incorrect spam setups cause spool messes on forwarders
is the following a general problem, or just one i am seeing? note 2821 says 450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy) 550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons) randy From: Randy Bush <randy@psg.com> To: foo@psg.com Subject: broken mail server Date: Mon, 1 Dec 2003 10:02:34 -0800 you have a .forward on psg.com pointing to foo.user@verizon.net. like all mail accounts these days, you get spam. but the forward, as opposed to rejecting it with a 5xx is deferring with a 450 (see below), which is not proper. this means that the spam stays in the queue here, which is just not reasonable. please do one of the following: o see that the verison server is fixed (good luck), o set your forward to a properly working server, or o tell me so i can kill your mail account here. randy 2003-12-01 10:09:05 1APbBa-000Ork-DY == foo.user@verizon.net <foo@psg.com> R=lookuphost T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<nikkiadamczyk@gerbangmail.com> SIZE=5365: host relay.verizon.net [206.46.170.12]: 450 Requested mail action not taken-Try later:sc004pub.verizon.net
Randy Bush writes on 12/1/2003 1:10 PM:
is the following a general problem, or just one i am seeing?
Verizon does SMTP callbacks, connecting back to the MX of the envelope sender and trying to verify that the user exists
2003-12-01 10:09:05 1APbBa-000Ork-DY == foo.user@verizon.net <foo@psg.com> R=lookuphost T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<nikkiadamczyk@gerbangmail.com> SIZE=5365: host relay.verizon.net [206.46.170.12]: 450 Requested mail action not taken-Try later:sc004pub.verizon.net
So this would connect to the MX of gerbangmail.com and try to verify that whatever@gerbangmail.com exists. gerbangmail.com. 5h55m6s IN MX 0 sitemail.everyone.net. If the MX (sitemail.everyone.net) doesn't respond fast enough for verizon, their tester times out, and the message gets 4xx'd. srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Neezam Haniff writes on 12/1/2003 1:46 PM:
On Mon, 1 Dec 2003, Suresh Ramasubramanian wrote:
So this would connect to the MX of gerbangmail.com and try to verify that whatever@gerbangmail.com exists.
Out of curiosity, would you know offhand how they do the validation?
It is my job to know, I guess ... as other people's jobs here are to know which routes are flapping where. Mail filtering policies at an ISP can have quite unintended consequences on mail delivery from other ISPs. Especially ISPs that have a huge number of users with .forwards set to Verizon mailboxes. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
I personally haven't seen ANY validation, just an arbitrary block that's been in place for over a month without cause, reason, or even any ability to contact them. It appears nobody at verizon is at the helm anymore. I've tried several times to contact abuse, postmaster, etc, and even a couple people from this list gave me or forwarded my plight to internals with no results. Modwest is still being blocked. Perhaps not very operational in content though here... --On Monday, December 01, 2003 13:46 -0500 Neezam Haniff <nhaniff@ca.mci.com> wrote:
On Mon, 1 Dec 2003, Suresh Ramasubramanian wrote:
So this would connect to the MX of gerbangmail.com and try to verify that whatever@gerbangmail.com exists.
Out of curiosity, would you know offhand how they do the validation?
Neezam.
-- GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
In message <10021859.1070281409@d216-220-25-60.dynip.modwest.com>, Michael Loft is writes:
I personally haven't seen ANY validation, just an arbitrary block that's been in place for over a month without cause, reason, or even any ability to contact them.
Right. Assuming that the described validation scheme is, in fact, what's being used, you'd expect Verizon's mailer to retain and cache the validation. That way, a single 450 can be turned into a 200 series or a 550. As Randy said, 450 means "there's a problem here that should be fixed soon; come back later". If it doesn't change, it's not a 450. --Steve Bellovin, http://www.research.att.com/~smb
On Mon, 1 Dec 2003, Steven M. Bellovin wrote:
Right. Assuming that the described validation scheme is, in fact, what's being used, you'd expect Verizon's mailer to retain and cache the validation. That way, a single 450 can be turned into a 200 series or a 550.
Also imagine your domain being joe-jobbed. You, as an innocent bystander, then get hammered by Verizon as they try to do a lookup on possibly millions of incoming mails. It's just not a very sane way to reduce their spamload. It's something I'd expect from a smaller ISP, but I would have imagined by now that VZ would have the money to go with something like Brightmail, or develop something in-house like AOL. Charles
As Randy said, 450 means "there's a problem here that should be fixed soon; come back later". If it doesn't change, it's not a 450.
--Steve Bellovin, http://www.research.att.com/~smb
is the following a general problem, or just one i am seeing?
Verizon does SMTP callbacks, connecting back to the MX of the envelope sender and trying to verify that the user exists
2003-12-01 10:09:05 1APbBa-000Ork-DY == foo.user@verizon.net <foo@psg.com> R=lookuphost T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<nikkiadamczyk@gerbangmail.com> SIZE=5365: host relay.verizon.net [206.46.170.12]: 450 Requested mail action not taken-Try later:sc004pub.verizon.net
So this would connect to the MX of gerbangmail.com and try to verify that whatever@gerbangmail.com exists.
gerbangmail.com. 5h55m6s IN MX 0 sitemail.everyone.net.
If the MX (sitemail.everyone.net) doesn't respond fast enough for verizon, their tester times out, and the message gets 4xx'd.
interesting but utterly irrelevant. the question was not how verison decided it was spam. the point was that their server returned a 450 as opposed to a 5xx (550 looks good), and this causes net damage. randy
Randy Bush writes on 12/1/2003 1:50 PM:
interesting but utterly irrelevant. the question was not how verison decided it was spam. the point was that their server returned a 450 as opposed to a 5xx (550 looks good), and this causes net damage.
They haven't yet determined that it is spam. So, RFC nitpicking wise, they are right. On the other hand, from a mail operations standpoint, I personally feel that sender verification, graylisting and other methods that rely on 4xx'ing email are a bad idea, as they makes things inconvenient for a whole lot of ISPs ... and because these emails have to be either 5xx'd or trashed sometime sooner or later. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Mon, Dec 01, 2003 at 10:50:51AM -0800, Randy Bush wrote:
is the following a general problem, or just one i am seeing?
Verizon does SMTP callbacks, connecting back to the MX of the envelope sender and trying to verify that the user exists
2003-12-01 10:09:05 1APbBa-000Ork-DY == foo.user@verizon.net <foo@psg.com> R=lookuphost T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<nikkiadamczyk@gerbangmail.com> SIZE=5365: host relay.verizon.net [206.46.170.12]: 450 Requested mail action not taken-Try later:sc004pub.verizon.net
So this would connect to the MX of gerbangmail.com and try to verify that whatever@gerbangmail.com exists.
gerbangmail.com. 5h55m6s IN MX 0 sitemail.everyone.net.
If the MX (sitemail.everyone.net) doesn't respond fast enough for verizon, their tester times out, and the message gets 4xx'd.
interesting but utterly irrelevant. the question was not how verison decided it was spam. the point was that their server returned a 450 as opposed to a 5xx (550 looks good), and this causes net damage.
I think he's saying that they were unable to perform the validation hence the 450. If the validation was successful, they'd return a 200 series code, if it was unsuccessful, they would return a 500 series code. - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
I think he's saying that they were unable to perform the validation hence the 450. If the validation was successful, they'd return a 200 series code, if it was unsuccessful, they would return a 500 series code.
nice words, but crap. due to needs to spool mail for sites in countries with very poor connectivity, mail spool time here is quite long. if verizon and others seem unable to decide in weeks, why should i pay the penalty? but, i guess the problem is easily solved with exim config. i have set it so that if it can not deliver to verizon in say one hour, it dumps the mail. verizon.net * F,1h,5m life is simple, except for verizon users i guess. randy
On Mon, Dec 01, 2003 at 11:10:16AM -0800, Randy Bush wrote:
I think he's saying that they were unable to perform the validation hence the 450. If the validation was successful, they'd return a 200 series code, if it was unsuccessful, they would return a 500 series code.
nice words, but crap. due to needs to spool mail for sites in countries with very poor connectivity, mail spool time here is quite long. if verizon and others seem unable to decide in weeks, why should i pay the penalty?
you should likely queue those other countries on a seperate machine dedicated to that purpose. this way one user/host site doesn't unduly cause significant impact to other sites/users. it's interesting you view the interpertation (which at least one other person views as correct) as "crap". this behaviour does seem to fit strict interpretation of the rfc in question.
but, i guess the problem is easily solved with exim config. i have set it so that if it can not deliver to verizon in say one hour, it dumps the mail.
verizon.net * F,1h,5m
life is simple, except for verizon users i guess.
this is the ability of a single host operator to make their own local policy decisions. you've both done what you feel is appropriate. - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
this is the ability of a single host operator to make their own local policy decisions. which leads to the heat death of the net or allows the net to prosper, since policy is distributed rather than centralised.
consider verifying, or making any assertions about, or having any confidence in, the correctness of a universe of distributed and opaque policy. i once worked for an m&a isp which acquired some sixty+ small isps. my comment on the non-global thinkers in the acquisitions was "think locally, act globally." randy
jared:
this is the ability of a single host operator to make their own local policy decisions. randy: which leads to the heat death of the net joe: or allows the net to prosper, since policy is distributed rather than centralised. randy: consider verifying, or making any assertions about, or having any confidence in, the correctness of a universe of distributed and opaque policy.
to further amplify and make clear whose ideas i am stealing, let me quote tim griffin: The Interdomain routing system will enter a state of non- convergence that is so disruptive as to effectively bring down large portions of the Internet. The problem will be due to unforeseen global interactions of locally defined routing policies. Furthermore, no one ISP will have enough knowledge to identify and debug the problem. It will take nearly a week to fix and cost the world economy billions of dollars. The world press will learn that the internet engineering community had known about this lurking problem all along.... [ tim goes on to suggest how we might keep from getting in such a mess ] i suggest that we take this seriously. randy
(susan, this is in a spam related thread but i'm adding offtopic remarks which i think are actually in-charter for nanog. --pv)
Verizon does SMTP callbacks, connecting back to the MX of the envelope sender and trying to verify that the user exists
while something like RMX or MAILFROM would probably be a more robust alternative, verizon's actions are not irrational on a purely cost:benefit basis when the costs and benefits being measured are only their own. however, cost and benefit are not isolatable in that way, and folks who try to isolate them end up causing others to pile workaround on top of workaround until the whole system is just gum and mud. if verizon wanted to jointly sponsor a clearinghouse of email senders who had passed the callback test, with appropriate caching and error analysis and robust global mirroring, i'm sure that there would be other isp's and large e-mail carriers who would want to help, and i'm sure that authors of mail software, both opensource and not, would want to offer the feature of checking such a "ephemeral sender whitelist" (ESW?) but as long as verizon acts alone, they're just hurting themselves, and the overall system. consider what would happen if everybody did callbacks; first, what would happen to the load on the world's nonabusing mail servers, and then, what would the spammers do in response if this was effective? -- Paul Vixie
I think you will find that people who want to reject the spam but don't want to accidentally reject real mail will sometimes use 45x instead of 55x error codes. I know when i was rejecting spam at the SMTP layer I first started rejecting with 45x and watched my logs for those pesky false positives. there might be some thought about punish the disk space of those that are trying to deliver the spam to you ... - Jared On Mon, Dec 01, 2003 at 10:10:43AM -0800, Randy Bush wrote:
is the following a general problem, or just one i am seeing?
note 2821 says
450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy) 550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)
randy
From: Randy Bush <randy@psg.com> To: foo@psg.com Subject: broken mail server Date: Mon, 1 Dec 2003 10:02:34 -0800
you have a .forward on psg.com pointing to foo.user@verizon.net. like all mail accounts these days, you get spam. but the forward, as opposed to rejecting it with a 5xx is deferring with a 450 (see below), which is not proper. this means that the spam stays in the queue here, which is just not reasonable.
please do one of the following: o see that the verison server is fixed (good luck), o set your forward to a properly working server, or o tell me so i can kill your mail account here.
randy
2003-12-01 10:09:05 1APbBa-000Ork-DY == foo.user@verizon.net <foo@psg.com> R=lookuphost T=remote_smtp defer (0): SMTP error from remote mailer after MAIL FROM:<nikkiadamczyk@gerbangmail.com> SIZE=5365: host relay.verizon.net [206.46.170.12]: 450 Requested mail action not taken-Try later:sc004pub.verizon.net
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Dec 1, 2003, at 11:10 AM, Randy Bush wrote:
is the following a general problem, or just one i am seeing?
note 2821 says
450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy) 550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)
FWIW, there are now fake smtp tarpits out there that behave this way (4xx deferrals of suspected spam). http://www.benzedrine.cx/relaydb.html The idea is to "punish" spammers by filling up their queues, although honestly I don't know of any spammers who actually *have* queues. They just borrow other people's of course. I'm not sold on the wisdom of this course.
On Mon, Dec 01, 2003 at 12:52:28PM -0700, Michael Lewinski wrote:
The idea is to "punish" spammers by filling up their queues, although honestly I don't know of any spammers who actually *have* queues. They just borrow other people's of course.
Correct. More and more, anti-spammers are annoying me more than the spammers. Anti-spammers tend to "make my problem YOUR problem" thinking. Be it mangled sender addresses (this "NOSPAM" nonsense), be it 450 to suspected spam. Antispanners seem to be very easy in accepting collateral damage to the net. Regards, Daniel
telling spammers 4xx or 5xx doesn't matter, they don't listen. On Mon, Dec 01, 2003 at 09:18:21PM +0100, Daniel Roesen wrote:
On Mon, Dec 01, 2003 at 12:52:28PM -0700, Michael Lewinski wrote:
The idea is to "punish" spammers by filling up their queues, although honestly I don't know of any spammers who actually *have* queues. They just borrow other people's of course.
Correct. More and more, anti-spammers are annoying me more than the spammers. Anti-spammers tend to "make my problem YOUR problem" thinking. Be it mangled sender addresses (this "NOSPAM" nonsense), be it 450 to suspected spam.
Antispanners seem to be very easy in accepting collateral damage to the net.
Regards, Daniel
telling spammers 4xx or 5xx doesn't matter, they don't listen.
yes, but interestingly, every "smtp transport" (remote ip address who connects to your tcp/25 service) who ignores 5XX (which you can tell because they come back and try the same thing again over and over) is either a spammer or the output side of a proxy (which might be hard to detect). so it turns out that ignoring 5XX is like sending up a flare, "blackhole me!". -- Paul Vixie
participants (13)
-
Charles Sprickman
-
Daniel Roesen
-
Jared Mauch
-
Joe Abley
-
John Brown (CV)
-
Michael Lewinski
-
Michael Loftis
-
Neezam Haniff
-
Paul Vixie
-
Randy Bush
-
Steven M. Bellovin
-
Suresh Ramasubramanian
-
Valdis.Kletnieks@vt.edu