VeriSign SMTP reject server updated

ken emery ken at cnet.com
Sat Sep 20 18:34:17 UTC 2003


On Sat, 20 Sep 2003, Matt Larson wrote:

>
> Folks,
>
> One piece of feedback we received multiple times after the addition of
> the wildcard A record to the .com/.net zones concerned snubby, our
> SMTP mail rejection server.  This server was designed to be the most
> modest of SMTP implementations and supported only the most common
> sequence of SMTP commands.
>
> In response to this feedback, we have deployed an alternate SMTP
> implementation using Postfix that should address many of the concerns
> we've heard.  Like snubby, this server rejects any mail sent to it (by
> returning 550 in response to any number of RCPT TO commands).
>
> We would like to state for the record that the only purpose of this
> server is to reject mail immediately to avoid its remaining in MTA
> queues throughout the Internet.  We are specifically not retaining,
> nor do we have any intention to retain, any email addresses from these
> SMTP transactions.  In fact, to achieve sufficient performance, all
> logging has been disabled.
>
> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers.  One alternate option we
> are considering is rejecting the SMTP transaction by returning a 554
> response code as described in Section 3.1 of RFC 2821.  Our concern is
> if this response effectively causes most SMTP servers to bounce the
> message, which is the desired reaction.  We are researching common
> SMTP servers' handling of this response code; at least one popular
> server appears to requeue mail after receiving 554.  Another option is
> remaining with the more standard SMTP sequence (returning 250 in
> response to HELO/EHLO), but then returning 550 in response to MAIL
> FROM as well as RCPT TO.
>
> I would welcome feedback on these options sent to me privately or the
> list; I will summarize the former.

Matt,

I think you haven't "gotten it".  I'm getting the message from you that
the changes made to the com and net gTLDs are fait accompli.  From the
message above it sounds like by changing your smtp server everything
will be perfect and back to normal on the internet.  The problem here
is by adding wildcard records Verisign has broken lots of software
(the internet is NOT just the web no matter what Verisign would like
one to believe).  Many spam algorithms have relied on the fact that
nonexistent domain names are one of the ways (and a very effective one
at that) to filter spam.  Other registrars do an nslookup on a domain
name when attempting to register and if this comes back positive then
the domain is considered taken.  Is Verisign expecting everyone else
to modify software which has been working for years (based on what
have been valid assumptions for well over a decade)?  This will cost
millions (if not billions) of dollars.  As those in the spam world would
say, "the collateral damage is very high for this type of change".
Is Verisign going to hold the internet hostage to its whims?

So let us know why exactly you should be able to redirect any protocol
you wish to your IP addresses if someone mistypes a domain.

I look forward to your response.

bye,
ken emery
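The three rejection strategies discussed in the quoted message (550 at RCPT TO, 550 at both MAIL FROM and RCPT TO, or a 554 greeting per RFC 2821 section 3.1) can be modelled as a small reject-only SMTP responder. This is an added example, not VeriSign's snubby or Postfix configuration; the mode names, function names and the `example.invalid` host are this example's own assumptions.

```python
# Added illustration of a reject-only SMTP responder. Not VeriSign's snubby
# or Postfix code; MODES and all names below are this example's own.

MODES = ("rcpt_550", "mail_and_rcpt_550", "greet_554")

def greeting(mode):
    """Banner sent on connect. RFC 2821 s3.1 permits a 554 greeting, after
    which the client is expected to send only QUIT."""
    if mode == "greet_554":
        return "554 No SMTP service here"
    return "220 example.invalid ESMTP reject-only"

def respond(mode, line):
    """Reply to one client command line. No recipient is ever accepted."""
    verb = line.split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 example.invalid"
    if verb == "MAIL":
        # The third option in the quoted message: refuse the envelope sender too.
        return "550 Mail rejected" if mode == "mail_and_rcpt_550" else "250 OK"
    if verb == "RCPT":
        return "550 No such user here"
    if verb == "DATA":
        # Nothing was accepted at RCPT, so DATA is out of sequence (RFC 2821).
        return "503 Need RCPT (recipient)"
    if verb in ("RSET", "NOOP"):
        return "250 OK"
    if verb == "QUIT":
        return "221 Bye"
    return "502 Command not implemented"

def transcript(mode, client_lines):
    """Full dialogue as (side, text) tuples for a scripted client session."""
    log = [("S", greeting(mode))]
    for line in client_lines:
        log.append(("C", line))
        log.append(("S", respond(mode, line)))
    return log

def accepted_recipients(mode, client_lines):
    """Count RCPT commands answered 250; always 0 for this responder."""
    return sum(1 for line in client_lines
               if line.upper().startswith("RCPT")
               and respond(mode, line).startswith("250"))

if __name__ == "__main__":
    # Constructed client session, e.g. what a relaying MTA would send.
    session = ["EHLO mta.example.net", "MAIL FROM:<a@example.net>",
               "RCPT TO:<b@example.com>", "RCPT TO:<c@example.com>", "QUIT"]
    for side, text in transcript("rcpt_550", session):
        print(side, text)
```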
