ietf-asrg

[Asrg] Ban the bounce; improved challenge-response systems

2003-04-05 21:24:12
  Bounce messages are a relic from a kinder/gentler internet where
spammers didn't exist, and didn't forge innocent 3rd-parties' email
addresses into the "From:" or "Reply-To:" headers.  Maybe it's time to
deprecate bounce messages.  Open relays were once considered good, but
spammers' abuse has caused them to be deprecated.

  To continue providing delivery-failure info to legitimate senders, we
will have to use some variant of 4xx or 5xx reject messages.  This, of
course, implies that the internet-facing MTA will have to be able to make
and carry out the decision to reject an email.  A clunky system that
blindly accepts all incoming email and passes it on to a second machine
for final disposition won't work.  If the second machine decides, for
whatever reason, to refuse the email, the only way it can send that
notification is via a bounce message.  And if a spammer has forged the
"From:" and/or "Reply-To:" header, innocent third parties get mailbombed.

  Current challenge-response systems share the major flaw of bounce
messages, i.e. they blindly accept the "From:" header as gospel.  So
instead of a spamrun resulting in a few angry responses from clueless
newbies who can't parse headers, it may draw a whole slew of challenges
from whitelist systems.  Then there's stuff like the tim(_at_)mailkey(_dot_)com
fiasco; nuff said.

  I have an account with an ISP with a hacked-up Qmail that parses
filter-config files in users' home directories right after the RCPT:
stage.  If the filter results in rejection, the email is rejected with a
550 code before the DATA: stage.  It is *NOT* bounced.  This ISP doesn't
participate in the mailbombing of innocent 3rd-parties.

  I didn't think of it as a challenge-response system at the time, but
for most reject messages, I include a URL to one of my home webpages
that has my current temporary unfiltered email address to bypass the
filters.  I assume that spammers use spamware and won't read, let alone
act on, 550 reject messages.  Real people trying to get in touch with me
will receive the 550 reject, along with the pointer to my bypass address
and can contact me that way.  A spam that gets rejected will result in a
550 to the sending MTA, not a bounce to an innocent 3rd party.  If
something breaks and asrg list messages get rejected, the list-manager
MTA will get 550's, rather than subscribers getting "tim(_at_)mailkey(_dot_)com"
messages.

  I do realize that there is a significant difference in scale between a
small ISP, versus AOL.  Looking up a RCPT: address amongst 30 million
main addresses (and who-knows-how-many "screen names") requires
significant hardware/software to do in a timely manner.  But it will
have to be done.  Otherwise other people, and entire ISPs, may be forced
to blockade in self-defense against biggies who mailbomb-by-proxy.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
An infinite number of monkeys pounding away on keyboards will
eventually produce a report showing that Windows is more secure,
and has a lower TCO, than linux.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
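
Added example, not part of the original post and not the ISP's Qmail code: a minimal model of the RCPT-stage rejection described above, next to the accept-then-bounce design it replaces. The filter table format, the addresses, the URL and the names `EdgeMTA` and `generated_mail` are constructed assumptions, and the filter is assumed to match on the sender address given in the SMTP session.

```python
import re

# Constructed per-recipient filter table; the format is an assumption.
FILTERS = {
    "walter@example.org": {
        "reject_sender": [r"@bulk\.example\.net$"],
        "bypass_url": "http://example.org/contact.html",
    },
}

class EdgeMTA:
    """Server side of one SMTP transaction; filtering happens at RCPT."""

    def __init__(self, filters):
        self.filters = filters
        self.sender = None
        self.accepted = []

    def mail_from(self, addr):
        self.sender, self.accepted = addr.lower(), []
        return "250 ok"

    def rcpt_to(self, addr):
        if self.sender is None:
            return "503 MAIL first"
        cfg = self.filters.get(addr.lower())
        if cfg is None:
            return "550 no such mailbox"
        if any(re.search(p, self.sender) for p in cfg["reject_sender"]):
            # Refusal travels back on the live connection to the real client.
            return "550 rejected by recipient filter; see " + cfg["bypass_url"]
        self.accepted.append(addr.lower())
        return "250 ok"

    def data(self):
        return "354 go ahead" if self.accepted else "503 no valid recipients"


def generated_mail(filters, claimed_sender, rcpt, reject_in_session):
    """Return messages the receiving site itself emits for one delivery attempt."""
    mta = EdgeMTA(filters)
    mta.mail_from(claimed_sender)
    verdict = mta.rcpt_to(rcpt)
    if verdict.startswith("250") or reject_in_session:
        return []  # delivered, or refused in-session: nothing new is sent
    # Accept-then-filter: the session is over, so the only channel left is a
    # bounce addressed to whatever sender the message claimed.
    return [("bounce", claimed_sender)]
```

With `reject_in_session=True` the forged sender receives nothing; with `False` the same filter decision turns into a bounce to the forged address.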