ietf-smtp

Re: Bounce/System Notification Address Verification

2005-06-27 17:39:20


----- Original Message -----
From: "Ned Freed" <ned(_dot_)freed(_at_)mrochek(_dot_)com>

Wrong.  There is no prohibition that I'm aware of against using <> for
other purposes, and there are some standards that specifically require
using <> - e.g. MDNs and responses from mail robots, neither of
which are constrained to exactly one recipient.

FWIW, Keith is correct about this and I found this out the hard way.

Hi Ned,

I never said it was not.  I just agreed with Valdis in that there do exist
one-limit behaviors.

We didn't imply it was not possible, and I had already stated it was possible
for a system to operate in a post-SMTP recipient validation mode.

The fact is that they do exist (NULL return path, 1 RCPT TO) and our CBV
engineering covers it with an RSET option:

    UseRSET              True               ; Solves 1 RCPT limit for MAIL FROM: <>

On an open ended basis the payoff is high to trap for such open-relay
operations.

[example valid story]

If you have a relationship or social/business network, then I don't believe a
CBV should be done.  Like in your case, you had a special relationship.

The issue is Return Path Validation.

Standard/BCP operations: MAIL FROM:

1.  <>  --> no bounce needed
2.  <other address>  --> bounce possible. Address must be valid.

For the Return Path Validator (CBV) implementation:

3.  <>  --> skip CBV
4.  <postmaster @ domain>  --> skip CBV
5.  <other address>  -->  CBV possible. Address must be valid.

The CBV skips 3 for obvious reasons.  In our implementation 4 is skipped by
default:

    SkipPostMaster       True        ; If mail from postmaster, skip CBV

Now, at the remote site, for our CBV implementation, the optional open relay
test is done with a random address. If it is accepted, it is rejected.

    OpenRelayCheck       True
    RejectOpenRelay      True
    ResponseCodeRelay  552         ; Site is an open relay

Two years of implementation across thousands of systems, no complaints or
reports that have not been addressed.

Verizon.Net is a big ISP and they perform a CBV on every incoming
unauthorized transaction. But they do it immediately at MAIL FROM.  We wait
until RCPT TO is determined to reduce the CBV overhead needed.

Check out how Verizon.Net does it using its MailPass server.

Here I telnet to verizon.net and I am going to have it verify my (good)
address:

220 sv19pub.verizon.net MailPass SMTP server v1.2.0 -
        013105113116JY+PrW ready Mon, 27 Jun 2005 18:01:13 -0500
helo hdev1
mail from: <hsantos(_at_)santronics(_dot_)com>
[1 second delay]
250 Sender <hsantos(_at_)santronics(_dot_)com> OK
quit
221 sv19pub.verizon.net closing connection

and here was the verizon.net CBV session captured on my end:

19:03:28 C: HELO sv19pub.verizon.net
19:03:28 S: 250 winserver.com, Pleased to meet you.
19:03:28 C: MAIL FROM:<>
19:03:28 S: 250 <>... Sender ok.
19:03:28 C: RCPT TO:<hsantos(_at_)santronics(_dot_)com>
19:03:28 ** WCX Process: wcsap  ret: -1
19:03:28 S: 250 <hsantos(_at_)santronics(_dot_)com>... Recipient ok
19:03:28 C: QUIT
19:03:28 S: 221 closing connection

and here is another session where it fails a bad user:

220 sv9pub.verizon.net MailPass SMTP server v1.2.0 -
        013105113116JY+PrW ready Mon, 27 Jun 2005 18:34:34 -0500
helo hdev1
250 sv9pub.verizon.net
mail from: <foobar(_at_)santronics(_dot_)com>
[1-2 seconds delay]
550 You are not allowed to send mail:sv9pub.verizon.net

and the CBV session on my end:

19:36:18 C: HELO sv9pub.verizon.net
19:36:18 S: 250 winserver.com, Pleased to meet you.
19:36:18 C: MAIL FROM:<>
19:36:18 S: 250 <>... Sender ok.
19:36:18 C: RCPT TO:<foobar(_at_)santronics(_dot_)com>
19:36:18 S: 550 User not a member of domain: <foobar(_at_)santronics(_dot_)com>
19:36:18 C: RSET
19:36:18 S: 250 Reset State
19:36:18 C: MAIL FROM:<antispam579542(_at_)west(_dot_)verizon(_dot_)net>
19:36:18 S: 250 <antispam579542(_at_)west(_dot_)verizon(_dot_)net>... Sender validation pending. Continue.
19:36:18 C: RCPT TO:<foobar(_at_)santronics(_dot_)com>
19:36:18 S: 550 User not a member of domain: <foobar(_at_)santronics(_dot_)com>

Check out what VERIZON.NET is doing here in the CBV for a failed address.

If it is rejected, it issues an RSET and tries again with a non-NULL MAIL FROM.

Useless on our system but I think if I remember, yahoo or hotmail, or some
other big site didn't like validating a user for a NULL return path.

Anyway, I think an open relay test has a payoff.  Exceptions can be
whitelisted.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
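The return-path check described in the post (skip <> and postmaster@, probe with MAIL FROM:<>, and on a 5xx do an RSET and retry with a non-null sender, as the Verizon.Net sessions show), as an added example that is not code from the post or from Santronics' product. The remote MX is an in-memory stand-in whose user list and "reject RCPT under a null sender" quirk are constructed here; helo and probe_sender are assumed names.

```python
# Constructed stand-in for the remote MX: no network, just the SMTP replies
# a CBV client cares about. reject_null_sender mimics sites that refuse to
# validate a recipient when the return path is <> (the quirk the post mentions).
class FakeMX:
    def __init__(self, users, reject_null_sender=False):
        self.users, self.reject_null_sender = users, reject_null_sender
        self.sender = None
        self.transcript = []          # both sides of the exchange, in order

    def cmd(self, line):
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            reply = "250 mx.example.invalid, Pleased to meet you."
        elif verb == "QUIT":
            reply = "221 closing connection"
        elif verb == "RSET":
            self.sender, reply = None, "250 Reset State"
        elif verb == "MAIL":
            self.sender, reply = arg[len("FROM:"):], "250 Sender ok"
        elif verb == "RCPT":
            addr = arg[len("TO:"):].strip("<>")
            if self.sender == "<>" and self.reject_null_sender:
                reply = "550 Null sender not accepted for verification"
            elif addr in self.users:
                reply = f"250 <{addr}>... Recipient ok"
            else:
                reply = f"550 User not a member of domain: <{addr}>"
        else:
            reply = "500 Unrecognized command"
        self.transcript.append("S: " + reply)
        return reply


def cbv(return_path, mx, helo="cbv.example.invalid",
        probe_sender="<cbv-probe@example.invalid>"):
    """Classify an envelope return path as 'skip', 'valid' or 'invalid'.

    Rules 3-5 from the post: <> and postmaster@ are skipped; anything else
    is probed with MAIL FROM:<>, and a 5xx triggers RSET plus a retry with a
    non-null sender before the address is declared invalid."""
    addr = return_path.strip("<>").lower()
    if addr == "" or addr.startswith("postmaster@"):
        return "skip"
    mx.cmd(f"HELO {helo}")
    mx.cmd("MAIL FROM:<>")
    reply = mx.cmd(f"RCPT TO:<{addr}>")
    if reply.startswith("5"):                 # fall back exactly as Verizon did
        mx.cmd("RSET")
        mx.cmd(f"MAIL FROM:{probe_sender}")
        reply = mx.cmd(f"RCPT TO:<{addr}>")
    mx.cmd("QUIT")
    return "valid" if reply.startswith("2") else "invalid"
```

Inspecting mx.transcript after a run shows the same C:/S: sequence as the captured sessions, including the RSET and second MAIL FROM on a 550.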
