ...

    43. Re:RFC-Ignorant.org by jgrahn · · Score: 1

      Proper mail servers bounce during the SMTP session. Even AOL has LDAP integration so they can bounce during the SMTP session. If they can do it, anyone can.

      Except a backup MX without access to an up-to-date copy of the full user database and rewriting rules of the real MX that does local delivery. Remember that a backup MX can (probably should) be far from the primary: it is supposed to kick in when the primary has lost network, suffered a disk crash, or is down for any kind of maintenance.

    44. Re:RFC-Ignorant.org by jgrahn · · Score: 1

      So now I'm sending mail to , for $foo in some of the domains I use frequently. I hope they'll write me back ...

      And all four responded quickly with proper, readable NDRs. One large Microsoft-dominated tech company, one mid-sized Microsoft-dominated tech company, my sucky ex-ISP, and the server in my closet.

    45. Re:RFC-Ignorant.org by Phroggy · · Score: 1

      If someone is going to pull off a dictionary attack against the SMTP server, then you just discard connections to them after a specific number of invalid users.

      Almost all mainstream MUAs support this sort of thing now.

      Hopefully you meant MTAs, not MUAs.

      Does Sendmail do this by default? If so, can you point me to documentation to this effect? If not, can you point me to documentation on how to easily set it up?
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    46. Re:RFC-Ignorant.org by jez9999 · · Score: 1

      If you're gonna rely on the sender's ISP knowing who the sender is, why not just rewrite the From: header to be correct?

      --
      == Jez ==
      Do you miss Firefox? Try Pale Moon.
    47. Re:RFC-Ignorant.org by vrmlguy · · Score: 1

      So don't drop the connection immediately, just route it to /dev/null *without* spam-filtering, etc. It takes almost no resources and doesn't reveal info about your valid users.

      --
      Nothing for 6-digit uids?
    48. Re:RFC-Ignorant.org by Lennie · · Score: 1

      > Note that the method above gets rid of NDRs for nonexistent users

      This is not true.

      Let's see what really happens.

      You send an e-mail from your e-mail client to your e-mail providers mailserver.

      Your providers mailserver accepts your e-mail, without being able to check the if
      the address you are sending to is a valid address, because it's not one of the
      domains on your providers mailserver.

      You provider then tries to deliver that e-mail to the recipients-domain mailserver.

      It contacts that mailserver, that mailserver says this is not a valid address and
      your providers mailserver will generate an NDR and send it back to you.

      These are the NDR's you do want to have.

      This is your normal everyday NDR, if your provider would not let any e-mail in from
      the outside with a sender for the domains they host, unless authenticated, etc. then
      why not deliver those ? The e-mail stayed within the providers own mailsystem and
      came from a user it trusts.

      I think those are the ones you want to receive, are easily checked (or kept inside a
      seperate mail system) and should receive.

      I don't think just dropping all NDR's is a good option, you have to have an alternative.

      The real problem is with how NDR's are handled when it can't be just rejected
      during the SMTP-conversation.

      It would be better to have a 'ndr for:' in the
      SMTP-protocol as NDR-specific replacement for 'mail from:'.

      Then we would actually be able to do the DKIM/SPF checks. on NDR's.

      --
      New things are always on the horizon
    49. Re:RFC-Ignorant.org by dodobh · · Score: 1

      a) Require a list of valid recipients.
      b) Recipient callouts
      c) Don't require a secondary MX. Get more reliable email hosting instead.

      --
      I can throw myself at the ground, and miss.
    50. Re:RFC-Ignorant.org by macdaddy · · Score: 1

      If you would be so kind as to provide the domain and IP of your home mail server I would appreciate it. I would like to add you to the blacklist on all my mail servers. Clearly you are too ignorant to properly run a mail server. Many thanks.

    51. Re:RFC-Ignorant.org by macdaddy · · Score: 1

      define(`confBAD_RCPT_THROTTLE',`1')

      This Google search will point in you the right direction.

    52. Re:RFC-Ignorant.org by macdaddy · · Score: 1

      As a partial solution to this problem DynDNS could *learn* valid email addresses for a given domain by scanning the outbound messages from said domain. My server-based spam filter does something similar for me. It's called Auto-Whitelisting. It automatically whitelists the recipients on email I send through the spam filter. It would be trivial to have it also scan for and learn valid sender addresses. This isn't a silver bullet but it helps.

    53. Re:RFC-Ignorant.org by macdaddy · · Score: 1
      It can also be readily prevented by not permitting residential connections in areas zone for business purposes. Zoning data is very accessible these days and can easily be integrated into your telco's mapping system. We recently revamped our mapping system and this was a feature that was available (and we're very small in comparison to Cox or Bell). Zoning laws will prevent a business from being established in a residential area until the zoning specifications are amended.

      You can also rely on your field techs to tell you if the location is a business or not. If a residential tech goes out to do a VDSL hookup and finds that the site is actually a business then they can call foul and the install stops.

    54. Re:RFC-Ignorant.org by redelm · · Score: 1
      Except some states like Texas do not have zoning.

    55. Re:RFC-Ignorant.org by macdaddy · · Score: 1

      Good point. Then I'd say it falls on the field tech to discern for themselves. You could also do it on the billing side of things. A business of any reasonable size won't have an individual pay for Internet access. They'll try to claim it's residential, "and would you mind sending the bill to Company ABC at the same address? Thanks." Seen that before too. It's a tough one to solve. At my ISP I won't let them run a mail server on a dynamically-assigned account. For that matter I won't let them use any SMTP server (on tcp/25 at least) that's not our ISP's on a non-static account. That solves a lot of problems right there.

    56. Re:RFC-Ignorant.org by Phroggy · · Score: 1

      Thanks.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    57. Re:RFC-Ignorant.org by macdaddy · · Score: 1

      De nada. There's also an O'Reilly book that's helpful with some of these more advanced options: Sendmail Cookbook .

    58. Re:RFC-Ignorant.org by ACMENEWSLLC · · Score: 1

      Anonymous doesn't mean we don't know their e-mail address. We've had this happen on other types of complaints. The person sends an e-mail from a valid e-mail address, but we have no idea who that person is. Usually a secondary AOL screen name or YaHoo account.

      FWIW we do not send back bounce notifications after the fact anymore. We check at submission time, not later on.

  4. Change or Defy by Astrogen · · Score: 4, Insightful

    While I do believe they should initiate an effort to update the standard, if they view it as a security threat or a spam vector they are entirely right in shutting down the service.

    If a RFC said all boxes should have a port that users could telnet into with root access, and people start abusing that would you leave it and wait for the standard to change?

    1. Re:Change or Defy by the_humeister · · Score: 1

      You know, I don't see anyone following this RFC. So, as it stands, it seems these RFCs aren't always adhered to.

    2. Re:Change or Defy by cstdenis · · Score: 0

      I use RFC 2549 you insensitive clod.

      --
      1984 was not supposed to be an instruction manual.
    3. Re:Change or Defy by TheSolomon · · Score: 2, Insightful

      I agree, although refusing to deliver NDR emails is overkill. Sending abbreviated NDRs instead would work just as well, without denying the utility of valid NDRs.

      By "abbreviated," I mean mail servers should look at incoming apparent NDRs, drop most of the message content, and provide summary information instead. So instead of getting a fake NDR with a SPAM payload, you'd get something like "Your message addressed to fakeaddress@someplace.com, with subject beginning 'First three words,' could not be delivered. [...]"

      People will still (temporarily) get a number of bogus NDR messages, but once spammers see nothing but the first three words of the NDRs are getting through, they'll give up on using the technique. Any messages crafted to exploit the first three words of these summary/abbreviated NDRs would be fairly pathetic compared to normal SPAM, plus they would be easily captured by updated spam filters. (Subjects like "pr0z@c ch3@p www.cheap-prozac.com" would be a total give-away.) ;-)

    4. Re:Change or Defy by bvimo · · Score: 1

      How about an RFC for an NDR template.

      --
      In either case, here at Microsoft, we feel standards are important. And we have fun, too. Doug Mahugh, Microsoft
  5. SPF? by Southpaw018 · · Score: 4, Insightful

    If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved? Don't send NDRs to domains without SPFs or when SPF fails. NDRs get through and problem solved.

    And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    1. Re:SPF? by Sircus · · Score: 1

      If you typo an address, the receiving mail server should be able to reject it during the SMTP conversation. This should result in an NDR for you from the sending mail server.

      --
      PenguiNet: the (shareware) Windows SSH client
    2. Re:SPF? by jchawk · · Score: 1

      If you send to an address at one of my corporate domains that is incorrect you're not getting an NDR.

      Your email will go into a catchall mailbox and it will be forwarded to the appropriate person. Yes this is tedious however 1 missed email could be a missed chances at *TONS* of business. Often times people won't email you again if they get an NDR back.

    3. Re:SPF? by ajs · · Score: 1

      If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved? Yes.

      Don't send NDRs to domains without SPFs or when SPF fails. A fair point.

      And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative. Welcome to 2007. I hate to say it, but this is the state we're in. When I used mailhop, I used it for secondary MX, so I would not really have cared too much about the off chance that when my primary MX was down, you sent mail with typo in the To address. Failure recovery doesn't need to be 100% perfect for me to appreciate having it.
    4. Re:SPF? by Anonymous Coward · · Score: 0

      Dude, that was his point. If they aren't sending NDRs he won't get one.

    5. Re:SPF? by TheSkyIsPurple · · Score: 1

      Some places are set with their external servers as dumb as possible... they know nothing about whose accounts are valid or not, so if they ever do get hacked, you don't have all legal addresses available for mailings lists, sales, etc...

      Granted, you can pick up alot from logs, but not all

    6. Re:SPF? by trolltalk.com · · Score: 1

      "If I typo an email address, I damn well better be getting an NDR from the recipient domain,"

      And if your typo matches a real person's email, you won't be getting an NDR. Heck, I've gotten tons of email from people who have sent their stuff to the wrong person - including the new password for someone whose name misses mine by one letter.

      If the mistake originated with you, don't expect someone else to take responsibility for fixing it.

      --
      Kevin Smith on Prince
    7. Re:SPF? by Anonymous Coward · · Score: 0

      I simply don't send "Out of office" or NDR's if SA score >7.

    8. Re:SPF? by kindbud · · Score: 1

      If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved?

      No, SPF/Sender-ID are bad ideas, which even their creators don't put much trust into. Don't believe me? Try sending a brand-new newsletter to Hotmail and MSN subscribers. Make sure all your Sender-ID and SPF records are in place and verified with Microsoft's own Sender-ID checker. Make sure all your WHOIS data is current, valid and not obfuscated for privacy. Setup your mail servers on freshly-allocated netblock, which you've verified is not on any DNS blacklists. All your ducks are in a row, so you send your newsletter with high hopes. They will be dashed. Microsoft will stuff your newsletter in the Bulk Mail folder anyway, until their servers "get used to" your mail stream. Even Microsoft places no stock whatsoever in Sender-ID. It is a waste of time, a means of dismissing your attempt to interoperate with them. Sender-ID is just another way for Microsoft to tell you "Not enough dick sucking, try harder."

      --
      Edith Keeler Must Die
    9. Re:SPF? by tthedford · · Score: 1

      "If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative." Maybe simply learning how to type would be a better alternative? Don't always expect others to fix your screw ups.

    10. Re:SPF? by cleverhandle · · Score: 2, Insightful

      And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

      Which is why you run a real secondary MX that can either do recipient callout or use valid recipient lists in order to reject during SMTP. DynDNS is a cheap hack for geek vanity domains - you're getting exactly what you pay for.

    11. Re:SPF? by Raideen · · Score: 1

      SPF doesn't tell you that e-mail is not spam. What it does do is tell you if something is spam. It can nearly rid us of the spam botnet problem, if it's used by everyone. (The soft failure provision is crap though.)

      Hotmail, AOL, and other large e-mail providers will start filtering out your e-mail if a certain number of their members mark your e-mail as spam (which many seem to use instead of the delete button). Your SPF records won't save you from that. If you send to a sufficiently large e-mail base, you'll get tagged quickly. I haven't had to deal with any Hotmail delivery issues for any of our 100 or so clients, but we deal with AOL frequently. We just get them on the white list and setup a feedback loop and the problem goes away. If you're going to start a mailing list, it would be prudent to contact the big carriers beforehand. Oh yeah, don't forget to get PTR records that match the A records of the mail hubs. Also make sure that the mail hubs announce themselves using their associated FQDN's.

    12. Re:SPF? by Zeinfeld · · Score: 1
      If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved? Don't send NDRs to domains without SPFs or when SPF fails. NDRs get through and problem solved.


      Actually there is a much better way t filter bogus NDRs. An NDR should be sent to the SMTP.From address, which is separate from the address that shows on the message.


      So there are schemes such as BATV that mail servers can use to encode an authentication token into their outgoing SMTP.From address. So ted@example.com becomes AS234fw8734.ted.example.com. The authentication token is then checked against a secret key, if it does not match the bounce is suppressed.


      SPF/SenderID are both very useful, but they are not the best way to solve this particular problem. The value of SPF/SenderID is to allow use of accreditation data for more effective whitelisting.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    13. Re:SPF? by termigan · · Score: 1

      Ah, so no more 404 messages for web pages. Cool.

      --

      Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

    14. Re:SPF? by Anonymous Coward · · Score: 0

      Have you ever gotten a 404 generated by *someone else* putting in the wrong address? If someone put dog crap on your doorstep, is it OK to fling it off the top of a tall building?

    15. Re:SPF? by kindbud · · Score: 1

      Hotmail, AOL, and other large e-mail providers will start filtering out your e-mail if a certain number of their members mark your e-mail as spam (which many seem to use instead of the delete button).

      Nope, they just toss you into Bulk Mail if they haven't seen your mail servers before, even if your organization applies for feedback loop, PTR records in order, SPF, and even before any Hotmail user sees your message or presses any buttons. Bulk Mail is where you go regardless of anything else, for about two weeks when you first start sending. We've called them about it, there are no exceptions. That is what they do.

      --
      Edith Keeler Must Die
    16. Re:SPF? by Raideen · · Score: 1

      Nope, they just toss you into Bulk Mail if they haven't seen your mail servers before, even if your organization applies for feedback loop

      That's interesting. As I said, I haven't had to deal with Hotmail before (either our clients haven't noticed that e-mail to Hotmail isn't working or the list wasn't large enough to automatically get flagged). Is that policy only for bulk message deliveries or does every new domain get trapped at first? I assume that the only counter measure would be to ask the recipients of your mailing lists to unflag the message when the first one arrives.

    17. Re:SPF? by kindbud · · Score: 1

      I assume that the only counter measure would be to ask the recipients of your mailing lists to unflag the message when the first one arrives.

      As best we can tell, this is just what Hotmail/MSN intend. It might be a good idea if you move to new address space, to create a bunch of Hotmail/MSN mailboxes, include them on your first mailing from the new addresses and right away login to each of them to un-Bulk your mailing, in the hopes that your mails will get un-Bulked sooner by whatever automated feedback system they are using.

      --
      Edith Keeler Must Die
  6. to defy the laws of tradition by chef_raekwon · · Score: 4, Insightful

    Should they have made efforts to have the standard changed instead of defying it?

    maybe by defying it, the standards will now be reviewed, and eventually changed.

    --
    We're like rats, in some experiment! -- George Costanza
    1. Re:to defy the laws of tradition by SnoopJeDi · · Score: 1

      That's what the confederates thought.

    2. Re:to defy the laws of tradition by Breakfast+Pants · · Score: 1

      And what Martin Luther King, Jr. thought (correctly, though he got the idea from Gandhi, not the confederates).

      --

      --

      WHO ATE MY BREAKFAST PANTS?
    3. Re:to defy the laws of tradition by rhizome · · Score: 1

      maybe by defying it, the standards will now be reviewed, and eventually changed.

      And your daily lesson in passive aggression comes to you from chef_raekwon today.

      Not very Wu of him, if you ask me.

      --
      When I was a kid, we only had one Darth.
    4. Re:to defy the laws of tradition by chef_raekwon · · Score: 1

      well, if it means anything at all, your comment made me lmao.

      --
      We're like rats, in some experiment! -- George Costanza
  7. RFC by networkzombie · · Score: 2, Funny

    Setup the NDR delivery to cc the postmaster. That'll force him to block those emails during the session rather than letting them get through. Let's face it; if you're getting too many NDRs, you are accepting email from illegitimate sources that need to be blocked. It will stop the joe-jobs and allow the legitimate NDRs to continue. I'm gonna build my own RFC 2821, with hookers and blackjack.

    1. Re:RFC by Seakip18 · · Score: 1

      In fact, forget the RFC 2821 and blackjack!

      --
      import system.cool.Sig;
    2. Re:RFC by discord5 · · Score: 1

      Aaaah, screw the whole thing

  8. The Problem Is Not NDR's by jchawk · · Score: 4, Insightful

    It's email in general. The whole system is flawed and we've tried repeatedly to duct tape over the problem.

    The main problem is a you have a system based on blind trust.

    Second trust based duct-tape systems are simply too cumbersome for the average user.

    I don't have the answer but I do know that email in it's present state is broken.

    1. Re:The Problem Is Not NDR's by Eggplant62 · · Score: 1

      ...email in it's present state is broken.


      I'm reposting this to make certain that if one point gets made here, this is it.
    2. Re:The Problem Is Not NDR's by Realistic_Dragon · · Score: 1

      I respectfully disagree.

      E-mail works fine, with the various hacks that have been added on to fight entropy. Dealing with normal spam is no worse than the annoyances of closed networks - you still get spam on facebook etc!

      Compare and contrast e-mail with the alternatives - you get instant messaging, which solves a different problem and *still* sucks, or you place yourself at the mercy of a third party. No thanks.

      If you can't use e-mail chances are you don't:

      Run an well configured server (or pay an insignificant amount of money to the people at tuffmail to run one for you)
      Have a mail client with decent filtering

      However NDRs are a major problem. My domain was spoofed this week and I received 30k+ NDR responses. 2k+ ended up in my inbox ... and unlike regular spam they are really hard to filter. I normally get 2k~ spam per week and max 1-2 end up in my inbox.

      --
      Beep beep.
    3. Re:The Problem Is Not NDR's by poetmatt · · Score: 0

      As someone who doesn't know that much about email,

      how am I supposed to know if an email didn't go through correctly now? What if this is a critical business venture? (say a 7-9 figure transaction)
      Are there other ways to be notified of an email not being delivered?

      Also I understand your "things are broken" complaint but what can be done about it?

    4. Re:The Problem Is Not NDR's by Tim+C · · Score: 1

      What if this is a critical business venture? (say a 7-9 figure transaction)

      Then if for whatever reason it has to be email, rather than courier, fax, snail mail, in person, etc, you could always pick up the phone and ask for verbal confirmation of receipt, or assume that not getting a reply confirming receipt is evidence of non-delivery.

      Anyone who blindly relies on email (or anything else) being delivered, received, understood and acted upon correctly for a critical business venture without some kind of confirmation process is a fool. For example, you won't get an NDR if the user's mail client binned it on receipt as spam, or filtered it off to the wrong folder...

      --
      It's official. Most of you are morons.
    5. Re:The Problem Is Not NDR's by pkulak · · Score: 1

      I don't know why everyone keeps saying this. Sure, if I apt-get Postfix on my local box it's going to be flooded with spam, but throw SpamAssasin on there, use the spamhause blocklists, and you get just about none. There are only so many servers that should be sending mail. Just block the rest and you're done. Sure that's a bit complicated, but so is all this talk of Email 2.0.

    6. Re:The Problem Is Not NDR's by TheRaven64 · · Score: 1

      Do you have SPF set up? As I understand it, most of the big providers now use SPF when receiving email, and ignore it if the record is present and the sender does not match the allowed list. This should mean that Joe jobs don't work if you have SPF correctly configured.

      --
      I am TheRaven on Soylent News
    7. Re:The Problem Is Not NDR's by MikeBabcock · · Score: 1

      We tell our customers regularly not to assume that E-mails get to their customers or suppliers and to verify out of band. For one E-mailing system I agreed to configure we E-mailed the recipients a link to a secure web page hosted by the company in question with the information in it instead of just E-mailing the data. This way we could verify receipt using the web server and any unclicked links could be followed up on.

      --
      - Michael T. Babcock (Yes, I blog)
    8. Re:The Problem Is Not NDR's by Anonymous Coward · · Score: 0

      The main problem is a you have a system based on blind trust.

      That is no longer the case. Having worked as a consultant, I know that all major companies today have a white list for their business partners. It is most of the time based on trusting the DNS, so I agree with the previous poster who said that secure DNS should be implemented.

      I think the ability of being able to email from any internet host without having to be "authorized" by a central location is a key feature and an important success factor in the reliability of internet email overall. Any authorizing facility is bound to bottlenecks and downtime. (Yes, that includes the companies' internal white-lists, but the impact on the internet overall isn't there.)

    9. Re:The Problem Is Not NDR's by caluml · · Score: 1

      Last time I checked, Postfix didn't support it "out of the box". Wish they would.

      --
      Get your own free personal location tracker
    10. Re:The Problem Is Not NDR's by poetmatt · · Score: 0

      umm to clarify further, a lot of the clients for my business do not have any points of contact other than email, and a physical overseas address. They don't usually have phones (or do business in enough countries and places that phones aren't commonly used), and the transactions are time-critical (24-48 hour). So yeah, "pick up the phone" may sound good, but without a confirmation of a mail not going through or a receipt from the client, we actually are obligated to proceed anyway since the money has been received. Thus the enormous business risk (not to mention working with businesses that are based in the middle east/china/uk from within the US and having to make sure that they are legit companies and not on the SDN list). Basically with the choice of a: waiting too long and cancelling the work (the volume of the work is in the thousands of orders a day), or b: not getting an email confirmation, and just proceeding with the work and getting a very flagrant response weeks later, you can imagine I'm beyond pissed that I simply "won't know" that an email doesn't go through. On a literal sense, how come the post office, and websites themselves essentially have "bad address/did not send" messages, but email wouldn't? I don't see any reason for an exception. Also, as lack of technical as I may be, did I not read above comments in the article saying there are technical workarounds?

  9. Standards and Implementation by LithiumX · · Score: 5, Insightful

    Tried and true standards make the net go round, but the most effective enhancements or changes to standards usually don't come from a committee working out best practices - it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

    Going against standards can cause a bit of chaos as well, which is why it's good to avoid deviation - but sometimes a deviation makes sense, and you do it. Publicly announcing this (non-critical) deviation, and explaining exactly why, is the proper way to go about it.

    --
    Do not confuse "Freedom of Choice" with "Free Will".
    1. Re:Standards and Implementation by OldeTimeGeek · · Score: 2, Insightful
      it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

      The process of modifying standards is a bit more complex than that, but there is a process for change. You just have to become part of it rather than just picking and choosing which standards annoy you the least and then hoping that someone else will fix the ones that don't work the way you think they should.

    2. Re:Standards and Implementation by _anomaly_ · · Score: 1

      Publicly announcing this (non-critical) deviation, and explaining exactly why, is the proper way to go about it.
      I tend to differ...
      What they're doing is making a change to a service that they provide so that their problem is resolved (which they have a right to do IMO).
      It's kind of a move towards an 'ignorance-is-bliss' policy rather than fixing a problem for their customers... after all, if they aren't aware of a spam problem that their customers are experiencing then there isn't a spam problem.
      I'm a fan of DynDNS simply because of the (free) services that they used to provide back in the day that (seemingly) no one else offered, but the way you put it they're leading the industry in solving the Big Email Problem.

      Their move will do nothing to impact any standard whatsoever because simply removing the sending of NDRs does nothing to solve the inherent problems, it just covers it up a bit.
      --
      "I have no special gift, I am only passionately curious." - Albert Einstein
    3. Re:Standards and Implementation by Luthe_Faydwire · · Score: 1

      Just to be honest here people do not follow the standards 100%. They build something that works well enough, then most add "value adds". Cisco and BGP are a good example as though they helped write the RFC they also built their code with additional features that made it incompatible in some designs. I think that Juniper built a command that allowed them to run "Cisco BGP" but its been awhile. I don't know the number of times that I have found that system do not work the way that an RFC says they should while the company claims RFC compliance.

  10. Turn off original message in the bounce??? by Anonymous Coward · · Score: 3, Interesting

    Did I miss something or wouldn't the problem be solved by turning off the content of the original message in the bounce? If you can't see the original content, it removes the incentive for spammers to use that technique.

    This is how it goes on all our mail servers. All bounced messages have the original content stripped off. You get the error message with the reason the message bounced and that's it.

    NDR are still usefull. There is PLENTY of mail servers not configured properly or messed up on the Net, even from big ISPs. Calling the current system as a whole, reliable, is a joke.

    1. Re:Turn off original message in the bounce??? by Andy_R · · Score: 1

      It's not just a good idea, here in Britain, it's the law too.

      Basically, our spam law says it's illegal to send unsolicited commercial e-mails to private individuals - there's nothing to say that you have to be the author of the spam to fall foul of that law, you are still guilty if you send me an unsolicited commercial e-mail by bouncing it to me from a third party when I'm being joe-jobbed.

      A nicely worded 'please change your settings, or I'll tell the information commissioner to fine you £5,000 per mail' e-mail from me has already made a few major businesses and governement organisations change their policy on this, and stop forwarding spam.

      --
      A pizza of radius z and thickness a has a volume of pi z z a
    2. Re:Turn off original message in the bounce??? by Sleepy · · Score: 1

      >Did I miss something or wouldn't the problem be solved by turning off the content of the original message in the bounce? If you can't see the original content, it removes the incentive for spammers to use that technique.

      NO. Once a spam MO becomes commonplace, that technique will NEVER go away.
      You seem to be implying that if the "effort" is wasted in vain, then spammers will deprecate their old technique. They won't - they'll just ADD new techniques. The NDR loophole will never die.

  11. Long deprecated in practice by athloi · · Score: 1

    I knew some ISPs started doing this in the late 1990s after broken mailing lists sending spam from forged addresses generated floods of NDRs in response, smashing the original forged recipient (often some unbelievable sound address like "someone@everywhere.org"). Original NDRs quoted the whole bounced email, but first that changed, then many went to one-liners, and finally, they started disappearing.

    --
    technical writing / development
  12. not all sending servers can generate NDR by C0vardeAn0nim0 · · Score: 1

    ideally the server sending the message should generate the NDR, this way network traffic would be reduced and delivery of NDRs quicker. for this to work is neccessary that the receiving server runs a directory search for the recipient and replies with a 5xx message (permanent error) after the sending server issues a "RCPT" command.

    sendmail and postfix both do this. don't know about MS exchange or courrier. a default qmail install (without patches) certainly don't. i believe there's a patch to implement this, but it's unofficial.

    standard qmail accepts and queues anything you throw at it, then pipes the message to another proccess that runs the dictionary search. the result is that if you suffer a dictionary attack (i.e. a spammer takes a huge list of common names - say, 100.000 - and prefixes them to @yourdomain.com), you end up with a thousands of NDRs on your outbound queue, effectively swaping the server and/or connection.

    sendmail and postfix in contrast, issue an error if the recipient doesn't exists, which leaves to the sending server the task of creating the NDR, wich IMHO is the correct thing to do.

    i wasted too many time cleaning qmail's queue in a couple of servers i inherited from a previous admin untill i got fed up and replaced it with postfix. life is too short to waste cleaning up after spammers.

    --
    What ? Me, worry ?
  13. Are DynDNS cluebies? by jani · · Score: 5, Insightful

    With this reliabity levels of modern e-mail systems being substantially higher than its past predecessors, the practical needs for this NDR messages are nil. These practical, anti-spam, merits far outweigh the prevailing RFC 2822 technical requirements.


    Excuse me, but due to the vast amount of spam handling, modern e-mail systems are substantially less reliable than they used to be.

    If you redirect email for your domain name to Hotmail, chances are good that it will disappear without a trace. (No NDR, not in the spam box either.)

    Someone else already mentioned the problem of people typoing email addresses. This is a common problem.

    Email can be bounced for other reasons, too, such as a full mailbox, or that there is a relaying mail server (yes, DynDNS, they still exist, and in abundance!) which gives up on delivery after a week of timeouts for the destination host.

    And so on.

    Someone at DynDNS needs a good whack with the clue bat.
    1. Re:Are DynDNS cluebies? by lamber45 · · Score: 1
      If you redirect email for your domain name to Hotmail, chances are good that it will disappear without a trace. (No NDR, not in the spam box either.)

      If you have a DynDNS account, chances are good that you don't forward all your e-mail to a HotMail account. In fact, you might run your own mailserver; in that case, you can make sure that your own server returns whatever bounce messages you feel are appropriate. Even the forwarding service will normally be pointed at RFC-compliant servers, which may choose to generate bounce messages in some cases.

      In other words, if someone misdirects e-mail to my.handle@my.vanity.domain instead of my.h4ndle@my.vanity.domain, it might get lost with no error-message... but since it's your domain, you can define as many e-mail addresses as you want within it. On the other hand, if someone starts sending a lot of mail to bogus addresses at your domain with forged return addresses, they gain no information and DynDNS doesn't generate annoying misdirected bounces to a lot of third parties.

      I am a happy DynDNS customer, but I don't use any of their mail services at the moment.

    2. Re:Are DynDNS cluebies? by jani · · Score: 1

      If you have a DynDNS account, chances are good that you don't forward all your e-mail to a HotMail account.

      The Hotmail example was meant as an example in how email is already broken, not as an example of something you might want to communicate with (DynDNS or otherwise).
    3. Re:Are DynDNS cluebies? by JcMorin · · Score: 1

      I've send over 100 000 emails to hotmail alone and the server always return a code if a fail action, good are the chance the that software that send the email to hotmail do not take the appropriate action with the code. If DynDNS return that the domain name is invalid or the account do not exist. In my opinion their job is done, the SMTP can return (if not a queue) instantly the error, or generator and delivery failure.

  14. Problem is legitimate, solution is not by EdwinFreed · · Score: 2, Interesting

    They absolutely do have a legitimate problem, one that needs to be addressed by appropriate standardization and implementation activities. But unconditionally failing to generate DSNs is not the answer. What they need is a mechanism that eliminates most of the cases where they currently have to generate DSNs.

    First, by their own admission this is only a serious problem for what they call their MailHop Backup MX service. Their other services, MailHop relay and forward are "mostly immune" to DSN issues.

    The reason for this is simple: With MailHop Backup MX they have no way to validate addresses so they end up accepting a ton of crap to invalid addresses that end up bouncing later when they relay it on. With the other services they can validate addresses and generate a "5yz recipient invalid" sort of error right there in the SMTP session - no need for them to generate a DSN.

    So, if the problem is that they don't have sufficient recipient information in the one case, why not solve it by making that information available? One way this could be done is to have the primary MX publish their list of valid addresses using DNS protocols. A zone transfer could then be used to copy the information over so it is available when it is needed. DNS update mechamisms will keep the information reasonably current. (Of course they cannot assume it is current but they can handle that by issuing a "4yz" temporary error instead of a "5yz" permanent one for unknown addresses. Various issues such as needing to support subdomains or subaddresses can probably be dealt with by using NAPTR records. Obviously this whole thing has to be secured and there are various issues with spoofing, but none of these issues seem insurmountable.

    Although I think a DNS-based solution could work, I'm really only using it as example. A different mechanism might be more appropriate. But regardless of the mechanism used, what's missing is the set of standards for how different organizations release and consume this sort of information. Without those their customers don't know how to publish the information and even if they did so a backup MX service provider cannot possibly afford to build a custom address import facility for every customer.

    It really is past time that people who have such issues stop going their own way and break things when they could be working with others to actually solve the problem. I've brought this issue up in the IETF once or twice and not seen enough interest to pursue it. That might change if folks like DynDNS would get involved.

    1. Re:Problem is legitimate, solution is not by Jubal+Kessler · · Score: 2, Insightful

      With MailHop Backup MX they have no way to validate addresses

      Not necessarily. Backup MX services could do address validation if they're given a userlist. Of course, this entails some security concerns (example: why trust a backup service with a userlist?), but that can be figured out satisfactorily (answer: use a backup service you can trust, and engineer a secure solution).

      Further thoughts:

      There is little reason to avoid address validation these days. As for the argument against address validation -- that spammers can determine valid addresses by seeing which ones don't fail, and that's a reason not to validate -- that's not much of an argument:

      - Accept and discard, and spammers think all addresses are real.
      - Accept and generate an NDR, and spammers never get it, because their sender address/domain is usually bogus.
      - Reject unknown addresses, and reduce massive CPU overhead from spam/virus-scanning. Bonus!

      Finally, implement some form of connection throttling based on address validation. Some connection's doing what appears to be a dictionary attack, trying a jillion usernames starting with the "a"s? Or even multiple connections doing it, subdividing the alphabet between themselves? Trip a threshold of, say too many connections or too many bad recipients per minute, and refuse further SMTP connections from the given IP address -- or even slip it into a packet-filter rule to blackhole -- for an interval of time, and the problem's solved.

      Once spam makes it past the DNS blocklists, the connection throttling, etc. there's enough intelligence in the anti-spam middleware to accurately identify the ham from spam 99% of the time or better.

      And of course there's DomainKeys Identified Mail (DKIM) which is now RFC 4871 and is excellent for this middle section of the anti-spam defense wherein one also has to determine whether a message is an elaborate phishing scam or the real deal. SpamAssassin can do a bit of this as well as SPF, etc., and there's a high-performance dkim-milter implementation on sourceforge, too.

      SMTP isn't dead, just a tad more complex on the server level, and defenses are improving against the soft areas of the protocol. What I've suggested works pretty darn well as a starting point.

    2. Re:Problem is legitimate, solution is not by Jubal+Kessler · · Score: 1

      Whoops. Remind me to read an entire post before replying. I see you've covered what I just said.

      I agree that standards to present userlists would help increase adoption of address validation on secondary MXes.

    3. Re:Problem is legitimate, solution is not by Anonymous Coward · · Score: 0

      Isn't this what LDAP is for? Combined with SSL and an appropriate access list
      would provide the necessary directory services in a secure fashion.

    4. Re:Problem is legitimate, solution is not by EdwinFreed · · Score: 1

      LDAP certainly could be used for this, but not in such an obvious way.

      A key element of any such service is that it has to work when the primary MX is totally inaccessible. So a scheme where the secondary just looks up addresses using an LDAP server operated by the primary won't work - it fails at exactly the wrong time.

      What's needed is for an LDAP server at the secondary to be act as a slave to the master server maintained by the primary. I believe LCUP (RFC 3928) provides this capability.

      Another issue is that no matter what protocol you use there has to be a defined way in which to store address information. In the specific case of LDAP you'd need to have not only an LDAP schema but also a specific DIT layout.

      Various existing LDAP schemata define ways to represent email addresses in LDAP but AFAIK none of them are adequate for this. An obvious deficiency is that you need ways to say things like "the part of the address after a plus can be anything" or "ignore a leading underscore if present" or perhaps even "if this begins with a tilde remove the tilde and match against a different attribute". DNS NAPTR provide what seems to me be to be a pretty good match to what's needed here, which is one reason why I used DNS as an example rather than LDAP. Another reason is that I'm unclear to what extent LCUP is actually implemented by LDAP servers, whereas DNS mechanisms for this are universally implemented. Basing this on something that's readily available seems like a really good idea to me - perhaps even a requirement.

  15. Start at the top, with secure DNS. by Colin+Smith · · Score: 1

    It has to start with secure DNS. Receiving mail servers have to be able to test that the originating mail server actually represents the domain it says it does.

    --
    Deleted
    1. Re:Start at the top, with secure DNS. by Azghoul · · Score: 0

      And all that does is fuck over any legitimate emails that don't come from the domain in the reply-to, screwing home-installed linux users.

      No thanks.

    2. Re:Start at the top, with secure DNS. by greed · · Score: 3, Informative

      Way to confuse envelope-from, header-from and reply-to.

      Besides, my home-brewed Linux-based mail server has a published SPF record, and anyone receiving mail can verify that machine is entitled to generate envelope-from with that domain. The SPF also spells out my relay provider, since my DSL line is in DSL blocklists.

      What it really needs, at the least, is for people to stop accepting bogus HELO/EHLO addresses and other unverifiable envelope information. If there isn't even an A record for the HELO address, then 554 the message.

      This means mail from many large corporations will be rejected, because they use HELO hostnames that only resolve inside the company.

    3. Re:Start at the top, with secure DNS. by Colin+Smith · · Score: 1

      It just means the mail server needs a valid DNS domain and to have it set up securely. It's not so difficult and is badly needed. It solves much of the spam and phishing problem.

      --
      Deleted
  16. Bad idea by dskoll · · Score: 1

    Unilaterally deciding to ignore an RFC (or part of an RFC) just because you don't like it is almost never a good idea. When Microsoft does it, everyone (correctly!) gets up in arms. DynDNS shouldn't get off any easier.

    At most, I would agree with a temporary block of NDRs to a particular user or domain if a large joe-job run is recognized. But this should never be made permanent or blanket.

  17. Having read TFA... by dskoll · · Score: 1

    The problem is one of architecture. There is no excuse in the modern world for running a secondary MX server that lacks knowledge about local recipient addresses. While this architecture may have been OK 10 years ago, it no longer is. Just don't run a secondary MX unless you have a way to transfer your account list to the secondary in a way that the secondary can have local knowledge of valid addresses even if the primary is unreachable.

  18. NDR's are not evil by Anonymous Coward · · Score: 5, Insightful

    Throwing out the baby with the bath water comes to mind when I read this...

    The problem is not with NDRs. The problem is that their servers *accepted* the message that eventually had to be NDR'd in the first place, then after accepting responsibility, decided they didn't want that responsibility, so discarded mail that they promised they would deliver.

    If their servers checked validity of local recipients, scanned and filtered the message, etc BEFORE accepting it (via 2xx series SMTP accept response), and instead properly REJECTED it with a 5xx series response, these messages would never be bounced. The NDR mechanism is not at fault - rather, the fact that they can't properly configure their servers to reject the message up front is at fault. If you properly REJECT the messages at the SMTP level instead of accepting the message for delivery, the only thing left to NDR are perfectly valid cases, such as mailbox over quota, etc.

    Once you *accept* responsibility to deliver a message (via a 2xx series SMTP response), you MUST deliver it somewhere, else you have shirked your responsibility - either deliver it to it's destination, or bounce it. To do anything else would be to LOSE mail, which is the ultimate sin of any mail server. The key is not to throw out bounce messages, but to minimize or eliminate unnecessary bounces in the first place by rejecting instead.

    Note that by properly REJECTING the message, you also effectively defeat most spam bots, since they can't "bounce" the mail that you reject to the "real" local sender.

    I always hate it when providers like this take the short cut of *losing* mail intentionally rather than fixing their broken systems to work right.

    One caveat to my comments - unfortunately, some mail software is symply not geared toward todays Internet, such that it can do the scanning and filtering of messages realtime fast enough to prevent a sending server from timing out while it's doing this scanning, so they queue the mail to process it for spam, etc later. Using such software is the first mistake most places make, and is the real reason why there are so many NDR's in the first place.

    1. Re:NDR's are not evil by profplump · · Score: 2, Insightful

      Except DynDNS doesn't have local users, so they can't verify directly that messages will be delivered.

      A similar problem occurs when you submit outbound mail to your ISP -- unless it's going to someone else at the same ISP, the local SMTP server can't verify that delivery will succeed. At the ISP level it's still probably reasonable to generate bounce message, at least for local users. That way you don't have to do the final delivery right away, users can still get error messages, and you don't risk sending bounces across the Interwebs.

      But it gets tricky for forwarding hosts like DynDNS. The only way to reject during the session would be something like:
      A) Inbound connection sends message to forwarding server
      B) Forwarding server leaves connection open after the DATA command
      C) Forwarding server forms outgoing connections to every domain specified in the envelope addresses
      D) Forwarding server attempts to deliver the message to all final recipients
      E) Forwarding server rejects original connection from (A) if any deliveries in (D) fail

      And even if you overcame the technical complications of such a system, it completely dis-allows the use of mail hosts that don't have 24/7 availability. Moreover it eliminates the ability to use secondary hosts, because even if they can validate addresses (which is not trivial) they can't guarantee things like available disk space on the destination server.

      Rejecting messages in-session is certainly a good idea, but it's ridiculous to think that it's possible to eliminate bounce messages just by validating local addresses before accepting a message.

    2. Re:NDR's are not evil by Michael+Wardle · · Score: 1

      The problem is not with NDRs. The problem is that their servers *accepted* the message that eventually had to be NDR'd in the first place, then after accepting responsibility, decided they didn't want that responsibility, so discarded mail that they promised they would deliver.

      We're looking at you, qmail.

      ... and Postini.

    3. Re:NDR's are not evil by kasperd · · Score: 1

      You do have some valid points, but there are solutions for such problems. For example the ISP case you mention can validate the sender, once you have validated the sender the problem is solved.

      In the case of a relay, it can almost be done in the way you describe. Actually you forgot to mention one problem. Relay sends message to first recipient domain and gets OK, next relay sends message to second recipient domain and get a temporary error condition. When I was implementing such a system myself, the only solution I could think of for that problem was to disallow recipients in different domains in a single transaction. There is a response code in SMTP to indicate that the maximum number of recipients for a single transaction has been reached. If you use that it is the senders responsibility to do another transaction with the remaining recipients.

      Using that response code before you have accepted 100 recipients could be considered a violation of the RFC. But I feel a lot better about violating that limit than silently losing data. Besides I have never seen a server actually sending messages for different domains in the same transaction. What they do is, that they group the recipients by domain, and then does one session per recipient domain. It would be more complicated to actually detect when messages for two different domains can be sent to the same IP address.

      In my case I had some additional requirements, that DynDNS does not have. I wanted my relay to be completely stateless, and sometimes I wanted to change the destination address in ways that caused me to use the 452 code when the previous hop saw two recipient addresses in the same domain. So I checked my log and found that my mail server have used that code five times during those 1½ years I have logs from. And all five times the previous hop correctly did another transaction for the remaining recipients - it did wait for half an hour before doing so though. But a half hour delay in a situation that is probably never going to happen to a legitimate email is IMHO better than silently losing data.

      But since DynDNS is not really trying to avoid keeping state on their relays, they can do better than what I did. For eaxmple they can cache information about valid recipients. If a recipient was valid at some point within the last week, but it is not currently possible to validate it, I'd say it is OK to accept the mail. You may have to bounce a few mails that way, but still you have made a significant cut in the number. Caching can also help a bit on the multiple recipient domains problem - if they are ever going to experience that at all.

      --

      Do you care about the security of your wireless mouse?
    4. Re:NDR's are not evil by Anonymous Coward · · Score: 0

      From the article:

      DynDNS attempts to prevent this problem from happening by using SMTP call ahead to our user's Primary MXes for the sake of recipient verification. This helps to prevent this type of spamming, but only if the user's Primary MX is up. When the user's Primary MX is down, we queue all mail we get for later delivery, just as we should.

    5. Re:NDR's are not evil by profplump · · Score: 1

      I'm not saying there's nothing we can do to reduce the use of bounce messages. Certainly I agree that, when reasonable, mail hosts should reject messages in-session, rather than creating a bounce. But eliminating them altogether means eliminating the store-and-forward methodology, or accepting that mail might not be delivered and you would never know.

      For example the ISP case you mention can validate the sender, once you have validated the sender the problem is solved.

      No, all you've done if ensure you have someplace valid to deliver bounces, should the message generate any before it leaves you server. But unless you somehow pass that trust forward somehow you haven't done a thing for any mail host other than your own. Remote systems may still need to bounce the message, and they have no way to validate the sender.

    6. Re:NDR's are not evil by kasperd · · Score: 1

      But unless you somehow pass that trust forward somehow you haven't done a thing for any mail host other than your own.
      If everybody would just take proper care of their own mail server, the problem would be solved.

      Remote systems may still need to bounce the message, and they have no way to validate the sender.
      Actually validating the domain would be sufficient. There have been attempts at this, but none that will work in every situation.

      But any legitimate email will only travel through mail servers that are either affiliated with the sender or with the recipient. So as long as mail servers affiliated with the sender verify that the sender address is correct, and any mail server affiliated with the recipient verify that the recipient is valid before accepting responsibility for the email, you will get no spurious bounces. In fact all bounces would be going to a local recipient which you had already validated was correct.
      --

      Do you care about the security of your wireless mouse?
  19. No by The+MAZZTer · · Score: 1

    I would find whoever wrote the stupid standard and make sure they are incapable of drafting any more standards in the future.

  20. I like SPF a lot... by msimm · · Score: 1

    But I don't think it's a solution. Between softfails, ISP's who block outgoing connections to port 25 (in favor of using their own SMTP servers) and generally low scoring on most spamassassin configurations I've seen I'd consider it helpful (particularly in getting your email OUT) but not a definitive answer.

    That said I DO wish more people would use it so that it's overall impact would be increased (as people began to rely on it more). TMDA aside (which has a whole batch of problems, I know) it's my next favorite tool.

    --
    Quack, quack.
  21. I do that. by khasim · · Score: 1

    I've always refered to that as a "phone book attack".

    After X failed addresses, block the sender.

    Except you have to make exceptions for things like gmail and hotmail and other major ISP's and mail delivery services.

    Instead of sending and NDR though, I just reject at SMTP time. If the ISP's were a bit smarter, they'd see X rejections (5xx-series) and shut down ALL outbound email from that account.

    And I want a pony and a plastic spaceship and ...

  22. So USE that information. by khasim · · Score: 4, Insightful

    Yes, the spammer can determine whether it has a valid account. But that means ...

    #1. The spammer already HAS the account name and is checking to see if it still works. Defeat this by generously distributing SpamTrap accounts. And accepting email to them. And then opt'ing out of the email that they receive.

    #2. The spammer is trying to guess a new name. Good luck with that. Sure, maybe SOMEWHERE there is an email account of "frank@example.com" but good luck finding it. If you want to have some FUN, watch your logs for examples of this. Then setup some of them as SpamTraps. And follow #1 above.

    I use both of these approaches. It makes filtering spam VERY easy.

  23. Don't send NDRs for spam. Do send NDRs for ham. by Anonymous Coward · · Score: 0

    This case involves a backup MX for third parties. So it's rather unusual, and the rule that should apply 99% of the time ("don't accept it unless you know the recipient is valid") is hard to apply. So I would suggest:

    - Check the SPF.
    - If the SPF is neutral, do some basic spam filtering, e.g. greylisting or RBLs. Probably not content-based unless they have plenty of CPU cycles to burn.

    If the SPF or the spam-filter passes the message, accept it. If it ultimately can't be delivered, send an NDR.

    If the SPF or the spam-filter reject the message, still accept it and attempt delivery (after all, the end user isn't asking for spam filtering at this point). However, in this case, if it ultimately can't be delivered then discard it.

    I reckon that this would keep everyone happy, and wouldn't be hard to implement.

  24. From a simpleton ... by Anonymous Coward · · Score: 0

    I haven't looked at email as reliable for years, because of all of the games being played with it.

    I'm not sure who's worse: the spammers or the anti-spam facists. Sure the spammers aren't doing anyone but themselves a favour, but the anti-spam facists seem to believe that technical tacticts are an effective way to solve a social problem. Unfortunately, they only seem to be making things worse by creating a sort of arms race. So now rather than having 50 unique spams sent once, I get 10 unique spams sent 20 times over -- where each of those 20 tries use a slightly different approach to get through filters. Sure the spammers created the problem, but the actions of the anti-spam facists only made it worse.

  25. If email is so reliable these days... by kindbud · · Score: 1

    Then how come people are paying for a Backup MX service?

    --
    Edith Keeler Must Die
    1. Re:If email is so reliable these days... by chefmonkey · · Score: 1

      How about: "Email is so reliable these days because anyone running a server worth talking to has a backup MX service"?

    2. Re:If email is so reliable these days... by kindbud · · Score: 1

      There seems to be a contradiction here. The problem DynDNS is trying to solve stems directly from backup MX that can't verify recipients, which then become spam relays via asynchronous DSNs. But what problem were people trying to solve by using a backup MX that can't read their organizations global address book? Mail will queue on the originating system if the destination can't be reached. If there is a backup MX, this means the recipient organization wants to queue mail destined to themselves on a host other than the sender's, usually because they think it will make them look bad if their mail queues at the sending side. But if they do this, and then don't send DSNs, they are degrading service for their senders, not improving it. If they had no backup MX, mail would queue on the sender's host, which would presumably have no problem sending DSNs to its own mailboxes, or eliminating them if that was their choice. But the sender gets no choice when the recipient uses a backup MX that sends no DSNs. Their service is degraded, and they don't even know it.

      --
      Edith Keeler Must Die
    3. Re:If email is so reliable these days... by chefmonkey · · Score: 1

      Yes, in a double-fault scenario (you sent email to a non-existent account [fault 1] at my domain when my primary MTA was down [fault 2]), you end up with sub-optimal behavior.

      High-availability systems generally accept degraded performance in a double-fault situation. Really, email only needs to rise to the level of "high-availability" (as opposed to "fault-tolerant"), given users' current expectations. If you need anything better than that, users generally rely on "layer 8" (human) acknowledgment (largely because MTA failure is only one of myriad reasons a message may not make it all the way to the expected recipient's brain).

  26. Good for DynDNS; TZO.COM did this 3 months ago by Sleepy · · Score: 1

    TZO Dynamic DNS people did this 3 months ago.

    This step might not have been necessary if everyone customized (read: FIXED) their Microsoft Exchange installations, but that's never going to happen.

    TZO stated that 80% of outbound relayed mail was DSN from spammer attempts.
    With a lot of Exchange installs, even if that server is NOT an "open relay", they WILL send out DSN's for spam relay attempts. NO mail server should send out DSNs for domains that are not their own - just reject it up front. Unfortunately that is not always true.

  27. They need a bit of imagination... by dermoth666 · · Score: 1

    I'm a sysadmin for a small company (a few hundreds employees) and our mail system just don't need that. We built mail frontends with Qmail, Spamassassin, ClamAV and a few of our own Perl scripts. The way we made it the mails are either refused at the end of the MAIL TO: command (User unknown) or DATA command (Spam, viruses, etc). The valid emails list is fetched regurarly from the enterprise LDAP directory and top offenders (spam ratio too high or too many invalid recipients) are blacklisted at the TCP wrapper level.

    Since we refuse mails during the initial connection instead of using an NDR we don't end up spamming all over the world with faked mails. The number of NDR returned by the mail system is very minimal. It is also much more efficient performance-wise and all the software we used is FREE :)

  28. POTS by banished · · Score: 2, Insightful

    Oh, great. Now I have to use POTS to make sure my e-mail was received and didn't go into a black hole. Either that, or request a read receipt on every e-mail. The only problem is I never respond to read receipts, so why should I expect anyone else to?

  29. Use Return Receipts! by kwilliam · · Score: 0

    It's that simple people. Set the "Request return receipts" setting to ON (and beg your email client to start handling receipts with a checkmark next to the original message in your Sent Items folder). And use digital signatures. People do not understand how easily email can be faked!

  30. You are all crazy, dyndns is absolutely correct by Anonymous Coward · · Score: 0

    I run the servers for a hosting ISP. We've had NDRs turned off for years. We delete suspected spam without comment. When people ask me what the chances are that a legit message will be silently blocked, I tell them the odds are 1 in 300 and if they talk about how they just came from a hot weekend due to the new cialis prescription they might not get through either. If I'm this cavalier about messages, imagine how I feel about NDRs.

    Since about 2004 it's been a terrible war. My servers have 75% of their cpu resources taken up by spam filtering, not useful work.

    If you aren't a full-time sysadmin with a real workload of domains, you don't even have the standing to comment on this topic.

    1. Re:You are all crazy, dyndns is absolutely correct by Anonymous Coward · · Score: 0

      I'm in the mail business, and you're a blithering idiot. I feel sorry for those whose mail you handle.

  31. No, we need that to filter this crap. by Generic+Player · · Score: 1

    Bounce messages that don't contain the original message suck because you can't filter them easily. Normal bounce messages you can check if the original messages contains a rcpt from your mail server or not, and if it doesn't its obviously bogus so drop it. If it does, then its a legit non-deliverable message so you want to deliver it.

  32. NDRs are evil, everyone should turn them off. by Anonymous Coward · · Score: 0

    Is the author stuck in some sort of weird timewarp? NDRs are a huge source of spam and disabling most NDRs should hardly be concidered optional. In fact any ISP still arbitrarily sending them needs to have their head examined. But don't take my word for it....

    The inclusion of your mail server on SPAM related RBLs the constant pitter patter of disk accesses on the servers disk array coupled with the gigabytes of SMTP traffic logged by MRTG might indicate that yes...Its pry about time you too catch a clue and turn off NDRs.

    Mail servers as painful as it may be to them need to do as much as checking as humanly possible upfront and only send an NDR if there is a truely exceptional reason such as a disk array catching fire.

  33. I think that they are brute forcing it. by jfengel · · Score: 1

    Some of the spam to a domain I run came to addresses like this:

    pydh
    uuja
    cmap.ihnc

    I've got no idea where these came from. I never used such email addresses anywhere. Oddly, they're used repeatedly; it looks like somebody decided they were valid and then sold them.

    Another account had valid addresses "ma" and "ac". I'm quite certain that they couldn't have been harvested, because they were used only in very tightly constrained circumstances. I believe that they were picked randomly. They were replaced by longer email addresses and no spam shows up to those.

    And I've seen plenty of emails to "firstname" where that name has never had a valid email address, and it's clear that they're just guessing.

  34. I have an answer by Phroggy · · Score: 2, Insightful

    Congress needs to earmark funding for the FBI to prosecute spammers under CAN-SPAM.

    Yeah, whiners on Slashdot say CAN-SPAM is horrible, because it legalizes spam. What they forget is that CAN-SPAM only legalizes it under certain rules, which spammers are ignoring because there's no enforcement. According to this article from last year, only 0.27% of all junk mail actually complies with CAN-SPAM, which means the other 99.73% is clearly illegal. On top of that, the 0.27% is deliberately easy to filter out if you choose.

    We don't need a new law to make spam illegal; CAN-SPAM already makes it illegal. We just need to start actually prosecuting people who break the law.

    Yes, some spam comes from other countries where the FBI has no jurisdiction, but not as much as you might think, and I believe the FBI already has partnership agreements with agencies in several other countries to work together on fighting spam - they're just not doing enough of it.

    Why won't this happen without an act of Congress? Because without a direct congressional mandate, the FBI has better things to do with its time and money. I don't blame them, really - raiding meth labs or catching serial killers is certainly important. But fighting spam is important too, and there's no reason the FBI couldn't do both.

    So that's the answer. Spam is a social problem, more than it's a technical problem. We can try to fight it with technology, but spammers are fighting back, and they have the huge advantage of not being limited by morals or legality. We can't win with the odds stacked that high in their favor. The only way to win is to throw them all in jail.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  35. Fast, light effective filter by quist · · Score: 1
    Years ago at a small ISP small servers the bounce traffic would clog the mail queues. I added milters from snert.com. Anthony Howe's milter-sender package reduced the mail accept rate to roughly 25% of the pre-filtered levels. It is still in use on one of the mail domains that remains from those days. Today it often rejects 80+% of the incoming mail connections (mostly bot-spam). This means far less mail for your content filter (dspam, SpamAssassin, etc) to slog through. How that? What's it doing?

    Milter-sender uses a number of techniques:
    • call-back test of sending server (is it really a mailserver?)
    • valid RCPT address check
    • built in greylisting
    • white/black lists
    • ...more and features all adjustable
    ...but the main thing is the mail connection is vetted prior to start of the DATA section--rejects are dropped, no bounce backscatter, just a 4xx or 5xx DSN. Legitimate sender's still get a useful bounce message.

    Some of the SnertSoft milters are free, but the king-pin milter-sender, is a commercial product under a derivative BSDish license. Still, well worth the price.
  36. Internet Mail 2000 by Pseudonymus+Bosch · · Score: 1

    I wonder why we don't hear more about Internet Mail 2000, where storage is taken by the sender, not the receiver.

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu