[Asrg] where the message originated

Rich Kulawiec rsk at gsp.org
Tue Jan 13 18:25:10 PST 2009 

I'm only going to tackle two of the many points contained therein.

On Tue, Jan 13, 2009 at 06:57:54PM -0600, Gordon Peterson wrote:
> First of all, ultimately the ONLY authority which TRULY determines FOR A  
> FACT whether a given piece of e-mail is unwanted or not is the final  
> recipient.

No, not really.  There are multiple authorities which may determine whether
a given message is accepted or not.  For example: it's possible that network
engineers have implemented the Spamhaus DROP list in the border routers of
a site, that systems engineers have used the NJBAL DNSBL in a mail
system's configuration, and that an end user has used a local filter
such as Spambouncer (which does not bounce, by the way).  Thus, the
logical AND of all three permissions is required before a message will
reach a user.

This is as it should be: network engineers are probably best positioned
to use effective mechanisms like the DROP list -- doubly so since best
usage of it encompasses more than just SMTP.  Morever, network engineers,
charged with the responsibility for implementing a comprehensive network
defense policy, may -- correctly in my opinion -- conclude that *regardless*
of what any end user wants, permitting traffic to/from networks on the DROP
list is a very bad idea.  Similar considerations apply to systems admins
and end users.

End users have been known to argue that this is a Bad Thing, because
they cannot get mail they want.  I counter-argue that deliberately
allowing them to receive mail from J. Random Well-Known spammer is
every bit as dangerous to them as deliberately allowing them to
receive the Outlook virus-of-the-day, or allowing known-malicious
packets to reach the network interface on their system.  End users
counter-counter-argue that this is fascist and draconian and etc.,
but usually decline the "opportunity" to be moved outside the
effective network perimeter and receive ALL mail, sans any spam
or malware filtering, and to be exposed to ALL network traffic.

And so on, endlessly goes the policy debate.  But my point is that
in most environments, there are multiple "layers", if you will, of
accept/reject decision-making going on, and while some of those 
layers may be based on criteria like "wanted", others may not be.
None of this is a problem to the rest of us -- nobody is obligated to
accept anyone's SMTP traffic -- as long as the accept/reject decision
is clearly communicated to the outside world so that can all tell what
the heck is going on.


> ...and particularly when the message contains neither virus nor spam,  
> and where I have not the slightest idea of who I would need to try to  
> contact (and where, or how) to solve the non-delivery problem.

It's been a best practice for a long time to arrange for every rejection
message to contain a human-readable string that gives some clue as to what
the problem was AND provides a means of resolving the problem, should
there be a mistake.  (This is in addition to the mandatory "postmaster"
address and the not-quite-so-mandatory-but-still-a-darn-good-idea
"abuse" address.)  Part of the problem here lies with broken mail
systems that either (a) mangle these strings or (b) substitute their
own, neatly undercutting the process.  Another part lies with end users,
who often cannot or will not take the time to read the rejection message,
or won't follow the instructions in it, or who presume that the
most likely possibility is not, perhaps, a history of spam from the
same mail system, or an errant filter, or a typo, but a personal
vendetta directed solely at them for no particular reason. [1]
And of course, most of the problem lies with mail systems that
don't even try to do this, or whose operators blithely presume
that their FP rate is 0%. [2]

Incidentally, consider how much worse this problem would get if
-- instead of returning a possibly-cryptic error message lacking
a recourse -- the recipient system simply discarded your message.

---Rsk

[1] See the Truthout & AOL debacle for an example, and note
the following for guidance in such situations:

	Vir: "Londo, they could have killed me!"
	Londo: "Nonsense, you are not important enough to kill."

[2] Maybe it's just me, but it seems that those using appliances
are particularly prone to this.  "But we paid a lot of money for it,
it can't be wrong", someone actually wrote to me.

More information about the Asrg mailing list