John D. Hardin wrote:
On Tue, 10 Apr 2007, J. wrote:

I didn't realize that most people are denying smtp connections for
bad addresses. That's great that this is possible. So most of the
people on this list reject connections that are for bad addresses?
That's great. I think that would cut down the spam we get by 90%.
I had no idea this was possible.

That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent addresses as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the "no such address" rejections, leading to no additional impact on innocent third parties.

Contrast this with having your MTA accept the message for delivery, pass the message on down the chain, and then have some later step realize the address is invalid and generate a notice to the sender address that the message was undeliverable.

You're now generating outbound mail based on a spam you received. This is bad.

If the address was forged and nonexistent, your bounce will be rejected by the supposed sender's MTA; that's not as bad as actually delivering a bounce to a real user, but you're still generating pointless traffic to some innocent third party.

Multiply that by the millions of messages in a typical spam run and you can get a DDoS against whatever address or domain was forged on the spams as the sender address.

Rejecting the addresses during the SMTP conversation doesn't generate this extra traffic.

Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g. pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.
qmail, which I believe the OP was using, is one of these "badly broken by current standards" MTAs, as you put it. By default, it accepts ALL mail regardless of the validity of the recipient. It will then generate a bounce to the (most likely) forged address when it figures out the recipient does not exist. There are many addons/patches to correct this behavior. I would check (using something other than IE) http://qmail.jms1.net for general information and useful patches. And more specifically, http://qmail.jms1.net/patches/validrcptto.cdb.shtml which gives you the ability to reject invalid recipients at SMTP time.

-Jim
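To make the behaviour described in the thread concrete, here is a small model of the server side of the SMTP conversation: each RCPT TO is checked against a local recipient table and refused with a 550 on the spot (so no bounce is ever generated by us), DATA is refused with 554 when no recipient was accepted, responses are delayed once a session has submitted more than a few bad addresses (the tarpit John mentions), and a log watcher counts 550 rejections per client IP (the "detect IPs that continually submit bad addresses" step). This is an added example, not code from the thread, from qmail, or from the jms1.net patches; the recipient table, thresholds, log format and IP addresses are constructed for illustration, and the delay is returned as a number rather than slept so the model stays testable.

```python
"""Model of recipient validation during the SMTP conversation (added example).

Not code from any MTA or from the thread; the recipient table, tarpit policy,
log format and client addresses below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed local recipient table. In a real MTA this is the valid-recipient
# lookup (cdb, passwd, LDAP, ...); the addresses here are made up.
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org", "postmaster@example.org"}

# Tarpit policy (constructed values): once a session has sent this many bad
# RCPT TO commands, every further reply is delayed by TARPIT_DELAY seconds.
TARPIT_AFTER = 3
TARPIT_DELAY = 5.0


class SmtpSession:
    """Server-side state for one SMTP connection, handling RCPT TO and DATA."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.accepted = []      # recipients we answered 250 to
        self.bad_count = 0      # rejected RCPT TO commands in this session
        self.log = []           # log lines the watcher below will read

    def _delay(self):
        """Seconds to hold the reply back; 0 until the tarpit threshold."""
        return TARPIT_DELAY if self.bad_count >= TARPIT_AFTER else 0.0

    def rcpt_to(self, address):
        """Answer one RCPT TO:<address>; returns (reply, delay_seconds)."""
        addr = address.strip().lower()
        if addr in VALID_RECIPIENTS:
            self.accepted.append(addr)
            return "250 2.1.5 Ok", self._delay()
        # Reject now, while the submitting MTA is still on the line. It owns
        # the failure; we never accept the message, so we never bounce it.
        self.bad_count += 1
        self.log.append(f"reject {self.client_ip} rcpt=<{addr}> 550 unknown recipient")
        return "550 5.1.1 No such user here", self._delay()

    def data(self):
        """Answer DATA: proceed only if at least one recipient was accepted."""
        if self.accepted:
            return "354 End data with <CR><LF>.<CR><LF>", self._delay()
        return "554 5.5.1 No valid recipients", self._delay()


def run_conversation(client_ip, recipients):
    """Drive one session: RCPT TO for each address, then DATA.

    Returns (replies, accepted_recipients, total_delay_seconds, log_lines).
    """
    session = SmtpSession(client_ip)
    replies, total_delay = [], 0.0
    for rcpt in recipients:
        reply, delay = session.rcpt_to(rcpt)
        replies.append(reply)
        total_delay += delay
    reply, delay = session.data()
    replies.append(reply)
    total_delay += delay
    return replies, session.accepted, total_delay, session.log


# Matches the constructed log format written by SmtpSession.rcpt_to above.
LOG_RE = re.compile(r"^reject (?P<ip>\S+) rcpt=<[^>]*> 550 ")


def find_dictionary_attackers(log_lines, threshold):
    """Log watcher: client IPs with at least `threshold` 550 recipient rejections."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if match:
            counts[match.group("ip")] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed sessions: one legitimate sender with a typo, one address
    # harvester walking a dictionary.
    _, _, _, log_a = run_conversation("192.0.2.10", ["alice@example.org", "nobody@example.org"])
    _, _, _, log_b = run_conversation("198.51.100.7",
                                      ["aaron@example.org", "aaa@example.org",
                                       "abe@example.org", "abigail@example.org"])
    print(find_dictionary_attackers(log_a + log_b, threshold=3))
```

The point of the 554 at DATA is the one John makes: if nothing was accepted there is nothing to bounce, and whatever the remote side does with the failure is its own problem. A real MTA's tarpit would sleep for the returned delay before writing the reply; the watcher would feed its result to a firewall or blocklist rather than just returning it.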
