
Re: [Asrg] where the message originated

2009-01-12 08:00:22
On Sun, Jan 11, 2009 at 03:57:07PM -0600, Gordon Peterson wrote:
> That's not really the issue.  The issue is that people occasionally have
> very legitimate need to send mail other than through their normal
> channels, PARTICULARLY when away from the office (at home, perhaps,
> although sending a mail that's work-related;  from a library or airport
> public access terminal;  at a customer location;  and particularly when
> traveling out of the country.)

All the more reason why operations that have such a need should plan
and build to meet it: webmail clients are accessible from almost
anywhere, and decent open-source ones are free and not particularly
difficult to set up.  Yes, this leaves out the tiny number of
people in odd situations like cruise ships, but that's an edge case.
(And surely someone who can afford a cruise can also afford a satellite
link or similar if email is REALLY that important to them.)

The days when we could freely forge our own addresses into the envelope
for convenience are coming to an end.  I don't like it much, but
it's just another aspect of the damage caused by spammers.

> In this case, however, the overly-broad-brush of poisoning ALL traffic
> transiting an IP address just because it has sent "some" unwanted or
> malicious mail can create a GREAT deal of serious collateral damage.

1. There's no such thing as "collateral damage" because there's no such
thing as "damage" in this context.  Please review the archives of this
list from spring 2008.

2. If an address is emitting abuse, then why should anyone accept
*anything* from it, until that situation has been addressed?  (Which
includes not just fixing the immediate problem, but taking steps to
avoid a repeat occurrence, and, I think, issuing a public apology
and explanation.  It's the least that people responsible for such
huge amounts of damage [1] can do.)

> Correct. The anti-virus filter should just swallow the message with no
> complaints or notices. I don't know what RFC blesses that behavior,
> though.

Incorrect.  The receiving MTA should reject with an appropriate error
message.  While it's much more likely that a malware filter will generate
a FN than a FP, it's still possible, and an error message will be helpful
in tracking down such situations.  It might -- and I may be over-optimistic
here -- also help notify the originating site that it has a problem,
if they're paying attention to their own logs, and if they're not
doing it on purpose.

The more general principle here is that mail should never disappear into
a black hole.  (This is one reason why I've argued strongly against
quarantines, which I consider a fundamentally broken concept.)  We all
make mistakes, the systems we deploy make mistakes, routers break,
DNS fails, etc., and the best way to give ourselves a fighting chance
of diagnosing such problems is to generate appropriate error messages.
The costs of doing so are tiny, and the potential savings in wasted
human effort are large.  (Yes, I know that some horribly-broken systems
mangle carefully-generated error messages.  <sigh>)

> It is very frustrating to get (sometimes hundreds a day) bounce messages
> that come back to my domain (catch-all address mailbox) for e-mail
> messages which *I* NEVER SENT, just because the spammers' From: address
> used a counterfeit/bogus e-mail address forging one of my domains.

This is backscatter spam, which results when improperly-configured mail
systems run by incompetent mail system administrators fail to reject and
instead bounce them to the putative sender.  Some DNSBLs will list hosts
for backscatter -- as they should, as it's just another variety of spam.
You might consider using one of those (if you're not already), and you
should definitely consider disabling all catch-all addresses, as they're
likely targets for DDoS attacks.  [2]

---Rsk

[1] I think one reasonable metric for the monetary value of damage
can be constructed by considering junk fax statutes.  Here in the US,
a single junk fax is valued at $500, amount tripled under some circumstances
(and doubled again in California).  If we consider a mail server
compromised for a brief period of time (one hour) and emitting messages
at a very low rate (1 per second to 1 user each), that's a minimum
of $1.8M in damages.  More realistic estimates easily reach into 9 figures.

[2] I don't know if there's broad community consensus on this, but I've
been routinely disabling all catch-all addresses anywhere I've been for
over a decade.  Given the huge amounts of spam being sent to never-existed
and no-longer-existing addresses, it's not only a good way to deflect a
fair amount of junk mail, it can also be useful in detecting spammers.
(The failure of some purportedly-legitimate senders to display rudimentary
mailing list management skills -- that is, to remove recipients after
a sufficient number of rejects/sufficient period of time -- is quite
annoying.  I've observed that most, but not all, "amateur" mailing lists
perform far better in this regard than supposedly-"professional" senders.)
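[Editor's added example, not part of the message above or of any ASRG work.] The reply makes two operational points: an MTA should refuse unwanted mail with a 5xx reply during the SMTP session rather than accept it and bounce it later, because the envelope sender it would bounce to is forgeable and the bounce becomes backscatter; and catch-all addresses turn dictionary-style spam into delivered mail. The Python below simulates both policies over a constructed batch of messages (the IPs, domains and addresses are sample data) and counts the bounces that would land on the forged victim domain. It also builds the reversed-octet lookup name used to query a DNSBL; the zone name is a placeholder and no DNS query is made.

```python
"""
Simulates in-session rejection (SMTP 5xx) versus accept-then-bounce and
shows how the latter turns forged MAIL FROM addresses into backscatter.
Added illustration; all addresses, IPs and messages are constructed.
"""
from dataclasses import dataclass


@dataclass
class Message:
    client_ip: str          # IP of the connecting SMTP client
    mail_from: str          # envelope sender (MAIL FROM); trivially forgeable
    rcpt_to: str            # envelope recipient (RCPT TO)
    body: str
    malware: bool = False   # verdict of a simulated malware filter


@dataclass
class Policy:
    reject_in_session: bool  # True: reply 5xx now; False: accept, bounce later
    catch_all: bool          # True: any localpart in local_domain is accepted
    local_domain: str
    mailboxes: frozenset     # localparts that actually exist


def smtp_verdict(msg: Message, policy: Policy) -> str:
    """Return the SMTP reply the receiving MTA would give for this message."""
    localpart, _, domain = msg.rcpt_to.rpartition("@")
    if domain != policy.local_domain:
        return "554 5.7.1 relay access denied"
    if localpart not in policy.mailboxes and not policy.catch_all:
        return "550 5.1.1 user unknown"
    if msg.malware:
        return "550 5.7.1 message rejected: malware detected"
    return "250 2.0.0 accepted"


def deliver(messages, policy):
    """Process a batch; return (delivered, rejected_in_session, bounce_targets).

    With reject_in_session the 5xx goes back to the connecting client: a real
    MTA then notifies its *own* (verified) sender, and a spam bot just moves
    on. Without it, the message was already accepted, so the only party left
    to notify is the forgeable MAIL FROM, i.e. backscatter.
    """
    delivered, rejected, bounces = [], [], []
    for msg in messages:
        verdict = smtp_verdict(msg, policy)
        if verdict.startswith("250"):
            delivered.append(msg)
        elif policy.reject_in_session:
            rejected.append((msg, verdict))
        else:
            bounces.append(msg.mail_from)
    return delivered, rejected, bounces


def backscatter_to(domain, bounce_targets):
    """Count bounces that would land on a given (possibly forged) domain."""
    return sum(1 for addr in bounce_targets if addr.endswith("@" + domain))


def dnsbl_query_name(ip, zone):
    """Reverse-octet DNSBL lookup name for an IPv4 address (no query made)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone


# Constructed traffic: a dictionary-style run from one client forging
# MAIL FROM in victim.example (half carrying malware), plus one real message.
SAMPLE = [
    Message("192.0.2.10", f"user{i}@victim.example", f"guess{i}@example.net",
            "buy now", malware=(i % 2 == 0))
    for i in range(6)
] + [Message("198.51.100.7", "alice@example.org", "bob@example.net", "hi")]

MAILBOXES = frozenset({"bob", "postmaster"})
STRICT = Policy(True, False, "example.net", MAILBOXES)   # reject + no catch-all
LAX = Policy(False, True, "example.net", MAILBOXES)      # accept/bounce + catch-all


def summarize(policy, messages=SAMPLE):
    """Per-policy counts: delivered, rejected in session, backscatter to victim."""
    delivered, rejected, bounces = deliver(messages, policy)
    return {"delivered": len(delivered), "rejected": len(rejected),
            "backscatter": backscatter_to("victim.example", bounces)}


if __name__ == "__main__":
    for name, pol in (("strict", STRICT), ("lax", LAX)):
        print(name, summarize(pol))
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example"))
```

Under the strict policy every guessed address is refused with 550 during the session and the victim domain receives nothing; under the lax policy the catch-all delivers the non-malware spam and the malware-carrying messages, already accepted, become bounces addressed to the forged victim.example senders.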

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg