Open Letter to D-Link about their NTP vandalism

• Previous message (by thread): Open Letter to D-Link about their NTP vandalism
• Next message (by thread): Open Letter to D-Link about their NTP vandalism
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Matthew Black wrote:

> 
> On Mon, 10 Apr 2006 23:23:06 -0700 (PDT)
>  Matt Ghali <matt at snark.net> wrote:
> 
>>
>> On Tue, 11 Apr 2006, Simon Lyall wrote:
>>
>>> Everyone here runs spam filters. Many times a day you tell a remote MTA
>>> you've accepted their email but you delete it instead. Explain the
>>> difference?
>>
>>
>> Hold on there. What you are describing is evil and bad, and I 
>> certainly hope "everyone" does not do that.
>>
>> When I do not wish to accept a message, I do not accept it, rejecting 
>> with an SMTP permanent delivery failure.
>>
>> Don't mean to go off on a tangent, but accepting and then silently 
>> discarding mail is a terrible idea.

This is way OT.

Inline rejection -- best
Notification after the fact -- Worst, but sometimes unavoidable
Silent Disacard -- better then blanket notifications

Try to limit the second in preference for the first.

For anything in which your detection mechanism's accuracy is high 
enough, you can probably perform the last without much worry.

>>
>> matto
> 
> 
> 
> Are you suggesting that we configure our e-mail servers to notify
> people upon automatic deletion of spam?

Dont do that. Notify the recpient if anything. Unfortunately they may 
learn to ignore such notifications, especialy if your system is fairly 
accurate. I advise against such "quarantine;store;notify;wait;delete" 
systems precisely because of this.

> Frequently, spam cannot be
> properly identified until closure of the SMTP conversation and that
> final 200 mMESSAGE ACCEPTED...or do you think that TCP/IP connection
> should be held open until the message can be scanned for spam and
> viruses just so we can give a 550 MESSAGE REJECTED error instead of
> silently dropping it?

Yes, a 550 after completion of DATA with <cr><lf>.<cr><lf> is perfectly 
acceptable and preferable. Legit senders should hang around for the half 
minute or so to receive 220, and illegits will tend to drop the 
connection after being told 550.

> 
> Because most spam originates from a bogus or stolen sender address,
> notification creates an even bigger problem. What's next: asking for
> permission to hang up on telemarketers?

I do that all the time with barely a no thanks. My wife complains that I 
am rude to do so. I think not.

The problem is in the word "most". With regards to anti-virus, "most" 
becomes "well upwards of 99%", and as such silent discard is more 
acceptable.

> 
> matthew black
> network services
> california state university, long beach
> 
> 

• Previous message (by thread): Open Letter to D-Link about their NTP vandalism
• Next message (by thread): Open Letter to D-Link about their NTP vandalism
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]