DynDNS Drops Non-Delivery Reports

jetkins writes "In an email to subscribers, DynDNS announced that they will no longer deliver locally generated non-delivery reports (NDRs) from any MailHop systems. MailHop is a multi-faceted service offering in- and outbound relay services, spam and virus filtering, and store-and-forward buffering. DynDNS makes it clear that they are aware that this goes against RFC 2821 Section 3.7, but explains that in their opinion the increase in spam volume, and the use of NDRs as a spam vector, means that the value of NDRs is now far outweighed by their potential for harm. (DynDNS also points to the far greater reliability of email systems now than when the RFC was approved.) The company notes that other ISPs have quietly dropped RFC 2821-compliant NDRs. Will their public move start a flood (mutiny) of ISPs following suit? Should they have made efforts to have the standard changed instead of defying it?"

Change or Defy

[Astrogen]

While I do believe they should initiate an effort to update the standard, if they view it as a security threat or a spam vector they are entirely right in shutting down the service.

If a RFC said all boxes should have a port that users could telnet into with root access, and people start abusing that would you leave it and wait for the standard to change?

SPF?

[Southpaw018]

If SPF were more widely implemented, or required to be implemented, wouldn't this problem be solved? Don't send NDRs to domains without SPFs or when SPF fails. NDRs get through and problem solved.

And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

Re:What I'd like to see...

[AuMatar]

And kill mailing lists. Not all mass mails are spam.

to defy the laws of tradition

[chef_raekwon]

Should they have made efforts to have the standard changed instead of defying it?

maybe by defying it, the standards will now be reviewed, and eventually changed.

The Problem Is Not NDR's

[jchawk]

It's email in general. The whole system is flawed and we've tried repeatedly to duct tape over the problem.

The main problem is a you have a system based on blind trust.

Second trust based duct-tape systems are simply too cumbersome for the average user.

I don't have the answer but I do know that email in it's present state is broken.

Standards and Implementation

[LithiumX]

Tried and true standards make the net go round, but the most effective enhancements or changes to standards usually don't come from a committee working out best practices - it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

Going against standards can cause a bit of chaos as well, which is why it's good to avoid deviation - but sometimes a deviation makes sense, and you do it. Publicly announcing this (non-critical) deviation, and explaining exactly why, is the proper way to go about it.

Re:RFC-Ignorant.org

[Anonymous Coward]

What's needed is for servers to start determining immediately whether they can deliver the mail or not and respond to the sender with an appropriate error code if not, instead of sitting on it for a few hours and then creating a bounce message. This can even work over multiple hops if the sending server isn't an open relay, the destination server replies to your ISP's mailserver with "550 Cant send shit captain!", and leave it up to your ISP to decide to retry, generate a bounce to you (which it should have no problem doing, after all, everyone sending email through its server has an account at the ISP, right?), or just drop the matter in the bit bucket.

Once that initial connection is gone though, the receiving mailserver should not assume that it has any way to talk to the sender again.

Re:RFC-Ignorant.org

[Jeff DeMaagd]

I don't see the point in dogmatically upholding a rule for its own sake. If a rule doesn't always make sense, then change it. An RFC for RFC's sake doesn't do us any good unless the principles in it are still a good idea. Having said that, I think RFCs in general a bit baffling, harder to comprehend then legislation.

Re:What I'd like to see...

[Chyeld]

as well as providing a fairly simple manner of performing DOS against a domain, simply spoof your way into seeming to be their mail server and slam in the garbage.

Re:RFC-Ignorant.org

[plague3106]

That's a great way to determine VALID accounts to spam.

Re:Standards and Implementation

[OldeTimeGeek]

it comes from individuals making hard choices on what to support. If those changes turn out to be beneficial, then they become adopted as new standards.

The process of modifying standards is a bit more complex [rfc-editor.org] than that, but there is a process for change. You just have to become part of it rather than just picking and choosing which standards annoy you the least and then hoping that someone else will fix the ones that don't work the way you think they should.

Are DynDNS cluebies?

[jani]

With this reliabity levels of modern e-mail systems being substantially higher than its past predecessors, the practical needs for this NDR messages are nil. These practical, anti-spam, merits far outweigh the prevailing RFC 2822 technical requirements.

Excuse me, but due to the vast amount of spam handling, modern e-mail systems are substantially less reliable than they used to be.

If you redirect email for your domain name to Hotmail, chances are good that it will disappear without a trace. (No NDR, not in the spam box either.)

Someone else already mentioned the problem of people typoing email addresses. This is a common problem.

Email can be bounced for other reasons, too, such as a full mailbox, or that there is a relaying mail server (yes, DynDNS, they still exist, and in abundance!) which gives up on delivery after a week of timeouts for the destination host.

And so on.

Someone at DynDNS needs a good whack with the clue bat.

NDR's are not evil

[Anonymous Coward]

Throwing out the baby with the bath water comes to mind when I read this...

The problem is not with NDRs. The problem is that their servers *accepted* the message that eventually had to be NDR'd in the first place, then after accepting responsibility, decided they didn't want that responsibility, so discarded mail that they promised they would deliver.

If their servers checked validity of local recipients, scanned and filtered the message, etc BEFORE accepting it (via 2xx series SMTP accept response), and instead properly REJECTED it with a 5xx series response, these messages would never be bounced. The NDR mechanism is not at fault - rather, the fact that they can't properly configure their servers to reject the message up front is at fault. If you properly REJECT the messages at the SMTP level instead of accepting the message for delivery, the only thing left to NDR are perfectly valid cases, such as mailbox over quota, etc.

Once you *accept* responsibility to deliver a message (via a 2xx series SMTP response), you MUST deliver it somewhere, else you have shirked your responsibility - either deliver it to it's destination, or bounce it. To do anything else would be to LOSE mail, which is the ultimate sin of any mail server. The key is not to throw out bounce messages, but to minimize or eliminate unnecessary bounces in the first place by rejecting instead.

Note that by properly REJECTING the message, you also effectively defeat most spam bots, since they can't "bounce" the mail that you reject to the "real" local sender.

I always hate it when providers like this take the short cut of *losing* mail intentionally rather than fixing their broken systems to work right.

One caveat to my comments - unfortunately, some mail software is symply not geared toward todays Internet, such that it can do the scanning and filtering of messages realtime fast enough to prevent a sending server from timing out while it's doing this scanning, so they queue the mail to process it for spam, etc later. Using such software is the first mistake most places make, and is the real reason why there are so many NDR's in the first place.

Re:RFC-Ignorant.org

[gi-tux]

And this is exactly the case with DynDNS and their MailHop service. They will receive email for many folks that are behind and ISP that blocks all incoming traffic on port 25. Then they will relay it to the server on a different TCP port, such as 52525. So if I were a customer of DynDNS and someone sent me an email but misspelled my username (gitux instead of gi-tux), then a problem is going to happen. DynDNS accepts the email which was intended for me (but the wrong username). DynDNS then forwards the msssage to my correctly configured server, which tells them that this user does not exist. They drop the message and do not return and NDR. Now someone believes that I have received the email that was sent to me because they did not get an NDR. However I didn't see the message nor is there any indication to me that anyone tried to send me a message.

I see this as causing more people to be sending messages with delivery/read receipts so that they will know that the message was properly delivered and/or read. I am afraid that this will lead to an increase in traffic due to these receipts being requested more. But then I guess that servers will start dropping the receipts as well and then sending an email will be no more reliable than sending a snail mail. It is supposed to be a guaranteed system of delivery, but there is a huge dead letter barrel that gets way too many things.

Re:Finally, a service provider with a clue...

[bvimo]

Isn't it time we changed something. Amended or created a new RFC, or design mail servers that don't talk to poorly implemented servers.

/. commentators have spouted enough hot air about Joe Jobs, Non Delivery Receipts etc, we should stand up and do something.

Re:Problem is legitimate, solution is not

[Jubal Kessler]

With MailHop Backup MX they have no way to validate addresses

Not necessarily. Backup MX services could do address validation if they're given a userlist. Of course, this entails some security concerns (example: why trust a backup service with a userlist?), but that can be figured out satisfactorily (answer: use a backup service you can trust, and engineer a secure solution).

Further thoughts:

There is little reason to avoid address validation these days. As for the argument against address validation -- that spammers can determine valid addresses by seeing which ones don't fail, and that's a reason not to validate -- that's not much of an argument:

- Accept and discard, and spammers think all addresses are real.
- Accept and generate an NDR, and spammers never get it, because their sender address/domain is usually bogus.
- Reject unknown addresses, and reduce massive CPU overhead from spam/virus-scanning. Bonus!

Finally, implement some form of connection throttling based on address validation. Some connection's doing what appears to be a dictionary attack, trying a jillion usernames starting with the "a"s? Or even multiple connections doing it, subdividing the alphabet between themselves? Trip a threshold of, say too many connections or too many bad recipients per minute, and refuse further SMTP connections from the given IP address -- or even slip it into a packet-filter rule to blackhole -- for an interval of time, and the problem's solved.

Once spam makes it past the DNS blocklists, the connection throttling, etc. there's enough intelligence in the anti-spam middleware to accurately identify the ham from spam 99% of the time or better.

And of course there's DomainKeys Identified Mail (DKIM) which is now RFC 4871 and is excellent for this middle section of the anti-spam defense wherein one also has to determine whether a message is an elaborate phishing scam or the real deal. SpamAssassin can do a bit of this as well as SPF, etc., and there's a high-performance dkim-milter implementation on sourceforge, too.

SMTP isn't dead, just a tad more complex on the server level, and defenses are improving against the soft areas of the protocol. What I've suggested works pretty darn well as a starting point.

Re:RFC-Ignorant.org

[fimbulvetr]

That's a great way to determine VALID accounts to spam.

A lot of people bring up this point, but it's only ostensibly helpful anyway. The resources you save from not verifying an address are _quickly_ eaten up by the fact that you're queueing messages for invalid addresses on your domain at oftentimes insane rates. Pretty soon, your lame server is going to start to deliver these zillion+ NDRs and not only ruin the rest of your day for your users by stealing bandwidth and mail server resources, but also for many, many other people on the internet who need to delete the 80+ NDRs you sent them.

So USE that information.

[khasim]

Yes, the spammer can determine whether it has a valid account. But that means ...

#1. The spammer already HAS the account name and is checking to see if it still works. Defeat this by generously distributing SpamTrap accounts. And accepting email to them. And then opt'ing out of the email that they receive.

#2. The spammer is trying to guess a new name. Good luck with that. Sure, maybe SOMEWHERE there is an email account of "frank@example.com" but good luck finding it. If you want to have some FUN, watch your logs for examples of this. Then setup some of them as SpamTraps. And follow #1 above.

I use both of these approaches. It makes filtering spam VERY easy.

Re:NDR's are not evil

[profplump]

Except DynDNS doesn't have local users, so they can't verify directly that messages will be delivered.

A similar problem occurs when you submit outbound mail to your ISP -- unless it's going to someone else at the same ISP, the local SMTP server can't verify that delivery will succeed. At the ISP level it's still probably reasonable to generate bounce message, at least for local users. That way you don't have to do the final delivery right away, users can still get error messages, and you don't risk sending bounces across the Interwebs.

But it gets tricky for forwarding hosts like DynDNS. The only way to reject during the session would be something like:
A) Inbound connection sends message to forwarding server
B) Forwarding server leaves connection open after the DATA command
C) Forwarding server forms outgoing connections to every domain specified in the envelope addresses
D) Forwarding server attempts to deliver the message to all final recipients
E) Forwarding server rejects original connection from (A) if any deliveries in (D) fail

And even if you overcame the technical complications of such a system, it completely dis-allows the use of mail hosts that don't have 24/7 availability. Moreover it eliminates the ability to use secondary hosts, because even if they can validate addresses (which is not trivial) they can't guarantee things like available disk space on the destination server.

Rejecting messages in-session is certainly a good idea, but it's ridiculous to think that it's possible to eliminate bounce messages just by validating local addresses before accepting a message.

Re:RFC-Ignorant.org

[dondelelcaro]

That's a great way to determine VALID accounts to spam

If someone is going to pull off a dictionary attack against the SMTP server, then you just discard connections to them after a specific number of invalid users.

Almost all mainstream MUAs support this sort of thing now.

At the end of the day, if you actually accept the message for delivery and later reject it, you should do so silently.

Re:Finally, a service provider with a clue...

[morcego]

Isn't it time we changed something. Amended or created a new RFC, or design mail servers that don't talk to poorly implemented servers.

"If you think you can create a foolproof system, you are one of the fools" - No idea who I'm misquoting.

Re:What I'd like to see...

[adminstring]

Here's an example of how mailing lists can be useful: I'm into music and bicycles, and I get periodic emails from several online vendors of music and bike gear letting me know what specials they are having, and quite often I see something I like in these emails, so I click a link and go shopping. I opted in to these mailing lists, and they help me find deals I wouldn't otherwise be aware of.

I wouldn't probably think to check a forum for an announcement on a free-shipping sale or a closeout on last year's tires, but if it comes in an email, it gets my attention, and I appreciate that.

My ISP offers spam-filtering, but I have turned it off because too many of these mailing lists I like were getting caught in its trap. So I agree that mailing lists make spam filtering more difficult, but I personally see them as being worth the hassle.

Re:RFC-Ignorant.org

[TheRaven64]

What exploit are they trying to prevent?

The 'business customer buying a consumer account' exploit. This is more important to a lot of ISPs than a number of other exploits that have no impact on their bottom line.

Re:Change or Defy

[TheSolomon]

I agree, although refusing to deliver NDR emails is overkill. Sending abbreviated NDRs instead would work just as well, without denying the utility of valid NDRs.

By "abbreviated," I mean mail servers should look at incoming apparent NDRs, drop most of the message content, and provide summary information instead. So instead of getting a fake NDR with a SPAM payload, you'd get something like "Your message addressed to fakeaddress@someplace.com, with subject beginning 'First three words,' could not be delivered. [...]"

People will still (temporarily) get a number of bogus NDR messages, but once spammers see nothing but the first three words of the NDRs are getting through, they'll give up on using the technique. Any messages crafted to exploit the first three words of these summary/abbreviated NDRs would be fairly pathetic compared to normal SPAM, plus they would be easily captured by updated spam filters. (Subjects like "pr0z@c ch3@p www.cheap-prozac.com" would be a total give-away.) ;-)

Re:SPF?

[cleverhandle]

And what DynDNS is doing is simply preventing all people from using their service from knowing whether email is being delivered properly. If I typo an email address, I damn well better be getting an NDR from the recipient domain, because simply having it go into an email black hole and never knowing whether it got there is not an acceptable alternative.

Which is why you run a real secondary MX that can either do recipient callout or use valid recipient lists in order to reject during SMTP. DynDNS is a cheap hack for geek vanity domains - you're getting exactly what you pay for.

POTS

[banished]

Oh, great. Now I have to use POTS to make sure my e-mail was received and didn't go into a black hole. Either that, or request a read receipt on every e-mail. The only problem is I never respond to read receipts, so why should I expect anyone else to?

Re:Finally, a service provider with a clue...

[morcego]

My suggestion is not to try and create a "perfect" RFC, but to create one flexible enough where you can fix stuff as it appears. Specially something that is backward compatible with what we have today.

We already moved from SMTP to ESMTP. Maybe we can go a step further, with, I don't know, ASMTP or whatever you want to call it. Then impose extra controls on messages that arrive via SMTP or ESMTP.

In any case, there is absolutely nothing we can do about zombies, unless you want to implement some kind of "are you human" test for every single e-mail that is sent. And how could we do it between relays ?

I have an answer

[Phroggy]

Congress needs to earmark funding for the FBI to prosecute spammers under CAN-SPAM.

Yeah, whiners on Slashdot say CAN-SPAM is horrible, because it legalizes spam. What they forget is that CAN-SPAM only legalizes it under certain rules, which spammers are ignoring because there's no enforcement. According to this article from last year [techweb.com], only 0.27% of all junk mail actually complies with CAN-SPAM, which means the other 99.73% is clearly illegal. On top of that, the 0.27% is deliberately easy to filter out if you choose.

We don't need a new law to make spam illegal; CAN-SPAM already makes it illegal. We just need to start actually prosecuting people who break the law.

Yes, some spam comes from other countries where the FBI has no jurisdiction, but not as much as you might think [spamhaus.org], and I believe the FBI already has partnership agreements with agencies in several other countries to work together on fighting spam - they're just not doing enough of it.

Why won't this happen without an act of Congress? Because without a direct congressional mandate, the FBI has better things to do with its time and money. I don't blame them, really - raiding meth labs or catching serial killers is certainly important. But fighting spam is important too, and there's no reason the FBI couldn't do both.

So that's the answer. Spam is a social problem, more than it's a technical problem. We can try to fight it with technology, but spammers are fighting back, and they have the huge advantage of not being limited by morals or legality. We can't win with the odds stacked that high in their favor. The only way to win is to throw them all in jail.