a note to those who would automate their rejection notices

jlewis at lewis.org
Sun Dec 28 04:38:00 UTC 2003


On Sat, 27 Dec 2003, Paul Vixie wrote:

> today AOL thoughtfully supplied the following to postmaster at vix.com:

Did they really?

>   Peewee1isme at aol.com
>     SMTP error from remote mailer after initial connection:
>     host mailin-02.mx.aol.com [64.12.137.89]:
>     554-(RLY:B1)  The information presently available to AOL indicates this
>     554-server is generating high volumes of member complaints from AOL's
>     554-member base.  Based on AOL's Unsolicited Bulk E-mail policy at
>     554-http://www.aol.com/info/bulkemail.html AOL may not accept further
>     554-e-mail transactions from this server or domain.  For more information,
>     554 please visit http://postmaster.info.aol.com.
> 
> this was in response to what the e-mail community refers to as a "trivial
> forgery", whose salient headers were:
> 
>    Return-path: <ediva.clapplz at vix.com>
>    Received: from port-212-202-52-233.reverse.qsc.de
> 		([212.202.52.233] helo=1-online-poker-video.com)
> 	by mx01.qsc.de with esmtp (Exim 3.35 #1)
> 	id 1AQIw9-0000bF-00; Sun, 30 Nov 2003 05:11:58 +0100
>    Message-ID: <0d7b01c3b6f8$814916c5$da62d340 at ifptblb>
>    From: "Ediva Clapp" <ediva.clapplz at vix.com>

You didn't include much of the bounce, but from what you did include, I'm 
guessing this is similar to lots of spam bounces I've gotten.  
port-212-202-52-233.reverse.qsc.de originated the message (most likely via 
a trojan spam proxy/emitter that's infected it) and sent the spam through a 
local mail server, mx01.qsc.de.  mx01.qsc.de is actually the system 
blacklisted by AOL.  When it failed to deliver this spam to AOL, it tried 
returning it to the "sender", which likely landed the message in a 
catch-all email box at vix.com.

Assuming that's what happened, this isn't AOL's fault at all.

> them was "must scale indefinitely".  a simple application of this principle
> toward anti-virus and anti-spam automated rejection notices is to ignore
> the envelope and ignore the header and just focus on the peer IP address:
> 
>    To: [email protected][212.202.52.233]

That too will bounce.  I haven't checked, but I'd bet 
port-212-202-52-233.reverse.qsc.de (212.202.52.233) is an end-user running 
some flavor of Windows and does not run an SMTPd.

> "don't make me stop this car, kids."
> 
> ...and to all a good night.

When did this become SPAM-L?  This sort of thing's been talked about on 
several of the "other spam lists" for a few weeks since some spamware app 
started using "local MX's" as relays, likely to circumvent DNSBLs and 
outbound 25/tcp blocking.
 
We're all going to have to come up with patches or hacks to "rate-limit" 
outgoing email by originating IP, or things are really going to get ugly 
as ISPs start blacklisting each other's mail servers to stop this sort of 
relayed spam.
 
----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
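As an added illustration of the per-originating-IP rate limit proposed above (example code, not from the thread or any MTA), here is a sliding-window counter over constructed Exim-style arrival log lines; the log format, hostnames and sample timestamps are assumed, and the key is the peer IP that handed the relay the message, not the forged envelope or headers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Exim-style "<=" arrival format (not real log data).
SAMPLE_LOG = """\
2003-11-30 05:11:58 1AQIw9-0000bF-00 <= a@example.org H=port-212-202-52-233.reverse.qsc.de (1-online-poker-video.com) [212.202.52.233] P=esmtp S=1402
2003-11-30 05:11:59 1AQIwA-0000bG-00 <= b@example.org H=port-212-202-52-233.reverse.qsc.de (1-online-poker-video.com) [212.202.52.233] P=esmtp S=1398
2003-11-30 05:12:03 1AQIwB-0000bH-00 <= user@qsc.example H=dialup-7.example.net [10.0.0.7] P=esmtp S=2210
2003-11-30 05:12:05 1AQIwC-0000bI-00 <= c@example.org H=port-212-202-52-233.reverse.qsc.de (1-online-poker-video.com) [212.202.52.233] P=esmtp S=1411
2003-11-30 05:13:00 1AQIwD-0000bJ-00 <= d@example.org H=port-212-202-52-233.reverse.qsc.de (1-online-poker-video.com) [212.202.52.233] P=esmtp S=1390
"""

# Timestamp, queue id, sender, H=host (optional HELO name in parens), then [peer IP].
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ H=\S+(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]"
)

def originating_ips(log_text):
    """Yield (timestamp, peer IP) for each arrival line.
    The peer IP is what the relay actually talked to; a trivial forgery
    controls the envelope sender and headers but not this address."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def flag_bursty_sources(log_text, limit=3, window=timedelta(minutes=5)):
    """Sliding-window rate limit: an IP is flagged at the first arrival that
    pushes its count within `window` above `limit`. Returns {ip: first_flag_time}.
    Threshold and window are assumed values, not tuned recommendations."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in originating_ips(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop arrivals older than the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in flag_bursty_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded the outbound rate at {when}")
```

The infected end-user host is flagged on its fourth submission within the window, while the single legitimate submission from the other client is untouched.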