Subject: Re: Incessant Bounces
From: Ronald F. Guilmette (rfgmonkeys.com)
Date: Tue Aug 22 2000 - 14:16:45 CDT


In message <v0422081bb5c87069cc10[195.238.1.121]>, you wrote:

>At 10:34 AM -0700 2000/8/22, Ronald F. Guilmette wrote:
>
>> I know from direct experience that quite a lot of spam gets sent out with
>> totally 100% bogus MAIL FROM domains,
>
> Not true. Because most sites these days implement the standard
>envelope sender DNS resolution techniques, most spam these days
>originates from bogus addresses at real sites.

Most, yes. But my spam traps indicate very clearly that there is still
a sizable, finite, and non-zero amount of spam that is being sent on a
daily basis (and even as we speak) that carries 100% bogus envelope
sender address domains.

>> and virtually zero legitimate mail
>> gets sent with bogus MAIL FROM domains,
>
> Also not true. At this relatively small site here, I daily see
>hundreds (sometimes thousands) of mail messages that were
>mis-addressed by a misconfigured client...

Those cases are relatively rare, and in any case, you are doing the sender
a favor when you bounce/reject such messages. Otherwise how will he ever
know that the return address he configured in his mail client is wrong and
that it will prevent him from seeing a lot of his own bounces?

>> However case (b) can also arise in cases where the DNS lookup error code
>> is `TRY_AGAIN', usually meaning that some timeout occurred somewhere...
>
> Problem is, in virtually all of the situations where you *think*
>you could safely issue a 5xx permanent failure, it's also not too
>hard to create a situation where a transient error would mistakenly
>be perceived the same way, and the MTA just can't tell the difference
>between the two problems.
>
> Therefore, the MTA *must* take the conservative route (by
>default), and issue a 4xx response code instead.

I disagree with your use of the word `must' in this context.

> Doing what you recommend just is *not* safe, not even if you have
>the latest hardware, running the latest OS, and using the latest
>software (in the MTA, the resolver libraries, and in the nameservers
>themselves).

My only counterpoint is that e-mail itself is not ``safe''.

If I need to be absolutely positively sure that someone got a particular
message, I'll send a telegram, use FedEx, or pick up the phone.

You said it yourself... DNS can be flaky from time to time for no apparently
good reason. Why should e-mail be thought of as being any different?
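
The two policies argued over in this message, as an added example that is not part of the original post and not taken from any MTA: a MAIL FROM check that maps a resolver outcome to an SMTP reply. The outcome names follow the h_errno values in <netdb.h>; the function names, the permanent_on_not_found flag, the specific codes 451/550/501 and the sample domains are assumptions of this example.

```python
import re
from enum import Enum

class Lookup(Enum):
    """Resolver outcomes, named after the h_errno values in <netdb.h>."""
    OK = "OK"
    HOST_NOT_FOUND = "HOST_NOT_FOUND"  # authoritative answer: no such domain
    TRY_AGAIN = "TRY_AGAIN"            # timeout or server failure, may work later
    NO_RECOVERY = "NO_RECOVERY"        # server refused or sent a malformed reply
    NO_DATA = "NO_DATA"                # name exists but has no usable record

MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^<>\s]*)>", re.IGNORECASE)

def sender_domain(command):
    """Envelope sender domain; "" for the null sender <>; None if unparsable."""
    m = MAIL_FROM.match(command.strip())
    if m is None:
        return None
    path = m.group(1)
    if path == "":
        return ""
    local, at, domain = path.rpartition("@")
    domain = domain.rstrip(".").lower()
    return domain if (local and at and domain) else None

def reply_for(command, resolve, permanent_on_not_found=False):
    """Return (code, text); resolve is a hypothetical callable domain -> Lookup."""
    domain = sender_domain(command)
    if domain is None:
        return 501, "syntax error in MAIL FROM"
    if domain == "" or domain.startswith("["):
        return 250, "ok"  # null sender (bounces) or address literal: no lookup
    outcome = resolve(domain)
    if outcome is Lookup.OK:
        return 250, "ok"
    if outcome in (Lookup.HOST_NOT_FOUND, Lookup.NO_DATA) and permanent_on_not_found:
        return 550, "sender domain %s has no usable DNS record" % domain
    # TRY_AGAIN and NO_RECOVERY say nothing about whether the domain exists;
    # with the flag off, even a definite "not found" is only deferred.
    return 451, "sender domain %s does not resolve, try again later" % domain

# Constructed sample data: stand-in resolver results for reserved example names.
SAMPLE_DNS = {"example.org": Lookup.OK, "slow.example": Lookup.TRY_AGAIN}

def sample_resolve(domain):
    return SAMPLE_DNS.get(domain, Lookup.HOST_NOT_FOUND)
```

With the flag off, every lookup failure is deferred with a 4xx; with it on, only a definite negative answer becomes a 5xx, and a timeout that the resolver reports as TRY_AGAIN is still deferred.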