a note to those who would automate their rejection notices

Paul Vixie paul at vix.com
Sat Dec 27 19:06:30 UTC 2003 

today AOL thoughtfully supplied the following to postmaster at vix.com:

  Peewee1isme at aol.com
    SMTP error from remote mailer after initial connection:
    host mailin-02.mx.aol.com [64.12.137.89]:
    554-(RLY:B1)  The information presently available to AOL indicates this
    554-server is generating high volumes of member complaints from AOL's
    554-member base.  Based on AOL's Unsolicited Bulk E-mail policy at
    554-http://www.aol.com/info/bulkemail.html AOL may not accept further
    554-e-mail transactions from this server or domain.  For more information,
    554 please visit http://postmaster.info.aol.com.

this was in response to what the e-mail community refers to as a "trivial
forgery", whose salient headers were:

   Return-path: <ediva.clapplz at vix.com>
   Received: from port-212-202-52-233.reverse.qsc.de
		([212.202.52.233] helo=1-online-poker-video.com)
	by mx01.qsc.de with esmtp (Exim 3.35 #1)
	id 1AQIw9-0000bF-00; Sun, 30 Nov 2003 05:11:58 +0100
   Message-ID: <0d7b01c3b6f8$814916c5$da62d340 at ifptblb>
   From: "Ediva Clapp" <ediva.clapplz at vix.com>

so once again we see, as in the case of the anti-virus rejection notices,
that my reward for having my domain name forged in spam that didn't come
from here, is to get mail from AOL telling me that they rejected it.  so,
i'll add this pattern to my own "drop silently" filters along with chaff
from symantec's products, network associates' products, and so on.

of the foundational principles which made the internet possible and which
made it different from alternatives such as OSI, very few remain.  one of
them was "must scale indefinitely".  a simple application of this principle
toward anti-virus and anti-spam automated rejection notices is to ignore
the envelope and ignore the header and just focus on the peer IP address:

   To: postmaster@[212.202.52.233]

would have been a better destination for this.  it's standards-compliant,
and if the sender isn't an open proxy then they'll be able to get it, and
it will not needlessly increase the collateral damage toward the holders
of domains that were forged.

"don't make me stop this car, kids."

...and to all a good night.

More information about the NANOG mailing list