
Re: [Asrg] This is a request for feedback from experts/regulars to help reduce spam backscatter from Sieve implementations

2006-11-28 07:14:27

Matthew Elvey writes:
Please read the whole email before responding.

This is a request for a particular kind of feedback from 
experts/regulars on the issue of spam blowback (i.e. 
Joe-jobs/backscatter due to forged MAIL FROM's) from Sieve-based 
systems. There's some relevant work going on on 
ietf-mta-filters(_at_)imc(_dot_)org(_dot_)

The IETF's SIEVE Working Group 
<http://www3.ietf.org/html.charters/sieve-charter.html> is 
modifying/updating the way scripts written in Sieve (the mail filtering 
language) can handle messages to be refused/bounced/sent to where they 
purportedly came from. The current method, as defined in the Sieve 
standard (RFC 3028) is not good, IMO. It results in tons of spam 
blowback/backscatter when the sender is forged, including when Sieve 
scripts are part of a Challenge/Response system, or out-of-office 
system, or spam-filtering system. I've gone through a great deal of 
effort to remedy this; I've written several versions of an 
Internet-Draft to fix the problem to a great extent; see refuse-reject 
<http://www.ietf.org/internet-drafts/draft-ietf-sieve-refuse-reject-04.txt>, 
which explains the problem and my solution in more detail to those not 
familiar with the issue.

At the last Sieve meeting a few weeks ago (I attended remotely), it was 
determined that there was a rough consensus among implementers who were 
present (at least there was support from Alexey, Chris, and Philip; the 
others abstained or did not support it) to keep the current behaviour as 
the default. It was stated that Sieve is not used as part of 
spam-filtering systems, and that the current behaviour was not causing 
problems. I've said that I regularly receive blowback from such systems (along 
with tons of blowback from other kinds of systems), but I was the lone 
voice. In my effort to fix Sieve the way I think it needs to be to best 
address the problem, I could use some support for my argument.

NOTE: If you have expertise and can speak credibly and eloquently 
regarding the impact of backscatter and/or provide statistics on 
receiving backscatter from such systems, your feedback would be most 
appreciated; the best forum for such feedback would be the Working 
Group's mailing list <http://www.imc.org/ietf-mta-filters/> (you must 
subscribe to post). If you just want to vent or yell semi-incoherently, 
please don't.  To date, the only support I've received has been 
off-list, from Spamcop Forum regulars, e.g. Miss Betsy, and Wazoo:
http://forum.spamcop.net/forums/index.php?showtopic=7436

If you'd like to comment on the draft please join the list and post 
THERE.  E.g. the current draft doesn't discuss email authentication and 
how it could be used.

It's not possible to identify some such backscatter. If you get 
backscatter that says, "Your message was automatically rejected by 
Sieve, a mail filtering language.", or is "From: Mail Sieve Subsystem 
<postmaster[at]somedomain.dom>", it's coming from a Sieve-based system, 
and that's what I want to hear about. (Though if it's not there, that 
does NOT mean it wasn't from such a system.)

Unfortunately, I've just checked the 212 MB of backscatter I've
received since Sunday (seriously!) -- no signs here...

There's also an argument going on about whether to require that 
Sieve-generated MDNs include the header of the refused message, in 
order to help identify authorized senders for email from a domain. I 
feel we should require that the full message header of the message being 
returned (at least all those header lines that were on the message when 
it was received) be included in the messages, an MXCOMP issue.  This is 
so that backscatter detection systems have something to work with.  
Others disagree.

I strongly agree on this point.

SpamAssassin 3.2.0 will probably include an anti-backscatter ruleset, btw.
I'm viewing it as nearly as big a problem as direct spam, nowadays; the
DDOS effects of spam backscatter nearly took down my mailserver this past
weekend. :(

What about the Sieve drafts restricting reject DSNs/MDNs to senders that
authenticated using SPF/DK/DKIM? That would fix the problem and may
be more popular.

--j.

Questions? Post here or email me.

My most recent post: 
http://thread.gmane.org/gmane.ietf.mta-filters/3328/focus=3328

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
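The thread makes two points a receiving-side detector can act on: a Sieve-generated reject can be recognised by the "Mail Sieve Subsystem" From header or the "automatically rejected by Sieve" boilerplate, and a reject is only verifiable as legitimate or as backscatter if it carries the refused message's original headers (the MXCOMP argument). The script below is an added example written for this page, not code from the thread, the Sieve working group or SpamAssassin. It classifies an inbound bounce using those two fingerprints and then checks whether the returned Received headers show the refused message passing through our own relays; the relay hostname `smtp.example.net`, the `OUR_RELAYS` set, and all four sample messages are constructed for the example, and the Received-header check is a simple heuristic, not a standard.

```python
"""Classify an inbound bounce as probable Sieve backscatter (added example)."""
import email
from email import policy
from email.message import EmailMessage

# The two fingerprints quoted in the thread for a Sieve-generated reject.
SIEVE_BOILERPLATE = "Your message was automatically rejected by Sieve"
SIEVE_FROM = "Mail Sieve Subsystem"

# Hostnames of our own outbound relays (constructed for this example).
OUR_RELAYS = {"smtp.example.net"}


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def is_sieve_mdn(msg: EmailMessage) -> bool:
    """True if the From header or any text/plain part carries a Sieve fingerprint."""
    if SIEVE_FROM.lower() in str(msg.get("From", "")).lower():
        return True
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and SIEVE_BOILERPLATE in part.get_content():
            return True
    return False


def returned_headers(msg: EmailMessage):
    """Return the refused message's headers if the MDN included them, else None.

    Both common ways of returning them are handled: a text/rfc822-headers part
    (headers only) or a message/rfc822 part (the whole refused message).
    """
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
        if ctype == "message/rfc822":
            return part.get_content()
    return None


def passed_through_our_relays(headers) -> bool:
    """Heuristic: did the refused message really leave via one of our relays?"""
    for received in headers.get_all("Received", []):
        line = str(received).lower()
        if any(host in line for host in OUR_RELAYS):
            return True
    return False


def classify(raw: str) -> str:
    """not-sieve | unverifiable | legitimate-bounce | backscatter"""
    msg = parse(raw)
    if not is_sieve_mdn(msg):
        return "not-sieve"
    headers = returned_headers(msg)
    if headers is None:
        return "unverifiable"  # no headers returned: nothing for a detector to work with
    if passed_through_our_relays(headers):
        return "legitimate-bounce"
    return "backscatter"  # our address was forged in MAIL FROM; we never sent it


# Constructed sample bounces (addresses, hosts and dates are invented).
_HEAD = """\
From: Mail Sieve Subsystem <postmaster@somedomain.dom>
To: victim@example.net
Subject: Automatically rejected mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

Your message was automatically rejected by Sieve, a mail
filtering language.

--b1
Content-Type: text/rfc822-headers

"""
_TAIL = """From: victim@example.net
To: user@somedomain.dom
Subject: cheap meds

--b1--
"""
BACKSCATTER_SAMPLE = _HEAD + (
    "Received: from 203-0-113-7.dsl.example (203.0.113.7)\n"
    "        by mx.somedomain.dom with SMTP; Mon, 27 Nov 2006 09:00:00 +0000\n"
) + _TAIL
LEGITIMATE_SAMPLE = _HEAD + (
    "Received: from smtp.example.net (smtp.example.net [198.51.100.5])\n"
    "        by mx.somedomain.dom with ESMTP; Mon, 27 Nov 2006 09:00:00 +0000\n"
) + _TAIL
NO_HEADERS_SAMPLE = """\
From: Mail Sieve Subsystem <postmaster@somedomain.dom>
To: victim@example.net
Subject: Automatically rejected mail

Your message was automatically rejected by Sieve, a mail
filtering language.
"""
NOT_SIEVE_SAMPLE = """\
From: MAILER-DAEMON@somedomain.dom
To: victim@example.net
Subject: Undeliverable mail

Delivery to the following recipient failed permanently.
"""

if __name__ == "__main__":
    for name, sample in [("backscatter", BACKSCATTER_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE),
                         ("no-headers", NO_HEADERS_SAMPLE), ("not-sieve", NOT_SIEVE_SAMPLE)]:
        print(f"{name:12s} -> {classify(sample)}")
```

The "unverifiable" outcome is the practical weight behind requiring the returned headers: without them a receiver can only count Sieve rejects, not tell a forged-sender reject from a real one. A production filter would additionally compare the Message-ID domain and any DKIM/SPF evidence in the returned headers rather than relying on relay names alone.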
