not bouncing philosphy

By default my postfix mail server sends an "unknown user" message
back to senders of emails to invalid users for my domain. I
understand this is not desirable because spam send to invalid
users (which is probably all of the invalid user addressed mail)
has forged sender addresses, so the error message is getting sent
to innocent third parties.

Just curious what the best way to handle them really is -
silently drop them?

Also, are there any other instances/philosophies where you
wouldn't, or maybe you should, send error messages? What are
they?

--
Troy Piggins
,-o
o ) Ubuntu linux 6.06 http://ubuntu.com RLU#415538 http://counter.li.org
`-o uptime: 07:56:18 up 17 days,13:25,2 users,load average:0.00,0.02,0.00

Re: not bouncing philosphy

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--=_mimegpg-commodore.email-scan.com-12708-1159396319-0002
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Troy Piggins writes:

> By default my postfix mail server sends an "unknown user" message
> back to senders of emails to invalid users for my domain. I
> understand this is not desirable because spam send to invalid
> users (which is probably all of the invalid user addressed mail)
> has forged sender addresses, so the error message is getting sent
> to innocent third parties.
>
> Just curious what the best way to handle them really is -
> silently drop them?

Fix your broken server so that it doesn't even accept mail addressed to
nonexistent recipients. This is not rocket science. Even Verizon, with
millions of mailboxes scattered all over the place, can reject mail to a
nonexistent recipient nearly instantaneously.

RCPT TO:
550 5.1.1 unknown or illegal alias: nosuchuser87237887@verizon.net

> Also, are there any other instances/philosophies where you
> wouldn't, or maybe you should, send error messages? What are
> they?

Very simple: do not send bounces to external addresses in response to
externally-received mail.


--=_mimegpg-commodore.email-scan.com-12708-1159396319-0002
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBFGvvfx9p3GYHlUOIRAnTnAJ9CaVJsVO4UNJjDSVl5V8HlTEw1GwCf V2NP
jqoypshZ4/iliuYeJnVeiXA=
=Pzw0
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-12708-1159396319-0002--

Re: not bouncing philosphy

On comp.mail.misc, in <20060928075618@usenet.piggo.com>, "Troy
Piggins" wrote:

Hi Troy,

> By default my postfix mail server sends an "unknown user"
> message back to senders of emails to invalid users for my
> domain. I understand this is not desirable because spam send
> to invalid users (which is probably all of the invalid user
> addressed mail) has forged sender addresses, so the error
> message is getting sent to innocent third parties.

No. Most spammers take great care to avoid using possible real
return addresses in their spams. It just pisses people off and
causes trouble for them.

Try mailing a few, manually. Just hit Reply. You'll probably
get a bounce from _your_ MTA, or your ISPs. (you are probably
just using it to deliver mail to your ISP's MTA).

Do _you_ receive bounces from mails you never sent all the
time? Nope. No one does.

You have been duped by the spammers pretending to be spamfighters
who use that lie as one of their chief arguments against
Challenge-Response systems.

Never-the-less, blanket bouncing like that is bad idea.

>
> Just curious what the best way to handle them really is -
> silently drop them?

Of the two choices, yes.

Another reasonable one would be to put the mail through a
spam filter first, dumping obvious spam and bouncing only the
remainder.

That's what's done with Challenge-Response systems.

>
> Also, are there any other instances/philosophies where you
> wouldn't, or maybe you should, send error messages? What are
> they?

Running an MTA is a complex affair. I wouldn't bother trying
as a normal user. Better to just use msmtp to send your mail
to our ISP's MTA.

If you want to get an idea of just how complex a modern MTA
is, subscribe to the exim mailing list.

Alan

--
http://home.earthlink.net/~alanconnor/contact.html
http://home.earthlink.net/~alanconnor/cr.html
http://home.earthlink.net/~alanconnor/publickey.html

Re: not bouncing philosphy

On Wed, 27 Sep 2006, Sam wrote:
> Fix your broken server so that it doesn't even accept mail addressed to
> nonexistent recipients. This is not rocket science.

Although it is true that in the general case, it is not a good idea for
any server to accept mail addressed to non-existent recipients, there are
a (limited) set of cases where this is unavoidable.

There are still a few "small-i internet" gateways that accept mail that
will be transmitted over a non-IP path or other such link that does not
have continuous connectivity. In such cases, the only way that the SMTP
server can validate the recipient is if it has a complete directory of all
recipients that are served at the other end. This is often not feasible.

Legitimate cases for such gateways are becoming fewer and further between
as universal IP connectivity becomes the worldwide norm rather than the
exception. I, for one, will not mourn their extinction.

Nonetheless, they are not extinct yet.

It it is probably unnecessary for a site with normal IP connectivity to
behave as if it is serving up mail via 1200 bps dialups to some little
Third World twarf. It's certainly desirable to turn off small-i internet
support in your mailer unless it is absolutely necessary. But until the
legitimate need for the small-i internet has vanished small-i internet
implementations aren't broken. Yet.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: not bouncing philosphy

On Thu, 28 Sep 2006, Troy Piggins wrote:
> By default my postfix mail server sends an "unknown user" message
> back to senders of emails to invalid users for my domain. I
> understand this is not desirable because spam send to invalid
> users (which is probably all of the invalid user addressed mail)
> has forged sender addresses, so the error message is getting sent
> to innocent third parties.

Correct; this is undesirable for the reasons you have stated. I receive
dozens of such error messages every day.

It would be better if your SMTP server rejected invalid recipients.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: not bouncing philosphy

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--=_mimegpg-commodore.email-scan.com-4087-1159407364-0002
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Usenet Beavis writes:

> On comp.mail.misc, in <20060928075618@usenet.piggo.com>, "Troy
> Piggins" wrote:
>
> Hi Troy,

Hi, Beavis!

> No. Most spammers take great care to avoid using possible real
> return addresses in their spams.

*SLAP*

Stupid Beavis. That's why my mail server currently have 1623 different IP
addresses blacklisted for bouncing spam.

> It just pisses people off and
> causes trouble for them.

*SLAP*

Beavis, exactly how did you come by your knowledge of what "most spammers"
do or to not?

> Try mailing a few, manually. Just hit Reply. You'll probably
> get a bounce from _your_ MTA, or your ISPs. (you are probably
> just using it to deliver mail to your ISP's MTA).

*SLAP*

The golden rule of comp.* hierarchy:

Whatever technical advice Beavis gives, the correct answer always lies 180
degrees to the opposite.

> Of the two choices, yes.
>
> Another reasonable one would be to point your fingers at me and laugh,
> because I was dropped on my head, as a child.

That's not the only reason for laughing at you, though.

> That's what's done with Beavis-Slapping systems.

Oh, there's more than one use for them.

>> Also, are there any other instances/philosophies where you
>> wouldn't, or maybe you should, send error messages? What are
>> they?
>
> Running an MTA is a complex affair. Of course, I have no clue
> whatsoever, concerning this topic, because I'm just a dumb
> Beavis on an analog modem dialup. But that won't stop me
> from flapping my gums and spouting clueless gibberish on the
> subject, hoping that my gobbledygook will impress someone.

Keep hoping, Beavis.

> If you want to get an idea of just how much of a Beavis I am,
> subscribe to alt.asshole.alan-connor.

Good idea.

> Beavis

*SMACK*

> --
> http://www.geocities.com/suhatrasabib
> http://www.pearlgates.net/nanae/kooks/ac/
> http://tinyurl.com/23r3f




--=_mimegpg-commodore.email-scan.com-4087-1159407364-0002
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBFGycEx9p3GYHlUOIRAr7RAJ0Qk3uiRklgE7arpLHSJKAb9cQj7gCe LkWg
z5WKAzuykUvm+Rf2bFXDTi8=
=qAkU
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-4087-1159407364-0002--

Re: not bouncing philosphy

* Alan Connor wrote:
> On comp.mail.misc, in <20060928075618@usenet.piggo.com>, "Troy
> Piggins" wrote:
>
> Hi Troy,
>
>> By default my postfix mail server sends an "unknown user"
>> message back to senders of emails to invalid users for my
>> domain. I understand this is not desirable because spam send
>> to invalid users (which is probably all of the invalid user
>> addressed mail) has forged sender addresses, so the error
>> message is getting sent to innocent third parties.
>
> No. Most spammers take great care to avoid using possible real
> return addresses in their spams. It just pisses people off and
> causes trouble for them.

I think that pissing people off is far from the small minds of
spammers!

> Try mailing a few, manually. Just hit Reply. You'll probably
> get a bounce from _your_ MTA, or your ISPs. (you are probably
> just using it to deliver mail to your ISP's MTA).
>
> Do _you_ receive bounces from mails you never sent all the
> time? Nope. No one does.

Yes. At work we've received 10 or so in the last fortnight.

> You have been duped by the spammers pretending to be spamfighters
> who use that lie as one of their chief arguments against
> Challenge-Response systems.
>
> Never-the-less, blanket bouncing like that is bad idea.

Yep.

>> Just curious what the best way to handle them really is -
>> silently drop them?
>
> Of the two choices, yes.
>
> Another reasonable one would be to put the mail through a
> spam filter first, dumping obvious spam and bouncing only the
> remainder.
>
> That's what's done with Challenge-Response systems.
>
>> Also, are there any other instances/philosophies where you
>> wouldn't, or maybe you should, send error messages? What are
>> they?
>
> Running an MTA is a complex affair. I wouldn't bother trying
> as a normal user. Better to just use msmtp to send your mail
> to our ISP's MTA.
>
> If you want to get an idea of just how complex a modern MTA
> is, subscribe to the exim mailing list.

s/exim/postfix/
:)

Thanks for the input.

--
Troy Piggins
,-o
o ) Ubuntu linux 6.06 http://ubuntu.com RLU#415538 http://counter.li.org
`-o uptime: 11:24:53 up 17 days,16:53,2 users,load average:0.04,0.03,0.00

Re: not bouncing philosphy

* Mark Crispin wrote:
> On Thu, 28 Sep 2006, Troy Piggins wrote:
>> By default my postfix mail server sends an "unknown user" message
>> back to senders of emails to invalid users for my domain. I
>> understand this is not desirable because spam send to invalid
>> users (which is probably all of the invalid user addressed mail)
>> has forged sender addresses, so the error message is getting sent
>> to innocent third parties.
>
> Correct; this is undesirable for the reasons you have stated. I receive
> dozens of such error messages every day.

Yes, as does my work :(

> It would be better if your SMTP server rejected invalid recipients.

So there's a way to reject messages to invalid recipients. I've
done some more testing of my "default" postfix setup. I sent an
email from work to an invalid email address at home, and got the
following message:

,----------------------------------------------------------- --------.
| |
| This Message was undeliverable due to the following reason: |
| |
| Each of the following recipients was rejected by a remote mail |
| server. |
| The reasons given by the server are included to help you |
| determine why |
| each recipient was rejected. |
| |
| Recipient: |
| Reason: : Recipient address rejected: |
| User unknown in local recipient table |
| |
| Please reply to |
| if you feel this message to be in error. |
| |
| Reporting-MTA: dns; omta05sl.mx.bigpond.com |
| Arrival-Date: Thu, 28 Sep 2006 01:38:17 +0000 |
| Received-From-MTA: dns; lowstump.dyndns.org (147.10.92.173) |
| |
| Final-Recipient: RFC822; |
| Action: failed |
| Status: 5.1.1 |
| Remote-MTA: dns; piggo.com (203.206.60.205) |
| Diagnostic-Code: smtp; 550 : Recipient address |
| rejected: User unknown in local recipient table |
| |
| Subject: |
| bounce me baby |
| From: |
| Troy Piggins |
| Date: |
| Thu, 28 Sep 2006 11:38:15 +1000 |
| To: |
| invalid@piggo.com |
| |
| -- |
| Troy Piggins |
| All your sigs are belong to us. |
'----------------------------------------------------------- --------'

So it appears that although a mail is being sent back to the
"sender", it comes from the _real_ sender's smtp server after the
message got rejected by my server. This would be the correct
action?

I imagine if a spammer is sending spam to an invalid piggo
address, the above rejection wouldn't go to the innocent, forged
sender address, it would go back to the spammer's smtp server?

--
Troy Piggins
,-o
o ) Ubuntu linux 6.06 http://ubuntu.com RLU#415538 http://counter.li.org
`-o uptime: 11:36:31 up 17 days,17:05,2 users,load average:0.00,0.00,0.00

Re: not bouncing philosphy

On comp.mail.misc, in <20060928112453@usenet.piggo.com>, "Troy
Piggins" wrote:

Troy,

> * Alan Connor wrote:
>
>> On comp.mail.misc, in <20060928075618@usenet.piggo.com>, "Troy
>> Piggins" wrote:
>>
>> Hi Troy,
>>
>>> By default my postfix mail server sends an "unknown user"
>>> message back to senders of emails to invalid users for my
>>> domain. I understand this is not desirable because spam send
>>> to invalid users (which is probably all of the invalid user
>>> addressed mail) has forged sender addresses, so the error
>>> message is getting sent to innocent third parties.
>>
>> No. Most spammers take great care to avoid using possible real
>> return addresses in their spams. It just pisses people off and
>> causes trouble for them.
>
> I think that pissing people off is far from the small minds of
> spammers!

There _are_ a lot of spammers who are idiots, but they don't last
long: They needlessly piss people off and find their domains
(MTAs) on blocklists at best, or are tracked down and prosecuted.

Good spammers have return addresses that go to spam dumps that
they empty out every hour or so with a local program. Yahoo and
such are popular for that purpose.

You can mail those addresses all day long and never get a bounce
and never receive a reply.

>> Try mailing a few, manually. Just hit Reply. You'll probably
>> get a bounce from _your_ MTA, or your ISPs. (you are probably
>> just using it to deliver mail to your ISP's MTA).
>>
>> Do _you_ receive bounces from mails you never sent all the
>> time? Nope. No one does.
>
> Yes. At work we've received 10 or so in the last fortnight.

That's not very many. I get one or so a week at my spam study box
(unprotected except by Earthlink's spamfilters), but half the
time they turn out to be spam disguised as bounces. You have to
check them out.

I only save the headers at that box, by-the-way.


>> Running an MTA is a complex affair. I wouldn't bother trying
>> as a normal user. Better to just use msmtp to send your mail
>> to our ISP's MTA.
>>
>> If you want to get an idea of just how complex a modern MTA
>> is, subscribe to the exim mailing list.
>
> s/exim/postfix/ :)

:-/

Postfix isn't open source, isn't used as widely as exim, and
I doubt very much whether it has a spam/troll free forum as
excellent as exim's mailing list.

Alan

--
http://home.earthlink.net/~alanconnor/contact.html
http://home.earthlink.net/~alanconnor/cr.html
http://home.earthlink.net/~alanconnor/publickey.html

Re: not bouncing philosphy

* Alan Connor wrote:
> On comp.mail.misc, in <20060928112453@usenet.piggo.com>, "Troy
> Piggins" wrote:
>> * Alan Connor wrote:
>>> On comp.mail.misc, in <20060928075618@usenet.piggo.com>, "Troy
>>> Piggins" wrote:
>>>
[snip]
>>
>> I think that pissing people off is far from the small minds of
>> spammers!
>
> There _are_ a lot of spammers who are idiots, but they don't last
> long: They needlessly piss people off and find their domains
> (MTAs) on blocklists at best, or are tracked down and prosecuted.
>
> Good spammers have return addresses that go to spam dumps that
> they empty out every hour or so with a local program. Yahoo and
> such are popular for that purpose.
>
> You can mail those addresses all day long and never get a bounce
> and never receive a reply.
>
[snip]
>>> Do _you_ receive bounces from mails you never sent all the
>>> time? Nope. No one does.
>>
>> Yes. At work we've received 10 or so in the last fortnight.
>
> That's not very many. I get one or so a week at my spam study box
> (unprotected except by Earthlink's spamfilters), but half the
> time they turn out to be spam disguised as bounces. You have to
> check them out.
>
> I only save the headers at that box, by-the-way.
>
>
>>> Running an MTA is a complex affair. I wouldn't bother trying
>>> as a normal user. Better to just use msmtp to send your mail
>>> to our ISP's MTA.
>>>
>>> If you want to get an idea of just how complex a modern MTA
>>> is, subscribe to the exim mailing list.

No doubt a full blown 1000, or 10,000 user server is quite
complex, but for my home network postfix is quite simple and does
way more than I will ever need. I only had to change about 5
lines of the conf file to get my own mail server working.

>> s/exim/postfix/ :)
>
> :-/
>
> Postfix isn't open source, isn't used as widely as exim, and

You can look at the source if you like:
http://www.postfix.org/download.html

> I doubt very much whether it has a spam/troll free forum as
> excellent as exim's mailing list.

Postfix I found very easy to install and understand. That's all.
My work server has exim but I've never timkered much with it.

--
Troy Piggins
,-o
o ) Ubuntu linux 6.06 http://ubuntu.com RLU#415538 http://counter.li.org
`-o uptime: 12:19:09 up 17 days,17:47,2 users,load average:0.00,0.02,0.00

Re: not bouncing philosphy

On comp.mail.misc, in <20060928121909@usenet.piggo.com>, "Troy
Piggins" wrote:

Troy,


>>>> Running an MTA is a complex affair. I wouldn't bother trying
>>>> as a normal user. Better to just use msmtp to send your mail
>>>> to our ISP's MTA.
>>>> If you want to get an idea of just how complex a modern MTA
>>>> is, subscribe to the exim mailing list.
>
> No doubt a full blown 1000, or 10,000 user server is quite
> complex, but for my home network postfix is quite simple and
> does way more than I will ever need. I only had to change
> about 5 lines of the conf file to get my own mail server
> working.

If it was sending out bounces for every mail addressed to
non-existence addresses at your domain, it wasn't working!

I hope your MTA isn't inadvertantly being run as an open relay.
That happens a lot with inexperienced users.

>>> s/exim/postfix/ :)
>>
>> :-/
>>
>> Postfix isn't open source, isn't used as widely as exim, and
>
> You can look at the source if you like:
> http://www.postfix.org/download.html

I checked that out thoroughly, reading through the FAQ.

You are right. But that wasn't the case a few years ago, because
I remember reading about it in the Debian package description. It
had to be given a special status as a package because of it.

That was why I decided to study exim.

Is a positive development.

>
>> I doubt very much whether it has a spam/troll free forum as
>> excellent as exim's mailing list.
>
> Postfix I found very easy to install and understand. That's
> all. My work server has exim but I've never timkered much with
> it.

I'm not clear on what your MTA's use is. Are you actually
directly on the Internet on port 25, or are you just using it to
accept mail from, and send mail to, your ISP's MTA?

If the latter is the case, you aren't going to be able to make
use of most of the features an MTA has to offer. The IP and TCP
headers will be stripped before you get the mail.

In the former case you'd be hammered by the spammers, more and
more as time goes by. What you posted about here would be just
the beginning of your challenges in this regard.

You have a popserver running? If not, install one and I will be
your first client (who will grin and bear all of your learning
mistakes :-). You'd need GSASL or TLS authentication on the
mailserver.

I promise not to use "Alan Connor" as my alias!

:-))

Alan

--
http://home.earthlink.net/~alanconnor/contact.html
http://home.earthlink.net/~alanconnor/cr.html
http://home.earthlink.net/~alanconnor/publickey.html

Re: not bouncing philosphy

* Alan Connor wrote:
> On comp.mail.misc, in <20060928121909@usenet.piggo.com>, "Troy
> Piggins" wrote:
>
> Troy,
>
>
>>>>> Running an MTA is a complex affair. I wouldn't bother trying
>>>>> as a normal user. Better to just use msmtp to send your mail
>>>>> to our ISP's MTA.
>>>>> If you want to get an idea of just how complex a modern MTA
>>>>> is, subscribe to the exim mailing list.
>>
>> No doubt a full blown 1000, or 10,000 user server is quite
>> complex, but for my home network postfix is quite simple and
>> does way more than I will ever need. I only had to change
>> about 5 lines of the conf file to get my own mail server
>> working.
>
> If it was sending out bounces for every mail addressed to
> non-existence addresses at your domain, it wasn't working!

I've yet to establish whether it's set up complying with RFC2821
and RFC2822 (if they /are/ the relevant RFCs), and/or whether
it's not working/broken.

> I hope your MTA isn't inadvertantly being run as an open relay.
> That happens a lot with inexperienced users.

It is most definitely not set up to open relay. It's disabled by
default on postfix, and I even checked it.

>>>> s/exim/postfix/ :)
>>>
>>> :-/
>>>
>>> Postfix isn't open source, isn't used as widely as exim, and
>>
>> You can look at the source if you like:
>> http://www.postfix.org/download.html
>
> I checked that out thoroughly, reading through the FAQ.
>
> You are right. But that wasn't the case a few years ago, because
> I remember reading about it in the Debian package description. It
> had to be given a special status as a package because of it.
>
> That was why I decided to study exim.
>
> Is a positive development.
>
>>> I doubt very much whether it has a spam/troll free forum as
>>> excellent as exim's mailing list.
>>
>> Postfix I found very easy to install and understand. That's
>> all. My work server has exim but I've never timkered much with
>> it.
>
> I'm not clear on what your MTA's use is. Are you actually
> directly on the Internet on port 25, or are you just using it to
> accept mail from, and send mail to, your ISP's MTA?

On my home machine I am directly open on port 25. I just set it
up like that, and use dyndns.org to keep my dynamic IP up to date
in their nameservers. It receives mail directly, but I actually
use my ISP's relayhost to send mail via. Hmm, I think I could
change that now...

> If the latter is the case, you aren't going to be able to make
> use of most of the features an MTA has to offer. The IP and TCP
> headers will be stripped before you get the mail.

Don't think so. That's how it has been set up for years - I used
fetchmail to download mail from my ISP's POP server. I could
read all the received headers etc. The problem was I couldn't
reject unknown users at the SMTP level, so I could only /dev/null
them.

Now I can reject them at SMTP level.

> In the former case you'd be hammered by the spammers, more and
> more as time goes by. What you posted about here would be just
> the beginning of your challenges in this regard.

So be it.

> You have a popserver running? If not, install one and I will be

Yes I do.

> your first client (who will grin and bear all of your learning
> mistakes :-). You'd need GSASL or TLS authentication on the
> mailserver.

:) sorry, family only. There are no single females left in my
family, so I don't like your chances of getting in.

> I promise not to use "Alan Connor" as my alias!

Hmm, kook@piggo.com isn't taken... :O)

--
Troy Piggins
,-o
o ) Ubuntu linux 6.06 http://ubuntu.com RLU#415538 http://counter.li.org
`-o uptime: 13:45:17 up 17 days,19:14,2 users,load average:0.00,0.00,0.00

[Kook] Re: Re: not bouncing philosphy