Re: [Asrg] where the message originated (was: DKIM role?) (SM)

It is important to remember that many individuals and many smallcompanies use personal or "vanity" domain names.

These domain names appear in their "From:" and "Reply-to:" addresses ontheir outgoing e-mail messages, but SHOULD NOT be presumed to indicatewhere the e-mail in question is arriving from.

For example, I might be travelling somewhere and sending e-mail messagesfrom an inhabitual location: a cruise ship Internet cafe, an Internetaccess kiosk above a post office location in Beijing, a coffee bar, orother such public-access location. In such a situation, I willtypically have NO control over what outgoing mail server is sending mye-mail message, and since my being there is temporary I obviously don'twant to put a return address on my mail that would be connected with thelocation where I physically am at the time.

Another example is where a small company also uses a company domainname, although they might use very different mail handling for theiroutgoing staff e-mail messages (for example, which might go through anearby ISP, often for historical reasons) as compared to theirautomatically generated e-mails (example: invoices, price quotations,EFT transfer notices, and the like) generated by their back-officeaccounting systems... which might be sent directly by outgoing mailservers inside their NAT router.

We've several times been hurt by stupid antispam approaches which refuseperfectly legitimate e-mails because they don't like the IP address theyare coming from.

Another problem we have had is when we were sending company E-mailsthrough the outgoing mail server provided by our domain hosting company,and one of the (tens of thousands) of companies they were hostingdomains for apparently became infected and began sending messagescontaining a virus or something. The result was that ALL the companiesforwarding through that outgoing mail server became blocked, even thoughour company (and, I'm sure, most of the companies using that same sharedoutgoing mail server) was never infected or compromised.

While we're talking about the issue of antispam nuisances, another isthe situation where a spam blocker inadvertently serves as an "IPaddress laundering agent" when they bounce back a message detected ascontaining spam, or a virus. It is particularly stupid to bounce back amessage because it is detected to contain a virus WHICH IS KNOWN TOFALSIFY OR COUNTERFEIT THE RETURN ADDRESS! In that case, the spamblocker sending the 'bounce'/refused message does not know where theoriginal message was ACTUALLY sent from; commonly they will send thebounce message to the COUNTERFEIT "from" address (n.b. the address theoriginal spammer ACTUALLY wanted to send the message to!) only now, itarrives from a "clean" IP address (i.e. the IP address of the antispamblocker which "bounced" it) rather than from the IP address actuallyoriginating the message (which the actually intended recipient mighthave refused, based on the sender IP address). So now the unwantedmessage arrives at its intended destination, having "reflected" off aspam reflector and thus now with a "reputable" IP address. (True, it isnow shown as an "undeliverable/spam/virus" bounce, but a lot of peopleDO open such messages). ...ANYHOW, PARTICULARLY when a message is sentby a virus KNOWN to falsify origin addresses, it is NOT helpful to senda bounce message back to the "bogus" "origin" address indicated in themessage.

I have a folder here with probably something approaching a hundredthousand such bounces, caused by spam messages which were sent usingbogus/falsified addresses but counterfeiting one of my domains, andwhere these messages did not originate from any of my systems. Thepoint is that there is NO value in sending back a bounceback/refusedmessage unless you are SURE you know where it should be sent back to(i.e. who actually sent it). It's NOT enough to just believe the"From:" address.

Subject: Re: [Asrg] where the message originated (was: DKIM role?)
To: Anti-Spam Research Group - IRTF <asrg(_at_)irtf(_dot_)org>
Message-ID: 
<6(_dot_)2(_dot_)5(_dot_)6(_dot_)2(_dot_)20090109113345(_dot_)030d80d0(_at_)resistor(_dot_)net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 13:05 08-01-2009, Franck Martin wrote:
on 4) for information there is this blocking list:
http://www.uceprotect.net/en/rblcheck.php?ipr=202.170.42.206
but it tends to block by AS number and in the above case, AS9241 isthe whole country of Fiji.
That shouldn't be a problem if you don't communicate with people from Fiji. :-)
Also as a note, I think dealing with high volume mail sender is notthe issue, they are known, we know their technics, etc... it is moreto deal with the long tail of little companies, organisations, smallISPs, etc..
Some receivers may view these small organizations as statisticallyinsignificant. These small organizations generally adopt antispampolicies without analyzing whether such policies can have a negativeimpact on them in future.
At 09:44 09-01-2009, Douglas Otis wrote:
White-listing based upon a domain would be dangerous without also
including the IP address of the SMTP client and message tracking.
There are companies currently providing this service, particularly
needed where spam remains largely unmanaged.
The question was whether it is important to note where the messagecame from. I take it that your answer is yes.
The algorithm can remain oblivious to who owns the SMTP client.  It
determines whether a conversation was observed, while also allowing
also users to submit corrections.
That only works as long as the two end-points for the conversationare static. Such a constraint is only acceptable to users until theymove around and experience a communication failure.
Regards,
-sm


--

Gordon Peterson II
http://personal.terabites.com
1977-2007:  Thirty year anniversary of local area networking
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg