Matthew Elvey writes:
Please read the whole email before responding.
This is a request for a particular kind of feedback from
experts/regulars on the issue of spam blowback (i.e.
Joe-jobs/backscatter due to forged MAIL FROM's) from Sieve-based
systems. There's some relevant work going on on
ietf-mta-filters(_at_)imc(_dot_)org(_dot_)
The IETF's SIEVE Working Group
<http://www3.ietf.org/html.charters/sieve-charter.html> is
modifying/updating the way scripts written in Sieve (the mail filtering
language) can handle messages to be refused/bounced/sent to where they
purportedly came from. The current method, as defined in the Sieve
standard (RFC 3028) is not good, IMO. It results in tons of spam
blowback/backscatter when the sender is forged, including when Sieve
scripts are part of a Challenge/Response system, or out-of-office
system, or spam-filtering system. I've gone through a great deal of
effort to remedy this; I've written several versions of an
Internet-Draft to fix the problem to a great extent; see refuse-reject
<http://www.ietf.org/internet-drafts/draft-ietf-sieve-refuse-reject-04.txt>,
which explains the problem and my solution in more detail to those not
familiar with the issue.
At the last Sieve meeting a few weeks ago (I attended remotely), it was
determined that there was a rough consensus among implementers who were
present (at least there was support from Alexey, Chris, and Philip; the
others abstained or did not support it) to keep the current behaviour as
the default. It was stated that Sieve is not used as part of
spam-filtering systems, and that the current behaviour was not causing
problems.
I've said that I regularly receive blowback from such systems (along
with tons of blowback from other kinds of systems), but I was the lone
voice. In my effort to fix Sieve the way I think it needs to be to best
address the problem, I could use some support for my argument.
NOTE: If you have expertise and can speak credibly and eloquently
regarding the impact of backscatter and/or provide statistics on
receiving backscatter from such systems, your feedback would be most
appreciated; the best forum for such feedback would be the Working
Group's mailing list <http://www.imc.org/ietf-mta-filters/> (you must
subscribe to post). If you just want to vent or yell semi-incoherently,
please don't. To date, the only support I've received has been
off-list, from Spamcop Forum regulars, e.g. Miss Betsy, and Wazoo:
http://forum.spamcop.net/forums/index.php?showtopic=7436
If you'd like to comment on the draft please join the list and post
THERE. E.g. the current draft doesn't discuss email authentication and
how it could be used.
It's not possible to identify some such backscatter. If you get
backscatter that says, "Your message was automatically rejected by
Sieve, a mail filtering language.", or is "From: Mail Sieve Subsystem
<postmaster[at]somedomain.dom>", it's coming from a Sieve-based system,
and that's what I want to hear about. (Though if it's not there, that
does NOT mean it wasn't from such a system.)
Unfortunately, I've just checked the 212 MB of backscatter I've
received since Sunday (seriously!) -- no signs here...
There's also an argument going on about whether to require that
Sieve-generated MDNs include the header of the refused message, in
order to help identify authorized senders for email from a domain. I
feel we should require that the full message header of the message being
returned (at least all those header lines that were on the message when
it was received) be included in the messages, an MXCOMP issue. This is
so that backscatter detection systems have something to work with.
Others disagree.
I strongly agree on this point.
SpamAssassin 3.2.0 will probably include an anti-backscatter ruleset, btw.
I'm viewing it as nearly as big a problem as direct spam, nowadays; the
DDOS effects of spam backscatter nearly took down my mailserver this past
weekend. :(
What about the Sieve drafts restricting reject DSNs/MDNs to senders that
authenticated using SPF/DK/DKIM? That would fix the problem and may
be more popular.
--j.
Questions? Post here or email me.
My most recent post:
http://thread.gmane.org/gmane.ietf.mta-filters/3328/focus=3328
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
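Added example, not part of either poster's message: a triage sketch showing why a returned header gives a backscatter detector "something to work with". It matches the two Sieve markers quoted in the thread, then compares the refused message's Message-ID domain with the recipient's own domains; the Message-ID heuristic, the function names and the sample bounce are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# The two markers quoted in the thread above.
SIEVE_BODY = "Your message was automatically rejected by Sieve"
SIEVE_FROM = "Mail Sieve Subsystem"

def returned_headers(msg):
    """Header block of the refused message, if the bounce carries one."""
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    return None

def triage(raw, our_domains):
    """Return (looks_like_sieve, verdict) for one raw bounce."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()) if body is not None else ""
    from_sieve = SIEVE_FROM in str(msg.get("From", "")) or SIEVE_BODY in text
    orig = returned_headers(msg)
    mid = str(orig.get("Message-ID", "")) if orig is not None else ""
    domain = mid.strip().strip("<>").rpartition("@")[2].lower()
    if not domain:
        return from_sieve, "undetermined"  # no returned header to work with
    # Assumption: our MTA stamps its own domain into Message-ID. A match is
    # only "plausibly ours"; under that assumption a mismatch is backscatter.
    return from_sieve, "ours" if domain in our_domains else "backscatter"

def sample(extra_part=""):
    """Constructed MDN-shaped bounce; every address is a placeholder."""
    return (
        "From: Mail Sieve Subsystem <postmaster@somedomain.example>\n"
        "To: user@example.org\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/report;\n"
        ' report-type=disposition-notification; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\n"
        "Your message was automatically rejected by Sieve, a mail\n"
        "filtering language.\n" + extra_part + "--b--\n")

WITH_HEADERS = sample("--b\nContent-Type: text/rfc822-headers\n\n"
                      "From: user@example.org\n"
                      "Message-ID: <abc123@bulk.invalid>\n\n")

if __name__ == "__main__":
    print(triage(WITH_HEADERS, {"example.org"}))  # header returned
    print(triage(sample(), {"example.org"}))      # header missing
```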