On Tue, 10 Apr 2007, J. wrote:

> I didn't realize that most people are denying smtp connections for
> bad addresses. That's great that this is possible. So most of the
> people on this list reject connections that are for bad addresses?
> That's great. I think that would cut down the spam we get by 90%.
> I had no idea this was possible.

That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent addresses as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the "no such address"  
rejections, leading to no additional impact on innocent third parties.

Contrast this with having your MTA accept the message for delivery, 
pass the message on down the chain, and then have some later step 
realize the address is invalid and generate a notice to the sender 
address that the message was undeliverable.

You're now generating outbound mail based on a spam you received. This 
is bad.

If the address was forged and nonexistent, your bounce will be 
rejected by the supposed sender's MTA; that's not as bad as actually 
delivering a bounce to a real user, but you're still generating 
pointless traffic to some innocent third party.

Multiply that by the millions of messages in a typical spam run and 
you can get a DDoS against whatever address or domain was forged on 
the spams as the sender address.

Rejecting the addresses during the SMTP conversation doesn't generate 
this extra traffic.

Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g.  
pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.

HTH.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."                                    -- Cringely, 4/8/2004
-----------------------------------------------------------------------
 3 days until Thomas Jefferson's 264th Birthday
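The contrast the post draws (refusing unknown recipients at RCPT TO time versus accepting everything and bouncing later), plus the log watcher it suggests for clients that keep probing bad addresses, as an added Python example that is not part of the list message. The mailbox list, the client IPs and the Postfix-style log lines are all constructed for the example; the 550 5.1.1 reply text mirrors what Postfix emits for an unknown local recipient, but the regex is tuned to these sample lines only.

```python
"""Added example (not from the original post): SMTP-time recipient
rejection versus accept-then-bounce, and a log watcher that flags clients
submitting many bad addresses. All names, IPs and log lines are constructed."""
import re
from collections import Counter

# Constructed mailbox table; a real MTA consults its user/alias/virtual maps.
LOCAL_DOMAIN = "example.org"
LOCAL_USERS = {"alice", "bob", "postmaster"}


def rcpt_response(rcpt: str) -> str:
    """SMTP reply an MTA gives to 'RCPT TO:<rcpt>' when it verifies
    recipients in-session. Known local users get 250; anything else a
    permanent 550 5.1.1 (relay policy for foreign domains is out of scope)."""
    local, _, domain = rcpt.partition("@")
    if domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_USERS:
        return f"250 2.1.5 <{rcpt}> Recipient ok"
    return f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"


def process_message(rcpts, reject_in_session: bool):
    """Handle one message's recipient list under one of two policies.
    Returns (delivered_recipients, bounces_generated_to_sender)."""
    valid = [r for r in rcpts if rcpt_response(r).startswith("250")]
    if reject_in_session:
        # Bad recipients were refused during the conversation: the submitting
        # side owns the problem, and this MTA sends nothing to the sender.
        return valid, 0
    # Accept-then-bounce: the whole message was taken, and a later step now
    # emits one non-delivery notice per bad recipient to the (often forged)
    # envelope sender. That is the backscatter the post warns about.
    return valid, len(rcpts) - len(valid)


def backscatter_volume(spam_run, reject_in_session: bool) -> int:
    """Total bounces a spam run provokes toward the forged sender domain."""
    return sum(process_message(r, reject_in_session)[1] for r in spam_run)


# Constructed Postfix-like smtpd log lines (not real logs).
SAMPLE_LOG = """\
Apr 10 09:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <zzq@example.org>: Recipient address rejected: User unknown
Apr 10 09:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <qqa@example.org>: Recipient address rejected: User unknown
Apr 10 09:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <qqb@example.org>: Recipient address rejected: User unknown
Apr 10 09:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <qqc@example.org>: Recipient address rejected: User unknown
Apr 10 09:02:10 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.5]: 550 5.1.1 <alce@example.org>: Recipient address rejected: User unknown
Apr 10 09:02:11 mx postfix/smtpd[1240]: 7F3A2C1: client=mail.partner.test[198.51.100.5]
"""

# Matches only the 'User unknown' rejection shape used in SAMPLE_LOG.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def flag_dictionary_attackers(log_text: str, threshold: int = 3):
    """Count 550 'User unknown' rejections per client IP and return the IPs
    at or above the threshold, the candidates for firewalling/tarpitting.
    A single typo from a legitimate peer stays below the bar."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed spam run: forged sender, mostly guessed recipients.
    run = [
        ["alice@example.org", "zzq@example.org", "qqa@example.org"],
        ["nobody@example.org"],
        ["bob@example.org"],
    ]
    print("bounces, accept-then-bounce:", backscatter_volume(run, False))
    print("bounces, reject in session: ", backscatter_volume(run, True))
    print("probing clients:", flag_dictionary_attackers(SAMPLE_LOG))
```

In Postfix the in-session behaviour the post calls a boolean is `smtpd_reject_unlisted_recipient` (on by default), and the slow-down after repeated errors is governed by `smtpd_soft_error_limit`, `smtpd_hard_error_limit` and `smtpd_error_sleep_time`; other MTAs have equivalents. The watcher above is deliberately a threshold count over a log excerpt; in production you would bound it to a time window and feed the result to whatever blocks or tarpits at the firewall.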
