spf-discuss

Re: Is anyone else getting DoS'd by relay attacks?

2005-01-14 11:08:49
Hello!

On Wed, Jan 12, 2005 at 02:58:12PM -0500, Stuart D. Gathman wrote:
[...]

[backscatter, i.e. bounces to faked original senders]

I detect this in my sendmail milter (http://bmsi.com/python/milter.html)
and issue this DSN:

   self.setreply('550','5.7.1',
   "I did not send you that message. Please consider implementing SPF",
   "(http://spf.pobox.com) to avoid bouncing mail to spoofed senders.",
   "Thank you."
   )

Detection is somewhat involved.  If you don't want to provide free dictionary
search to spammers, then you don't want to REJECT immediately on
RCPT TO for normal recipients.  I set a flag and REJECT after SMTP DATA
for backscatter.  Not ideal, but workable.

Especially as you still catch the traffic, and it might not combine
well if multiple receivers are involved (but then, what do the
standards say about multiple RCPT TO if the MAIL FROM is empty?).

Like:

  MAIL FROM: <>
  RCPT TO: <a@your.domain> ; this a isn't a signed envelope sender or so
  RCPT TO: <b@your.domain> ; b *is*, and the signature is valid
  DATA
  ...

If you want to defer rejection, you can't reply 5xx to the first
RCPT TO. However, after DATA you can either reply 2xx (but then you
accept the mail for *both* a and b), reply 4xx (but then you'll
be offered the same problem stuff again, soon), or reply 5xx
and thus, falsely, reject b@... too.

Frankly, what information do you expose if you reject immediately
instead of in a delayed fashion which you don't expose anyway in other
ways?

Local usernames? They can be dictionary scanned by using a non-empty
MAIL FROM which is SPF unknown or pass, so you don't gain anything
from not exposing them (by using a different 5xx reply than if the
user didn't exist at all) when MAIL FROM is empty.

Kind regards,

Hannah.
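The multi-recipient dilemma above, as an added example that is not part of the original post or of the bmsi.com milter: a simulated SMTP session that flags unsigned recipients at RCPT TO when MAIL FROM is empty and only decides at end of DATA, so a valid signed recipient b shares the fate of an unsigned a. The HMAC-tagged local part ("user=tag") and the key are a constructed stand-in for a real signed-envelope-sender scheme.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: site key used to sign envelope senders


def sign_sender(local):
    """Return 'local=tag' (constructed scheme, not a real SES/BATV format)."""
    tag = hmac.new(SECRET, local.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{local}={tag}"


def sender_signature_valid(local):
    """True if the local part carries a valid tag for its base address."""
    base, sep, tag = local.rpartition("=")
    if not sep:
        return False
    expected = hmac.new(SECRET, base.encode(), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, tag)


class BackscatterSession:
    """Simulated session: set a flag at RCPT TO, reject (if at all) after DATA."""

    def __init__(self):
        self.null_sender = False
        self.unsigned = []  # recipients that never signed an outgoing envelope

    def mail_from(self, sender):
        self.null_sender = sender == ""
        return "250"

    def rcpt_to(self, rcpt):
        # Always 250 here: a 550 on unsigned recipients would let a probe
        # with MAIL FROM:<> enumerate local users one RCPT TO at a time.
        local = rcpt.split("@", 1)[0]
        if self.null_sender and not sender_signature_valid(local):
            self.unsigned.append(rcpt)
        return "250"

    def end_of_data(self):
        # One verdict for the whole transaction: if any recipient is unsigned
        # backscatter, the 550 also hits the legitimately signed recipients.
        if self.null_sender and self.unsigned:
            return ("550", "5.7.1", "I did not send you that message.")
        return ("250", "2.0.0", "accepted")
```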