spf-discuss
[Top] [All Lists]

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-11 22:33:32
On Tue, 2004-03-09 at 20:21 -0600, wayne wrote:
It is more than just "the potential".  Spam is far more likely to
trigger a bounce than legitimate email.

--David Woodhouse <dwmw2(_at_)infradead(_dot_)org> wrote:
It is definitely appropriate to say 'the potential'. What part of "only
when the primary MX host is actually down _and_ we receive mail for an
invalid user at the target domain which is not a cached negative" do you
not understand?


The problem with this is:
when the primary MX host is actually down

which assumes that spammers will not target the secondary MX, which is a known bad assumption. If you have any amount of volume of mail, you will be able to find sending clients that have talked only to your secondary and never even tried the primary, though it was up.

That is what Wayne meant by "it is more than just the potential" and from experience I would have to say I agree with him.


Using SRS on all your outgoing email is a way of protecting yourself
from people who think it is ok to send bogus bounce to innocent third
parties.

That includes everybody who I consider competent to run a mail server,
and that has been the status quo for years.


This has been discussed at length on SPAM-L (and probably other places). I even posted a suggested recipe that people can use to share the same virtusertable between the primary and secondary. The secondary should never accept mail that the primary would have rejected.

An "accept-then-bounce" strategy IS abuse. It is cost-shifting. Someone else can eat their crap mail and not complain, because you can't be bothered to configure both servers the same. It may have been common practice before, but general agreement now is that accept-then-bounce is considered harmful. If you can't configure the secondary correctly, consider not publishing a secondary at all.



Have you evidence to support this? I received a bounce from AOL only
yesterday. Actually it was a bounce which should have been avoided,
because one of their machines accepted a mail to invaliduser(_at_)aol(_dot_)com,
then only later decided to bounce it after another of their machines
rejected it. But a bounce nonetheless.


Um, yeah. Carl at AOL is working hard to correct all the accept-then-bounce situations, but it's going to be tough to reform all their MTA's to do this. But they are trying.

Many of the big boys will be slow to respond, as with anything.


If you think bounces are so bad, why don't you start rejecting all MAIL
FROM:<> ?


Strangely enough, I just started doing this for altavista.com - forged, bounced mail will now be rejected with a 454 message. Hopefully this will fill up the mail queues of irresponsible admins who accept-then-bounce.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>


<Prev in Thread] Current Thread [Next in Thread>