DynDNS Drops Non-Delivery Reports

jetkins writes "In an email to subscribers, DynDNS announced that they will no longer deliver locally generated non-delivery reports (NDRs) from any MailHop systems. MailHop is a multi-faceted service offering in- and outbound relay services, spam and virus filtering, and store-and-forward buffering. DynDNS makes it clear that they are aware that this goes against RFC 2821 Section 3.7, but explains that in their opinion the increase in spam volume, and the use of NDRs as a spam vector, means that the value of NDRs is now far outweighed by their potential for harm. (DynDNS also points to the far greater reliability of email systems now than when the RFC was approved.) The company notes that other ISPs have quietly dropped RFC 2821-compliant NDRs. Will their public move start a flood (mutiny) of ISPs following suit? Should they have made efforts to have the standard changed instead of defying it?"

Finally, a service provider with a clue...

[Eggplant62 (120514)]

Well, seeing as how a friend and I have a client who's being bombarded by NDRs as a result of a joe-job on the client's domain name, it's good to know that DynDNS is copping a clue. Too bad you can't get the rest of the ISP gang on board that easily and that quickly.

Re:Finally, a service provider with a clue...

[jetkins (1049838)]

A large proportion of Joe Jobs are made possible by lame endpoint SMTP servers which accept incoming mail, close the connection, then check to see if the recipient is valid, and generate an NDR to the address specified in the headers, which are too easily forged.

A properly-configured endpoint server should check addressee validity during the SMTP exchange, and reject the transfer before it even gets into the system, so the spammer's attempt goes nowhere and "Joe" doesn't get an unwarranted NDR.

Of course that doesn't help proxy providers like DynDNS, unless they have some way of authenticating their clients' valid addresses in real time via a direct connection or regular updates.

Re:

[morcego (260031)]

Isn't it time we changed something. Amended or created a new RFC, or design mail servers that don't talk to poorly implemented servers.

"If you think you can create a foolproof system, you are one of the fools" - No idea who I'm misquoting.

Re:

[morcego (260031)]

My suggestion is not to try and create a "perfect" RFC, but to create one flexible enough where you can fix stuff as it appears. Specially something that is backward compatible with what we have today.

We already moved from SMTP to ESMTP. Maybe we can go a step further, with, I don't know, ASMTP or whatever you want to call it. Then impose extra controls on messages that arrive via SMTP or ESMTP.

In any case, there is absolutely nothing we can do about zombies, unless you want to implement some kind of "are y

Re:Finally, a service provider with a clue...

[totally bogus dude (1040246)]

Bunk. Even if it was true, it's still no excuse for ignoring your responsibilities.

I run the mail servers for several domains, and brute-force attacks just don't happen. It's fairly obvious why, if you think about it. Dictionary attacks against common names are possible, but I've not seen evidence to suggest that's happening.

Firstly, I want to get back to "responsibilities". By this I mean that anyone who's connected to the internet has a basic responsibility to make at least a good-faith attempt to prevent their system being used against other people. This goes doubly for people who intentionally run publically accessible servers (e.g. mail servers and web servers). You should treat any mail system which indiscriminately generates NDRs the same way you'd treat an open relay, because that's effectively what it is. You are deliberately making a server available which will accept mail from anyone on the internet, and send it to anyone else on the internet*. This is reckless irresponsibility.

* - most NDR messages include at least part of the original message's text; at the very least, the subject line. So a system which generates backscatter does in fact carry some payload chosen by an anonymous third party.

Even if brute-force attacks on your mail server's address list do occur, there are ways to mitigate the effects of it that don't turn your system into a spam engine.

Having a look through the last 48 days logs on one of my servers, there's 2,308 addresses which were rejected because they're non-existent. The vast majority are either formerly valid addresses (i.e. of people who used to work here), or slightly mangled versions of valid addresses (presumably badly parsed). Particularly common are things starting with "3D" (presumably parsed from quoted-printable data which contains =3D) or people's surnames (smith@example.com) -- our email addresses are in the format firstname.lastname@example.com, and it would appear that some harvesters consider periods before the @ to be invalid.

The second part highlights why brute-force is impractical: the namespace before the @ is absolutely massive, and only a tiny fraction will be valid addresses. If you have no idea what format email addresses in the target domain take, you have no choice but to try everything, and that will take far longer than a week. Add to this the proliferation of very small domains with only a handful of email addresses (i.e. personal domains, promotional domains). Even with a vast botnet, trying to harvest addresses by brute force against a mail server is so horribly inefficient as to not be worthwhile. There's much easier ways to harvest addresses.

Then there's technical issues with that kind of harvesting. First, any reasonable mail server will start responding slower to a client which is making repeated errors, before finally shutting them off. This means you have to make lots of connections. Second, brute force or dictionary attacks stick out like a sore thumb versus normal mail traffic, making it trivial to block any IP which is trying to harvest addresses in this manner. The only possible way to do these sorts of attacks would be to use a vast distributed botnet, and even then it's not going to work. It would be easy (and fun) to build a system that watches for such attacks and blacklists any IP involved. Anyone harvesting in this way would then be betraying the IPs of most of their bots during the harvest! Then there's lots of clever things one can do: once you have a known harvester, start okaying its invalid addresses and add them to your list of spamtraps. Not only is the spammer not collecting any valid addresses, but you're poisoning their address list!

Brute-force attacks are too easy to detect, and too easy to use against the attacker. There's much, much easier and more efficient ways to harvest email addresses. Possibly it could be used if you're targeting a specific company or domain and can do some research into their configuration, but even then there

Re:

[r3g3x (1147243)]

Well, seeing as how a friend and I have a client who's being bombarded by NDRs as a result of a joe-job on the client's domain name, it's good to know that DynDNS is copping a clue

Ignoring a problem isn't the same as fixing it... NDRs serve a useful purpose assuming the original message was actually useful. The problem isn't sending out NDRs. The problem is sending an NDR in response to spam!

I've had to deal with the whole joe-job+NDR+DDOS scenario on several occasions... I have found that 65~80% of th

Re:

[Warbothong (905464)]

Just as an issue to note, I sent somebody a relatively important email recently from my Gmail account (accessed using Evolution via POP3 and SMTP). Around a week later I was at someone else's house and couldn't be bothered set my laptop up with their wireless system (their network is encumbered by encryption algorithms) so I used Google's webmail system to check my email. Sitting in the 'Spam' folder was a failed delivery notice from the important email I'd sent earlier (turns out the address I had used had

What I'd like to see...

[SomeJoel (1061138)]

In addition to not providing NDRs, it would be great if the ISP took the following approach: If 5 or more non-deliverable messages to different addresses within the ISP's domain are received within a period of 10 minutes, then the sender's IP address should be blocked for a period of 24 hours. That, I think, would do a small bit to slow down the spam.

Re:What I'd like to see...

[AuMatar (183847)]

And kill mailing lists. Not all mass mails are spam.

Re:

[Chyeld (713439)]

as well as providing a fairly simple manner of performing DOS against a domain, simply spoof your way into seeming to be their mail server and slam in the garbage.

Re:

[profplump (309017)]

That's a non-trivial attack though -- it's not as though you can send mail with uni-directional traffic.

In order to spoof a remote IP address you'd have to basically have to share a wire someplace between the mail server and your spoofing target, or exploit some secondary flaw on a router/host along that same path. It could be done, but there are easier ways to DoS, and most of those ways are effective beyond the single-host-to-single-mailhost-for-mail-service-on ly scope that is targeted with the attack y

Re:

[adminstring (608310)]

Here's an example of how mailing lists can be useful: I'm into music and bicycles, and I get periodic emails from several online vendors of music and bike gear letting me know what specials they are having, and quite often I see something I like in these emails, so I click a link and go shopping. I opted in to these mailing lists, and they help me find deals I wouldn't otherwise be aware of.

I wouldn't probably think to check a forum for an announcement on a free-shipping sale or a closeout on last year

Re:

[wiredlogic (135348)]

This scheme would be useless against a distributed botnet attack.

RFC-Ignorant.org

[nagora (177841)]

I did this some time ago for the same reasons and the wankers at RFC-Ignorant.org put my home email server on their blacklist. The twats argued with me that NDRs are such a vital part of email that any amount of spam was a price worth paying for maybe one NDR a year.

Stupid bastards.

Re:

[by Anonymous Coward]

What's needed is for servers to start determining immediately whether they can deliver the mail or not and respond to the sender with an appropriate error code if not, instead of sitting on it for a few hours and then creating a bounce message. This can even work over multiple hops if the sending server isn't an open relay, the destination server replies to your ISP's mailserver with "550 Cant send shit captain!", and leave it up to your ISP to decide to retry, generate a bounce to you (which it should hav

Re:

[Jeff DeMaagd (2015)]

I don't see the point in dogmatically upholding a rule for its own sake. If a rule doesn't always make sense, then change it. An RFC for RFC's sake doesn't do us any good unless the principles in it are still a good idea. Having said that, I think RFCs in general a bit baffling, harder to comprehend then legislation.

Re:

[Applekid (993327)]

If a rule doesn't always make sense, then change it.

So I wonder, why DynDNS and the others are just doing it without going through the effort of having it changed?

It's easier to get forgiveness than permission, I suppose.

Re:

[fm6 (162816)]

You're an evil person! I'll bet your whois record doesn't even have your correct email and phone number!

Re:

[flabbergasted (518911)]

Why are you accepting a message for a nonexistent user in the first place? As soon as the sending SMTP connection specifies RCPT you should be able to check if it is valid and terminate the connection if it is for a nonexistent user. This can all be done before the DATA command is issued. Why waste cycles virus scanning, spam screening and bouncing a message for a user you don't even have? You're not just RFC ignorant, you're ignorant of how to properly run a mail server!

Note that the method above get

Re:

[plague3106 (71849)]

That's a great way to determine VALID accounts to spam.

Re:RFC-Ignorant.org

[fimbulvetr (598306)]

That's a great way to determine VALID accounts to spam.

A lot of people bring up this point, but it's only ostensibly helpful anyway. The resources you save from not verifying an address are _quickly_ eaten up by the fact that you're queueing messages for invalid addresses on your domain at oftentimes insane rates. Pretty soon, your lame server is going to start to deliver these zillion+ NDRs and not only ruin the rest of your day for your users by stealing bandwidth and mail server resources, but also for many, many other people on the internet who need to delete the 80+ NDRs you sent them.

So USE that information.

[khasim (1285)]

Yes, the spammer can determine whether it has a valid account. But that means ...

#1. The spammer already HAS the account name and is checking to see if it still works. Defeat this by generously distributing SpamTrap accounts. And accepting email to them. And then opt'ing out of the email that they receive.

#2. The spammer is trying to guess a new name. Good luck with that. Sure, maybe SOMEWHERE there is an email account of "frank@example.com" but good luck finding it. If you want to have some FUN, watch your logs for examples of this. Then setup some of them as SpamTraps. And follow #1 above.

I use both of these approaches. It makes filtering spam VERY easy.

Re:

[dondelelcaro (81997)]

That's a great way to determine VALID accounts to spam

If someone is going to pull off a dictionary attack against the SMTP server, then you just discard connections to them after a specific number of invalid users.

Almost all mainstream MUAs support this sort of thing now.

At the end of the day, if you actually accept the message for delivery and later reject it, you should do so silently.

Re:

[aaronl (43811)]

If you're a backup mail exchanger, then you must accept mail on behalf of the primary mail server, and relay to it later. You don't necessarily have any way to verify the account as valid at that time. If you don't do a NDR, then the message originator has no way to know that an error occurred when the backup MX tried to relay into the primary.

Re:

[gi-tux (309771)]

And this is exactly the case with DynDNS and their MailHop service. They will receive email for many folks that are behind and ISP that blocks all incoming traffic on port 25. Then they will relay it to the server on a different TCP port, such as 52525. So if I were a customer of DynDNS and someone sent me an email but misspelled my username (gitux instead of gi-tux), then a problem is going to happen. DynDNS accepts the email which was intended for me (but the wrong username). DynDNS then forwards the

Re:

[Menchi (677927)]

There's even a solution for this kind of problem: It's called "recipient callout". The proxy SMTP Server will attempt a fake delivery attempt to the endpoint SMTP server before OKing a recipient. If it succeds, OK it, if it fails, deny it. Sure it costs some resources, but less than a bounce. And if you don't have enough resources to run an email server, don't run an email server.

Re:

[TheRaven64 (641858)]

What exploit are they trying to prevent?

The 'business customer buying a consumer account' exploit. This is more important to a lot of ISPs than a number of other exploits that have no impact on their bottom line.

Re:

[megaditto (982598)]

Am I the only one here that likes NDRs? If some important email is not delivered, I would much prefer that a sender is notified about that failure. Wouldn't you?

Outright NDR ban is just plain stupid, akin to curing headaches with guillotine. If they must do something, why not place a cap and delay on the NDR traffic.

Re:

[the_humeister (922869)]

Am I the only one here that likes NDRs?

Yes

Re:

[nuzak (959558)]

Proper mail servers bounce during the SMTP session. Even AOL has LDAP integration so they can bounce during the SMTP session. If they can do it, anyone can. DynDNS is simply no longer doing accept-and-bounce, which is a GOOD thing. That they're not moving to an architecture that would prevent accept-and-bounce isn't so hot, but considering what they are, I don't see how they could. This makes them one of the few organizations that actually has an excuse.

I'm not one of the people that shouts how "email

Change or Defy

[Astrogen (16643)]

While I do believe they should initiate an effort to update the standard, if they view it as a security threat or a spam vector they are entirely right in shutting down the service.

If a RFC said all boxes should have a port that users could telnet into with root access, and people start abusing that would you leave it and wait for the standard to change?

SPF?

[Southpaw018 (793465)]

If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved? Don't send NDRs to domains without SPFs or when SPF fails. NDRs get through and problem solved.

And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

Re:

[Sircus (16869)]

If you typo an address, the receiving mail server should be able to reject it during the SMTP conversation. This should result in an NDR for you from the sending mail server.

Re:

[jchawk (127686)]

If you send to an address at one of my corporate domains that is incorrect you're not getting an NDR.

Your email will go into a catchall mailbox and it will be forwarded to the appropriate person. Yes this is tedious however 1 missed email could be a missed chances at *TONS* of business. Often times people won't email you again if they get an NDR back.

Re:

[cleverhandle (698917)]

And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

Which is why you run a real secondary MX that can either do recipient callout or use valid recipient lists in order to reject during SMTP. DynDNS is a che

to defy the laws of tradition

[chef_raekwon (411401)]

Should they have made efforts to have the standard changed instead of defying it?

maybe by defying it, the standards will now be reviewed, and eventually changed.

RFC

[networkzombie (921324)]

Setup the NDR delivery to cc the postmaster. That'll force him to block those emails during the session rather than letting them get through. Let's face it; if you're getting too many NDRs, you are accepting email from illegitimate sources that need to be blocked. It will stop the joe-jobs and allow the legitimate NDRs to continue. I'm gonna build my own RFC 2821, with hookers and blackjack.

The Problem Is Not NDR's

[jchawk (127686)]

It's email in general. The whole system is flawed and we've tried repeatedly to duct tape over the problem.

The main problem is a you have a system based on blind trust.

Second trust based duct-tape systems are simply too cumbersome for the average user.

I don't have the answer but I do know that email in it's present state is broken.

I have an answer

[Phroggy (441)]

Congress needs to earmark funding for the FBI to prosecute spammers under CAN-SPAM.

Yeah, whiners on Slashdot say CAN-SPAM is horrible, because it legalizes spam. What they forget is that CAN-SPAM only legalizes it under certain rules, which spammers are ignoring because there's no enforcement. According to this article from last year [techweb.com], only 0.27% of all junk mail actually complies with CAN-SPAM, which means the other 99.73% is clearly illegal. On top of that, the 0.27% is deliberately easy to filter out i

Re:

[greed (112493)]

Way to confuse envelope-from, header-from and reply-to.

Besides, my home-brewed Linux-based mail server has a published SPF record, and anyone receiving mail can verify that machine is entitled to generate envelope-from with that domain. The SPF also spells out my relay provider, since my DSL line is in DSL blocklists.

What it really needs, at the least, is for people to stop accepting bogus HELO/EHLO addresses and other unverifiable envelope information. If there isn't even an A record for the HELO ad

Standards and Implementation

[LithiumX (717017)]

Tried and true standards make the net go round, but the most effective enhancements or changes to standards usually don't come from a committee working out best practices - it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

Going against standards can cause a bit of chaos as well, which is why it's good to avoid deviation - but sometimes a deviation makes sense, and you do it. Publicly announcing this (non-critical) deviation, and explaining exactly why, is the proper way to go about it.

Re:

[OldeTimeGeek (725417)]

it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

The process of modifying standards is a bit more complex [rfc-editor.org] than that, but there is a process for change. You just have to become part of it rather than just picking and choosing which standards annoy you the least and then hoping that someone else will fix the ones that don't work the way you think they should.

Re:

[_anomaly_ (127254)]

Publicly announcing this (non-critical) deviation, and explaining exactly why, is the proper way to go about it.

I tend to differ...
What they're doing is making a change to a service that they provide so that their problem is resolved (which they have a right to do IMO).
It's kind of a move towards an 'ignorance-is-bliss' policy rather than fixing a problem for their customers... after all, if they aren't aware of a spam problem that their customers are experiencing then there isn't a spam problem.
I'm a f

Turn off original message in the bounce???

[by Anonymous Coward]

Did I miss something or wouldn't the problem be solved by turning off the content of the original message in the bounce? If you can't see the original content, it removes the incentive for spammers to use that technique.

This is how it goes on all our mail servers. All bounced messages have the original content stripped off. You get the error message with the reason the message bounced and that's it.

NDR are still usefull. There is PLENTY of mail servers not configured properly or messed up on the Net, even from big ISPs. Calling the current system as a whole, reliable, is a joke.

Long deprecated in practice

[athloi (1075845)]

I knew some ISPs started doing this in the late 1990s after broken mailing lists sending spam from forged addresses generated floods of NDRs in response, smashing the original forged recipient (often some unbelievable sound address like "someone@everywhere.org"). Original NDRs quoted the whole bounced email, but first that changed, then many went to one-liners, and finally, they started disappearing.

not all sending servers can generate NDR

[C0vardeAn0nim0 (232451)]

ideally the server sending the message should generate the NDR, this way network traffic would be reduced and delivery of NDRs quicker. for this to work is neccessary that the receiving server runs a directory search for the recipient and replies with a 5xx message (permanent error) after the sending server issues a "RCPT" command.

sendmail and postfix both do this. don't know about MS exchange or courrier. a default qmail install (without patches) certainly don't. i believe there's a patch to implement this

Are DynDNS cluebies?

[jani (4530)]

With this reliabity levels of modern e-mail systems being substantially higher than its past predecessors, the practical needs for this NDR messages are nil. These practical, anti-spam, merits far outweigh the prevailing RFC 2822 technical requirements.

Excuse me, but due to the vast amount of spam handling, modern e-mail systems are substantially less reliable than they used to be.

If you redirect email for your domain name to Hotmail, chances are good that it will disappear without a trace. (No NDR, not in the spam box either.)

Someone else already mentioned the problem of people typoing email addresses. This is a common problem.

Email can be bounced for other reasons, too, such as a full mailbox, or that there is a relaying mail server (yes, DynDNS, they still exist, and in abundance!) which gives up on delivery after a week of timeouts for the destination host.

And so on.

Someone at DynDNS needs a good whack with the clue bat.

Problem is legitimate, solution is not

[EdwinFreed (1084059)]

They absolutely do have a legitimate problem, one that needs to be addressed by appropriate standardization and implementation activities. But unconditionally failing to generate DSNs is not the answer. What they need is a mechanism that eliminates most of the cases where they currently have to generate DSNs.

First, by their own admission this is only a serious problem for what they call their MailHop Backup MX service. Their other services, MailHop relay and forward are "mostly immune" to DSN issues.

T

NDR's are not evil

[by Anonymous Coward]

Throwing out the baby with the bath water comes to mind when I read this...

The problem is not with NDRs. The problem is that their servers *accepted* the message that eventually had to be NDR'd in the first place, then after accepting responsibility, decided they didn't want that responsibility, so discarded mail that they promised they would deliver.

If their servers checked validity of local recipients, scanned and filtered the message, etc BEFORE accepting it (via 2xx series SMTP accept response), and instead properly REJECTED it with a 5xx series response, these messages would never be bounced. The NDR mechanism is not at fault - rather, the fact that they can't properly configure their servers to reject the message up front is at fault. If you properly REJECT the messages at the SMTP level instead of accepting the message for delivery, the only thing left to NDR are perfectly valid cases, such as mailbox over quota, etc.

Once you *accept* responsibility to deliver a message (via a 2xx series SMTP response), you MUST deliver it somewhere, else you have shirked your responsibility - either deliver it to it's destination, or bounce it. To do anything else would be to LOSE mail, which is the ultimate sin of any mail server. The key is not to throw out bounce messages, but to minimize or eliminate unnecessary bounces in the first place by rejecting instead.

Note that by properly REJECTING the message, you also effectively defeat most spam bots, since they can't "bounce" the mail that you reject to the "real" local sender.

I always hate it when providers like this take the short cut of *losing* mail intentionally rather than fixing their broken systems to work right.

One caveat to my comments - unfortunately, some mail software is symply not geared toward todays Internet, such that it can do the scanning and filtering of messages realtime fast enough to prevent a sending server from timing out while it's doing this scanning, so they queue the mail to process it for spam, etc later. Using such software is the first mistake most places make, and is the real reason why there are so many NDR's in the first place.

Re:

[profplump (309017)]

Except DynDNS doesn't have local users, so they can't verify directly that messages will be delivered.

A similar problem occurs when you submit outbound mail to your ISP -- unless it's going to someone else at the same ISP, the local SMTP server can't verify that delivery will succeed. At the ISP level it's still probably reasonable to generate bounce message, at least for local users. That way you don't have to do the final delivery right away, users can still get error messages, and you don't risk sending