[Mimedefang] [OT] Re: Clearing history for 63.216.184.10 - Useful Borderware Manager Discussion

Kevin A. McGrail kmcgrail at pccc.com
Fri Feb 2 10:33:27 EST 2007 

Chris:

Thanks for your reply.  I'll try and respond in detail and cc the MD List 
for more comments because they are the best group of people I've met for 
sounding out a myriad of issues related to email delivery in this day and 
age.

My first answer is that besides a manual configuration, MXtreme could do an 
MX lookup on the domain you are receiving and see if the host is a relay 
listed as a standard MX record if it's a local-host-name or allowed relay. 
This will allow you to automatically exclude "trusted" relays from your 
reputation system and could be cached based on the standard TTL settings for 
the domain.

At that point, the choice to utilize Backup MX's becomes a choice of the 
customer elected by DNS rather than something a person who may not know what 
they are doing has to set.

My second answer is that even with the above automation or manual 
identification of customers, I don't see how it would help.

Company X is down.  We queue mail for them.  When they come back up, 80% of 
the mail is then flagged for invalid recipient and our machine generates a 
proper RFC-driven NDR which goes back then to a potentially forged address 
of someone who is not related to us and happens to run your product.   It's 
not ideal and when things are working correctly, we do limit queuing to the 
extent possible.  However, in the end, backup MX's and NDRs are designed for 
when things are not ideal and something went wrong.  We cannot just ignore 
this and ignore NDRs.

My third answer on this is that just because NDRs are create by spammer I do 
not believe means people are reading them.  I would argue the vast majority 
are wasted emails that are caused by old mailing lists, joe-jobs and 
dictionary attacks.  I'd like to hear more if you believe they are actually 
using NDRs as a delivery method because it just doesn't make sense.  Most 
users don't know what one is, let alone know how to decipher it or get to 
the original email attached.  Therefore, other than annoying by volume, are 
NDRs an issue of actually being effective spam?  Your FAQ definitely leads 
me to believe this.

My fourth answer would be that IF you mark NDR's as SPAM then you implement 
a policy similar to AOL.

For example, we forward a LOT of email to AOL.  However, we do not 
fundamentally agree with any blocks for SPAM scores.  SPAM is in the eye of 
the beholder and FPs are a reality.

However, AOL DOES have a whitelist system and on top of that, they honor the 
X-Spam-Flag: Yes.  They, in fact, use this flag to automatically place the 
email into the users junk folder.

This doesn't cover my issue with the fact that AOL believes it's users too 
much as almost 100% of our "spam" feedback is legitimate mailing lists.  And 
I don't even mean legitimate marking mailing lists.  We are talking things 
like volunteer fire departments and internal mailing lists for Jerry's Subs 
and Pizza franchise members, Autism member organization lists, etc.  These 
people sign up and then use the "this is spam" as a "don't put this in my 
inbox" filter.  Argh!

But, I would argue you need a similar policy where if you are to hold NDRs 
against a company, you at least allow them to place and subsequently honor 
the X-Spam-Flag: Yes.  In short, "Yes, it's potential SPAM but the company 
is still going to deliver an NDR anyway" to exclude from the reputation 
system.

The problem with the end-result however is that spammers can simply put 
X-Spam-Flag: Yes into their headers and that's it.  For AOL, that's fine 
because it is filtered as junk mail automatically.  Therefore, I believe 
that if you made a change to MXTreme to utilize existing POSITIVE spam flag 
headers but ignore NEGATIVE headers (i.e. ignore X-Spam-Flag: No), and make 
it a user switchable option, you will A) save processor cycles if another 
box says it's SPAM, and B) be able to exclude it from the reputation 
measure.   Then those who run spam tests on NDRs can continue to do so and 
everyone is happy.  Of course, we'll have to figure out HOW to enable SPAM 
testing on NDRs but that is another issue.

Regards,
KAM

----- Original Message ----- 
From: "Chris Gabe" <chris at borderware.com>


> Yes no doubt.  We saw your post to mimedefang too.  We understand the pain 
> of NDR, oh do we ever.  The thing is, if over half the email is NDR spam, 
> well, trying to get people to stop it is arguably a whitehat initiative 
> too.  Over half the people that contact us don't know what NDR is, and 
> many manage to stop most of it.  If that's our first line defence, it's 
> not a bad one.
> The next question is though, you mentioned you are the backup mx for a 
> bunch of organizations.  There are facilities to deal with this in our 
> system.  Our customers can identify your ip as a relay and not report your 
> traffic.  If there's only a couple, we'd do that.  If there's many many 
> customers reporting you, we won't bother, we'd need to consider a 
> whitelist.  To date we only have about 10 such ip's (this is after a year 
> of this service running in thousands of customers).  Let us know your 
> thoughts.  There's more detailed information below but it sounds like you 
> know the scoop on things.

More information about the MIMEDefang mailing list