[89864] in North American Network Operators' Group


Re: Open Letter to D-Link about their NTP vandalism

daemon@ATHENA.MIT.EDU (Joe Maimon)
Tue Apr 11 11:30:52 2006

Date: Tue, 11 Apr 2006 11:30:08 -0400
From: Joe Maimon <jmaimon@ttec.com>
To: Matthew Black <black@csulb.edu>
Cc: nanog@merit.edu
In-Reply-To: <web-8459324@remus.csulb.edu>
Errors-To: owner-nanog@merit.edu




Matthew Black wrote:

> 
> On Mon, 10 Apr 2006 23:23:06 -0700 (PDT)
>  Matt Ghali <matt@snark.net> wrote:
> 
>>
>> On Tue, 11 Apr 2006, Simon Lyall wrote:
>>
>>> Everyone here runs spam filters. Many times a day you tell a remote MTA
>>> you've accepted their email but you delete it instead. Explain the
>>> difference?
>>
>>
>> Hold on there. What you are describing is evil and bad, and I 
>> certainly hope "everyone" does not do that.
>>
>> When I do not wish to accept a message, I do not accept it, rejecting 
>> with an SMTP permanent delivery failure.
>>
>> Don't mean to go off on a tangent, but accepting and then silently 
>> discarding mail is a terrible idea.

This is way OT.

Inline rejection -- best
Notification after the fact -- Worst, but sometimes unavoidable
Silent Discard -- better than blanket notifications

Try to limit the second in preference for the first.

For anything in which your detection mechanism's accuracy is high 
enough, you can probably perform the last without much worry.

>>
>> matto
> 
> 
> 
> Are you suggesting that we configure our e-mail servers to notify
> people upon automatic deletion of spam?

Don't do that. Notify the recipient if anything. Unfortunately they may 
learn to ignore such notifications, especially if your system is fairly 
accurate. I advise against such "quarantine;store;notify;wait;delete" 
systems precisely because of this.

> Frequently, spam cannot be
> properly identified until closure of the SMTP conversation and that
> final 200 MESSAGE ACCEPTED...or do you think that TCP/IP connection
> should be held open until the message can be scanned for spam and
> viruses just so we can give a 550 MESSAGE REJECTED error instead of
> silently dropping it?

Yes, a 550 after completion of DATA with <cr><lf>.<cr><lf> is perfectly 
acceptable and preferable. Legit senders should hang around for the half 
minute or so to receive 220, and illegits will tend to drop the 
connection after being told 550.

> 
> Because most spam originates from a bogus or stolen sender address,
> notification creates an even bigger problem. What's next: asking for
> permission to hang up on telemarketers?

I do that all the time with barely a no thanks. My wife complains that I 
am rude to do so. I think not.

The problem is in the word "most". With regards to anti-virus, "most" 
becomes "well upwards of 99%", and as such silent discard is more 
acceptable.

> 
> matthew black
> network services
> california state university, long beach
> 
> 
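
The inline rejection discussed in this message (scan once the end-of-DATA terminator arrives and answer 550 while the sending host is still connected), as an added example that is not part of the original post. The scanner, the `X-Constructed-Spam-Marker` header, the host names and the sample messages are constructed for illustration.

```python
# Added example. Scanner, host names and messages are constructed.
def looks_like_spam(message):
    """Hypothetical stand-in for a real spam/virus scanner."""
    return "X-Constructed-Spam-Marker: yes" in message

class Session:
    """Server side of one SMTP conversation, fed one client line at a time."""
    def __init__(self, scanner=looks_like_spam):
        self.scanner = scanner
        self.in_data = False
        self.lines = []
        self.delivered = []  # messages we accepted responsibility for

    def feed(self, line):
        """Return the reply to one client line (None while inside DATA)."""
        if self.in_data:
            if line != ".":
                # Undo dot-stuffing (RFC 5321, section 4.5.2) and keep reading.
                self.lines.append(line[1:] if line.startswith(".") else line)
                return None
            # <CRLF>.<CRLF> seen: scan now, while the sender is still waiting.
            self.in_data = False
            message, self.lines = "\r\n".join(self.lines), []
            if self.scanner(message):
                # Inline rejection: the sending MTA handles the failure, so
                # no bounce is ever generated toward a forged address.
                return "550 5.7.1 Message rejected by content filter"
            self.delivered.append(message)
            return "250 2.0.0 Message accepted"
        verb = line.split(" ", 1)[0].upper()
        simple = {"HELO": "250 mx.example.test", "EHLO": "250 mx.example.test",
                  "MAIL": "250 OK", "RCPT": "250 OK", "QUIT": "221 Bye"}
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return simple.get(verb, "500 Command not recognized")

def converse(body_lines):
    """Run one constructed conversation; return (replies, delivered)."""
    session = Session()
    client = ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
              "RCPT TO:<b@example.test>", "DATA", *body_lines, ".", "QUIT"]
    replies = [r for r in map(session.feed, client) if r is not None]
    return replies, session.delivered

if __name__ == "__main__":
    print(converse(["Subject: hi", "", "lunch?"])[0][-2])
    print(converse(["X-Constructed-Spam-Marker: yes", "", "buy"])[0][-2])
```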
