North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Open Letter to D-Link about their NTP vandalism

  • From: Joe Maimon
  • Date: Tue Apr 11 11:32:12 2006



Matthew Black wrote:

On Mon, 10 Apr 2006 23:23:06 -0700 (PDT)
 Matt Ghali <matt@snark.net> wrote:

On Tue, 11 Apr 2006, Simon Lyall wrote:

Everyone here runs spam filters. Many times a day you tell a remote MTA
you've accepted their email but you delete it instead. Explain the
difference?

Hold on there. What you are describing is evil and bad, and I certainly hope "everyone" does not do that.

When I do not wish to accept a message, I do not accept it, rejecting with an SMTP permanent delivery failure.

Don't mean to go off on a tangent, but accepting and then silently discarding mail is a terrible idea.
This is way OT.

Inline rejection -- best
Notification after the fact -- Worst, but sometimes unavoidable
Silent Disacard -- better then blanket notifications

Try to limit the second in preference for the first.

For anything in which your detection mechanism's accuracy is high enough, you can probably perform the last without much worry.

matto


Are you suggesting that we configure our e-mail servers to notify
people upon automatic deletion of spam?
Dont do that. Notify the recpient if anything. Unfortunately they may learn to ignore such notifications, especialy if your system is fairly accurate. I advise against such "quarantine;store;notify;wait;delete" systems precisely because of this.

Frequently, spam cannot be
properly identified until closure of the SMTP conversation and that
final 200 mMESSAGE ACCEPTED...or do you think that TCP/IP connection
should be held open until the message can be scanned for spam and
viruses just so we can give a 550 MESSAGE REJECTED error instead of
silently dropping it?
Yes, a 550 after completion of DATA with <cr><lf>.<cr><lf> is perfectly acceptable and preferable. Legit senders should hang around for the half minute or so to receive 220, and illegits will tend to drop the connection after being told 550.

Because most spam originates from a bogus or stolen sender address,
notification creates an even bigger problem. What's next: asking for
permission to hang up on telemarketers?
I do that all the time with barely a no thanks. My wife complains that I am rude to do so. I think not.

The problem is in the word "most". With regards to anti-virus, "most" becomes "well upwards of 99%", and as such silent discard is more acceptable.

matthew black
network services
california state university, long beach