I hate to have to give a basic lesson on this stuff on, of all places,
the IETF mailing list, but it appears that some folks around here
don't know the details of of mail delivery.
Lots of people keep saying "Gee, well, exchange lets you turn off
sending out of office messages to the internet. That's the problem --
misconfiguration." Why is this next message NOT an example of
misconfiguration?
------- Start of forwarded message -------
From: "Klein, Ed" <EKlein(_at_)ciena(_dot_)com>
To: "Perry E. Metzger" <perry(_at_)piermont(_dot_)com>
Subject: RE: Denial of Service by Spamware?
Date: Fri, 29 Dec 2000 14:17:57 -0500
Ed Klein will be out of the office until January 2nd.
------- End of forwarded message -------
It is not an example of misconfiguration because I NEVER SENT ED KLEIN
A MESSAGE. I sent a message to an exploder. The exploder, which has a
SEPARATE, DISTINCT EMAIL ADDRESS, SENT THE MESSAGE. It is that address
to which any error or automated deliveries should be directed.
You see, in SMTP, we have a distinction between ENVELOPE and HEADER.
In the From: line in the header, the address <perry(_at_)piermont(_dot_)com>
appeared.
However, that address doesn't count for mail delivery
purposes. Consider the To: line -- it said "ietf(_at_)ietf(_dot_)org" in the
original message, and yet Mr. Ed Klein got the message. Obviously, the
To: line didn't tell the mailers where to deliver the message. The
From: line doesn't tell you where to deliver automated replies,
either!
The parts of this that count are not the From: and To: in the visible
message headers. They are the "MAIL From:" and "RCPT To:" transaction
lines in the SMTP exchange -- the so-called mail *ENVELOPE*. The
reason Ed Klein could get this message even though it was addressed
"To: ietf(_at_)ietf(_dot_)org" in the header was because it said his address in
the envelope. Similarly, in the envelope, the From: address was the
mail address designated to get bounce messages from delivery failures
and similar notifications, not MY address. *I* did not send the
message to Ed Klein, the mail exploder did.
The problem here is that some individual who designed Exchange's "out
of office" notification facility did not understand the distinction
between envelope and header. Other utilities which serve the same
purpose do the correct thing. They will bounce a message to the
envelope From: and not the header From:
(Some are even more intelligent than that -- they will note that the
envelope To: and message header To: (or Cc:) lines are not in accord,
indicating a mailing list delivery and not mail personally to the
recipient, and bounce NO MESSAGE AT ALL. However, we don't expect
intelligent implementation in this case -- just correct
implementation.)
All it is that many of us are asking about virus notifications,
vacation mail, etc. is that it go to the CORRECT place. Sure, it
shouldn't be sent at all, but if it is going to be sent, let it at
least be sent to the envelope From: and not the header From:.
There are a number of other issues, of course. Exchange frequently
does not tell you who a bouncing message was sent to (assuming that
naturally you'll just know -- the designer never considered mailing
lists), and often doesn't include the original message (making it
impossible to figure out what message caused the bounce). However, I
try to complain about only one serious flaw at a time.
Perry