Re: RFC3463, 450 reply codes, and 4.7.1 extended codes.

2005-05-09 07:58:28

<Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu> wrote:

It was suggested to me that an SMTP server implementing greylisting
needs to return a descriptive code, and some variant on

450 4.7.1 You've been greylisted, try again later

is the "best fit" from RFC3463, which says:

      X.7.1   Delivery not authorized, message refused

         The sender is not authorized to send to the destination.  This
         can be the result of per-host or per-recipient filtering.  This
         memo does not discuss the merits of any such filtering, but
         provides a mechanism to report such.

Yep.  Stick a 4 on it to tell the other end that it's not authorized *now*,
but might be later, and we're ready to rock.  Unfortunately, there's one
final line to that description:

         This is useful only as a permanent error.

What's the general consensus here?  Is 4.7.1 in fact useful as a temporary
error in this case, or do we risk the wrath of the RFC wonks if stuff
deploys that uses that?

   It's pretty clear that the final line is merely an opinion: thus nobody
_should_ get uptight about you using it.

   Alas, I suspect the opinion may still be correct...

   What is the _benefit_ of telling a spammer you're greylisting him?


   Which brings to mind a related question: has anyone thought through
how to improve greylisting from a simple probability-of-temp-error?

   It's clear to me that simple probability encourages escalation; and
I very much dislike "solutions" which encourage escalation.

   My thoughts run along the line of keeping a database by IP address
of sending SMTP client with times of attempts, to check that we're
delaying long enough for IP addresses to get blacklisted. But it's not
clear how long that is; nor is it clear how we decide this _particular_
email has been delayed long enough. I find myself thinking of hashing
MAIL-FROM and RCPT-TO; and this starts looking _very_ unattractive.


John Leslie <john(_at_)jlc(_dot_)net>