[Mimedefang] Greylisting post-data (was Re: [PATCH] filter_data implementation)

- kd6lvw at yahoo.com
Thu May 28 16:17:29 EDT 2009

--- On Thu, 5/28/09, David F. Skoll <dfs at roaringpenguin.com> wrote:
> Date: Thursday, May 28, 2009, 7:26 AM
> Jeff Rife wrote:
> ...
> > What text, exactly, leads you to that conclusion?
> [RFC 5321] Section 4.3.2:
> ...
> Based on the indentation, I see the 4xx codes as acceptable only after
> "data" (i.e., the final dot), while 421 is an always-available escape hatch.
> It's not very clear, though, and it's too bad that we on the RFC2821-bis
> mailing list missed that. :-(

I did not really note any change regarding this across RFCs 2821 -> 5321.

> > But all of the following make sense after "DATA", even
> > though they aren't specifically listed:
> I agree, and an SMTP client SHOULD cope with them.

What the sum-total of the RFC means (at least to me) is that the only temp-error code that should ever be generated after a "DATA" command but before headers/body are transmitted is 421.  That means that a client program should have an expectation that no other code will ever be generated by a PROPERLY-BEHAVING server, but it should be prepared to handle anything.  A server that does generate something else does so because:

1)  It is misconfigured.
2)  It does not adhere to the standard.
3)  It is malware (includes spamware).

Regardless of the reason, detection of a different code (in my opinion) is cause to upgrade the error to fatal and generate an NDR for noncompliance (perhaps DSN 5.5.5 = "Wrong protocol version").  The NDR is proper in that, as the message passed any/all spam/forgery checks of the host that holds the message, it's not going to be (or should not be) backscatter.  If a future RFC/standard were to dictate another possibility to 421, then the version of the protocol has in fact changed and thus the 5.5.5 DSN would be accurate.

I think that only the extremely paranoid would care.  Then again, I kill messages that have improperly formatted "Received:" header lines.  (Those that claim "with *smtp*"(wildcarded) must conform to 5321 instead of the looser syntax in 5322 and as such, they must have "from" and "by" clauses that are domain names (or address literals).  If they don't, I reject them as malformed spam.  The only "false" positive (I don't really consider it false as it is noncompliant) is from some versions of Micro$oft Exchange which likes to say:  'from mail pickup service' or 'with microsoft smtpsvc'.  Within the permitted syntax, 'from "mail pickup service"' (note the double quotes) is the correct ABNF statement.  As much virusware tends to inhabit Micro$oft OS-based systems, I don't consider that a significant loss.  No reason not to punish those who can't follow the standards since many are spammers anyway.

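The "Received:" check described in the message above, sketched as an added example (it is not the poster's filter and not MIMEDefang code). It uses a simplified subset of the RFC 5321 Domain and address-literal syntax rather than the full ABNF, and the function names, verdict strings and header values are constructed for illustration.

```python
import re

# Simplified RFC 5321 tokens (assumption: not the complete ABNF).
SUBDOMAIN = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = rf"{SUBDOMAIN}(?:\.{SUBDOMAIN})*"
ADDR_LITERAL = r"\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]"
HOST = re.compile(rf"(?:{DOMAIN}|{ADDR_LITERAL})\Z")
KEYWORDS = ("from", "by", "via", "with", "id", "for")


def parse_clauses(header_value):
    """Split a Received: value into {keyword: text up to the next keyword}."""
    stamp = header_value
    while True:  # strip (possibly nested) parenthesised comments
        stripped = re.sub(r"\([^()]*\)", " ", stamp)
        if stripped == stamp:
            break
        stamp = stripped
    stamp = stamp.split(";", 1)[0]  # drop the trailing date-time
    clauses, key = {}, None
    for tok in stamp.split():  # split() also unfolds continuation lines
        low = tok.lower()
        if low in KEYWORDS and low not in clauses:
            key = low
            clauses[key] = []
        elif key:
            clauses[key].append(tok)
    return {k: " ".join(v) for k, v in clauses.items()}


def check_received(header_value):
    """Return 'skip', 'ok', 'malformed-from' or 'malformed-by'."""
    clauses = parse_clauses(header_value)
    # Only headers whose "with" clause claims *smtp* are held to 5321 syntax.
    if "smtp" not in clauses.get("with", "").lower():
        return "skip"
    for key in ("from", "by"):
        # The whole clause must be one domain or address literal, so
        # "mail pickup service" fails even though "mail" alone would pass.
        if not HOST.match(clauses.get(key, "")):
            return f"malformed-{key}"
    return "ok"


# Constructed sample headers (documentation domains and addresses).
GOOD = ("from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net"
        " (Postfix) with ESMTPS id 4ABC123 for <user@example.net>;"
        " Thu, 28 May 2009 16:17:29 -0400")
PICKUP = ("from mail pickup service by exch01.example.com with Microsoft SMTPSVC;"
          " Thu, 28 May 2009 16:17:29 -0400")
LITERAL = "from [192.0.2.77] by mx.example.net with SMTP id X1; Thu, 28 May 2009 16:17:29 -0400"
NOT_SMTP = "by mx.example.net with HTTP id abc; Thu, 28 May 2009 16:17:29 -0400"
```

A "skip" verdict means the header makes no SMTP claim, so the stricter syntax is not applied to it.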