OPERATIONAL Question - Spamblock protocol

Hi folks,

I have an actual, no-bullshit operational opinion question relating to
spamming and spamblocking :slight_smile:

I'm working on the "intelligent bounce" software here for our spamblocker.
Right now we don't support bounces for spamblocked messages, for the reason
that the headers are often forged and thus the cycles to do this are wasted
(or annoying the wrong person).

Also, queueing the bounce back through Sendmail is usually a *bad* thing to
do, because sendmail is way to aggressive in trying to deliver mail when you
really want to make one pass at it and then give up.

So I'm having the spamblocker dump the spam into a different place, where I
then pick it up and post-process it to try to send the bounces back.

The problem is the algorythm.

My options appear to be:

1) Go to the "From" line WITHOUT MX resolution, and deliver there.
  If it fails, go to the relay which connected to us and send to

  Advantages: We try to hit the exact machine the mail claims to
  be from. There's a good chance that if it DOES have an SMTP
  listener on it we'll get back a good reply to the RCPT TO command
  (either positive or negative).

  Disadvantages: Many sites don't run SMTP listeners on their machines
  which resolve to the domain name in the headers, and some don't even
  HAVE such a machine mapped with an "A" record to send to. This will
  send to abuse and postmaster where a real person might be reachable

2) Go to the From line WITH MX resolution. I've already figured out
  that hitting secondary MXs is a bad idea, for the simple reason that
  most of them will say "220" to anything in the domain they're
  secondarying for, and what you REALLY want is to get back 400 or
  500 errors if the username is forged (as it frequently is) so you
  can then hit the relay abuse address INSTEAD.

  Advantages: This follows most closely the real Internet standards
  practice. Its still not 100% complient, but again, we don't care if
  we're "wrong" in the area of failing to deliver one of these

  Disadvantages: The lookup time is non-trivial, and if the FROM line
  is forged you're going to harass the wrong person with the bounce.
  The second problem is particularly severe, since a "bad guy" can now
  pick on someone like "President@whitehouse.gov" and you're going to
  send the bounces to Mr. Clinton. Once its figured out what you're
  doing, now these spammers have a nice denial-of-service attack they
  can launch. This is already being done to some extent, and I'm not
  sure that its a good idea to give them more fuel.

3) Screw the From line and hit the relay site directly; try to deliver
  to the user there, and if it fails then hit abuse and postmaster
  instead. Don't bother trying to look up the From line on the
  premise that its forged anyway.

  Advantages: The relay site either has an SMTP server on it or it
  does not. If it does, then you just got to someone who SHOULD be
  able to put a stop to it. If it does not, then you're wasting your
  time ANYWAY, but you probably know about it almost immediately when
  it comes back with an RST to your SYN. If its some jerk on a dialup
  dynamic address account you'll probably time out (unless someone
  else is on the IP number now, in which case you get an RST) but
  again, its reasonably fast.

  Disadvantages: The user who sent the spam will frequently not get
  notified. If your spamfilter blocks a legitimate user, you may
  never get notification to that person using this method.

In any case, if I fail to deliver the bounce on the first attempt I'm going
to ditch it and NOT retry. Its not a big deal from my point of view if you
don't get back every one of the 452,223 spams you send me - - if I return
450,000 of them that's enough :slight_smile:

The intent here is to do the following:

1) Alert the real sender if we can reasonably reach the person.
2) Alert the relay owner if they were relayed through without knowing
  about it (and pressure them to fix it - pronto!)
3) If we can't do either right away, toss the bounce on the floor
  on the premise that its better to give up than keep screwing around
  and clog up the pipeline.

What do the rest of you here think? Option (1) doesn't look very sound; the
fight right now is between (2) and (3).