
Google Mail Servers Enable Backscatter Spam

Posted by kdawson
from the ricochet-attack dept.
Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."
  • Translation (Score:5, Funny)

    by conner_bw (120497) on Tuesday April 08, 2008 @08:50PM (#23007408) Homepage Journal
    My mom was getting a ton of spam and she kept calling me day and night, saying her computer was broken. I tried to resolve the problem by contacting Google but they ignored me. The only option left was to badmouth them on the front page of Slashdot so the bad PR would force them to fix her problem. MOM, YOU CAN STOP CALLING ME NOW OK!!!

  • by aleph42 (1082389) * on Tuesday April 08, 2008 @08:54PM (#23007432)
    *goes change his gmail password*

    Seriously though, there's something else that bothers me about gmail (not the only one to do it): that apparently anyone can get your contact list if they have your address.

    Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.
    • by Anonymous Coward on Tuesday April 08, 2008 @08:57PM (#23007454)
      Did you have an active session with gmail going at the time? As in, you didn't click "log out"?
      • Mod Parent Up (Score:3, Informative)

        by Anonymous Coward
        This is *exactly* why I do my email separate from all other browsing. It's not even unique to Google, they're just the biggest target.

        If you want to use email securely:
        * Use 'clear private data' to wipe everything out.
        * Visit your webmail site (copy any links you want to visit to a text file for later).
        * Read/send email.
        * Log out.
        * Use 'clear private data' again.

        Anything less risks having information stolen.
        • Re:Mod Parent Up (Score:5, Informative)

          by techno-vampire (666512) on Tuesday April 08, 2008 @10:00PM (#23007868) Homepage
          If you want to use email securely:


          Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

          • Re: (Score:3, Interesting)

            by geminidomino (614729) *
            Except POP3 is generally transmitted in the clear unless configured otherwise.

            Not particularly secure, that...
            • Re: (Score:3, Interesting)

              by gnuman99 (746007)
              SMTP protocol, you know, email, is transmitted in clear text. So why does it matter if POP3 would be transmitted clear or not? The password doesn't need to be transmitted in clear text, just a hash.

              You want secure email you GPG to encrypt it.
            • Re: (Score:3, Informative)

              So what? We're not talking about keeping your email secure, we're talking about keeping websites from reading your contact list or address book. If you're using POP3 for your email, there's nothing whatsoever in your browser's history, cookies, passwords or other hiding places for those snooping sites to find, and that's what we're talking about.
    • by conner_bw (120497) on Tuesday April 08, 2008 @09:01PM (#23007480) Homepage Journal
      No, this has never happened to me.

      Ever.

      What kind of "music" site were you on?

      The "russian" kind?
      • by aleph42 (1082389) * on Tuesday April 08, 2008 @10:54PM (#23008280)

        What kind of "music" site were you on?
        The "russian" kind?
        No. I think it was on http://imeem.com/ , or one of those websites with mp3s of indie bands (amiestreet?).

        And I'm absolutely positive I didn't give them my gmail password.
    • by dfay (75405) on Tuesday April 08, 2008 @09:34PM (#23007698)
      I had the same thing happen.

      LinkedIn asks me if I want to "connect" to certain people that I know for sure my only contact with them has been through mail on my gmail account. LinkedIn *can* mine your gmail account for you if you provide your account info to them, but I certainly never used that feature, so it was a bit alarming to see all of my gmail contacts showing up.

      Personally, I don't care if they are not the only ones to do it. They shouldn't be giving out our personal info. I did expect them to use my info to provide context-sensitive ads, but I did not expect them to share my info with other companies without my explicit permission.

      Not to mention, if you and I both saw it on sites that ostensibly have no relationship with google, it's possible that anyone that can hook to their Soap API can get your contact list.
    • by Anonymous Coward on Tuesday April 08, 2008 @10:47PM (#23008192)
      Strange things happen on the internet. The other day I was navigating on the internet and my wife was watching the screen, and when I was typing a url, a nasty porn site appeared as autocompleted. I swear I never visited the site. I'll show this google account problem to my wife, she might believe me now.

      • by stephanruby (542433) on Wednesday April 09, 2008 @02:28AM (#23009754)

        Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.
        It may have appeared on their page, but it wasn't coming from their site -- it was coming from google. Both the list of your contacts, and the request for permission to send, was coming from google. It does NOT [google.com] mean the actual music site knew the email addresses of your contacts.
        Here is an actual example of what I'm talking about. Log into http://www.google.com/calendar [google.com], stick this iframe in your web site, replace the left and right parenthesis with the right symbols, and see what happens.

        (iframe src="http://www.google.com/calendar/embed?title=Slashdot%20Calendar&height=250&wkst=2&bgcolor=%23FFFFFF&ctz=America%2FLos_Angeles" style=" border:solid 1px #777 " width="300" height="250" frameborder="0" scrolling="no")(/iframe)
        Assuming your calendar is marked private, having the private data from your calendar appearing within the iframe of your browser doesn't mean it's accessible by the web site hosting the iframe (nor does it mean it's accessible by the javascript outside that iframe either).
  • by micheas (231635) on Tuesday April 08, 2008 @08:55PM (#23007442) Homepage Journal
    They are getting tagged with the moniker "the new evil".

    I wonder how much of this has to do with the Microsoft to Google employee migration bringing the corporate culture with the people?
  • by Anonymous Coward on Tuesday April 08, 2008 @08:58PM (#23007456)
    forged from: abuse@[domain]
    to: bogus@[domain]
    You have issues.

    If they have back scatter, they get it. If they don't have back scatter, they don't.
    • by c6gunner (950153) on Tuesday April 08, 2008 @11:06PM (#23008388)

      forged from: abuse@[domain] to: bogus@[domain] You have issues. If they have back scatter, they get it. If they don't have back scatter, they don't.
      Hah.

      abuse@gmail.com has an auto-response. bogus@gmail.com has an auto-response.

      I'm sending the e-mail right now. I wish I could see the "abuse" account's inbox in a few hours....
    • Won't work unless you forge the *envelope-sender*.
  • Proper? (Score:5, Insightful)

    by EdIII (1114411) * on Tuesday April 08, 2008 @08:59PM (#23007460)

    The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction.


    Ummm, how about the only behavior.

    It never ceases to amaze me how some mail server administrators set up policies on their networks. If you are running a mail server you are THE POSTMASTER. If you don't know where it should go, or who it is supposed to be going to, how can you accept it?

    Refusing email and stopping the transaction when you do not control the domain, service the domain, or even know the mailbox user is about as obvious a policy as not relaying for domains outside of your control.

    If it is an honest mistake on the part of the sending server, acting as an agent for the user, then a simple message informing the sender that the account does not exist is a trivial matter.

    To do anything else just amazes me.
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Maybe they're concerned about bots using those responses as a means to harvest valid email addresses. If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.
      • Re:Proper? (Score:4, Informative)

        by schon (31600) on Tuesday April 08, 2008 @10:06PM (#23007904)

        If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.
        That's absurd logic.

        got a tip for you:

        spammers don't care if the addresses are valid or not

        What you describe is called a 'Rumpelstiltskin' attack - it's well known, and nobody has ever suggested that the best way to counter it is to start spamming people with backscatter.
        • Re: (Score:3, Informative)

          by LilGuy (150110)
          Actually they do care. The verified e-mail lists are worth a LOT more than the unverified 5 million fluff lists. Especially with the advent of RBLs.
        • Re:Proper? (Score:4, Insightful)

          by nametaken (610866) on Wednesday April 09, 2008 @02:44AM (#23009814)

          Actually both are crap.

          Unfortunately there are no good ways to handle it, that I know of. They all allow for harvesting or backscatter. The only way to avoid both would be to accept everything and never respond. But then every blackholed email is potentially a genuine error for which there is no indication.
    • Re: (Score:2, Informative)

      by Artefacto (1207766)

      That would be the best thing to do, but it's not always trivial. In fact, sometimes it's impossible [slashdot.org].

      I've seen e-mail setups where after the mail is sent to the servers in MX records it goes through several MTAs until it's finally delivered. In order to be possible to reject the e-mail at SMTP time, you'd have to do some kind of synchronization between the MTAs so that the MX server could know whether the addresses exist. Plus, the same domain could read users from several databases at the same time (e.g.

      • It doesn't even have to be a complex setup. One primary MX that knows the accounts, and one backup MX that accepts everything for its domains and relays it all to the primary.
    • Re: (Score:3, Insightful)

      This should be printed out in 72-point type and stapled to the forehead of any mail system administrator who hasn't already made their operation do exactly this. There are no excuses: numerous techniques for accomplishing this, even in multiple-server, multiple-tier environments have been well known for a decade.

      Those who fail are likely to find themselves on numerous blacklists -- correctly listed as spammers.

  • In beta (Score:4, Insightful)

    by SkullOne (150150) on Tuesday April 08, 2008 @08:59PM (#23007466) Homepage
    Didn't anyone notice that Gmail is still in beta?

    FWIW, I use Google Apps to host my e-mail, and I have found Google to have horrible support.
    Instead of fixing the problem, they'll just point you to a loosely moderated Google Groups newsgroup for Google apps, and you'll rarely receive a response, let alone a workable fix for an issue.

    Do no evil? Or do nothing at all?

    • Not Gmail. (Score:4, Interesting)

      by SanityInAnarchy (655584) <ninja@slaphack.com> on Wednesday April 09, 2008 @12:47AM (#23009122) Journal

      I tested this on Google Apps for my (company's) domain.

      Turns out that yes, they will drop it on the floor if you give them an invalid address. It's probably not gmail.com, and definitely not yourdomain.com -- but rather, blogger.com and googlegroups.com -- which seem to be accepting mail and bouncing, rather than rejecting via SMTP.

      A quick demonstration:

      david@biostar:~$ host -t MX scribestorm.com
      scribestorm.com mail is handled by 0 ASPMX.L.GOOGLE.com.
      david@biostar:~$ nc -vv aspmx.l.google.com 25
      DNS fwd/rev mismatch: aspmx.l.google.com != qb-in-f27.google.com
      aspmx.l.google.com [72.14.205.27] 25 (smtp) open
      220 mx.google.com ESMTP z21si10855881qbc.21
      helo slashdot.org
      250 mx.google.com at your service
      mail from: anonymous_coward@slashdot.org
      555 5.5.2 Syntax error. z21si10855881qbc.21
      mail from: <anonymous_coward@slashdot.org>
      250 2.1.0 OK
      rcpt to: <bogus@scribestorm.com>
      550-5.1.1 This Gmail user does not exist. Please try double-checking
      550-5.1.1 the recipient's email address for typos or unnecessary spaces.
      550-5.1.1 Learn more at
      550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 z21si10855881qbc.21
      rcpt to: <david.masover@scribestorm.com>
      250 2.1.5 OK
      quit
      221 2.0.0 mx.google.com closing connection z21si10855881qbc.21
      sent 181, rcvd 518
      david@biostar:~$

      As you can see, it not only dropped my message on the floor, it also demanded brackets around the address -- something Postfix and Exim do for me, and I think even Qmail tolerated addresses without brackets.

      I imagine it works pretty much the same way for gmail.com, so if you're going to take advantage of the bouncing to have Google DoS Google, keep that in mind. Send mail from bogus_01234@blogger.com to alsobogus_56789@googlegroups.com. (I think adding a GUID to it would be a nice touch, thus guaranteeing that it will never match an actual address.)

    • and? (Score:3, Interesting)

      by RMH101 (636144)
      Say my manufacturing plant is "in beta". Does that excuse it belching out toxic smoke and polluting the atmosphere? No. Gmail being in beta doesn't give them a licence to belch out spam, either.
  • by Schraegstrichpunkt (931443) on Tuesday April 08, 2008 @09:00PM (#23007472) Homepage
    Sending to example12345@googlegroups.com, I get this (my email address replaced with name@example.com):

    Hello name@example.com,

    We're writing to let you know that the group that you tried to contact (example12345) doesn't exist. There are a few possible reasons why this happened:

    * You might have spelled or formatted the group name incorrectly.
    * The owner of the group removed this group, so there's nobody there to contact.

    If you have questions about this or any other group, please visit the Google Groups Help Center at http://groups.google.com/support [google.com].

    Thanks, and we hope you'll continue to enjoy Google Groups.

    The Google Groups Team

    In other words, while this causes backscatter, this is not an avenue for "backscatter spam", since Google isn't delivering the contents of arbitrary messages to arbitrary users.

    It sounds like the submitter wants to blow this out of proportion by equating general backscatter (which nearly all mailing list managers on the Internet generate with their "confirmation" messages) with backscatter spam.

    • by ceejayoz (567949) <cj@ceejayoz.com> on Tuesday April 08, 2008 @09:13PM (#23007560) Homepage Journal
      *checks*

      Hey, look. It's a kdawson article!
    • by ikkonoishi (674762) on Tuesday April 08, 2008 @09:23PM (#23007618) Journal
      Just because some spam is advertising does not mean that all spam is advertising. The point here would be to fill someone's inbox with bogus messages.
    • by NMerriam (15122) <NMerriam@artboy.org> on Tuesday April 08, 2008 @09:33PM (#23007692) Homepage
      You're being either overly literal, or trying to create a distinction where there isn't much of one.

      No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

      This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

      What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.
      • The google fanboys are wrong on this one.
      • And no mail server in 2008, much less one run by a major tech company, should make that possible.

        Just because one isn't evil, doesn't mean one is competent or incapable of error.
      • What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google.

        Yes, but the contents of the message can't be controlled in any meaningful way, so as you said:

        No spammer is going to send a million messages with different forged addresses ...

        ... unless they can control the content of those messages.

        The distinction is obvious. If spammers can't control the contents of the bounces, the bounces won't get them paid.

        • Re: (Score:3, Insightful)

          by NMerriam (15122)
          The distinction is obvious. If spammers can't control the contents of the bounces, the bounces won't get them paid.

          Nobody is claiming spammers are getting paid for the backscatter. Backscatter is just collateral damage to the original spam. Spammers don't care because it doesn't cost them anything, but they aren't doing it on purpose. That's why it is the responsibility of the mail administrator to ensure that THEY don't involve third parties in their spam by generating completely new messages and sending
    • Re: (Score:3, Informative)

      There are a few important differences

      1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
      2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place
      3) yes, right now (1) isn't true for Google either, since they accept all mail, but that is indeed the problem right now, and there are stupid spammers out there who will blast thousands upon thousands of e-mails o
      • by eonlabs (921625)
        Can you tell me a mail service that doesn't announce to a sender when a letter failed to reach its intended destination?

        You're telling me that you would prefer thinking that you sent an e-mail to someone, and that they received it, even if you mistyped the address by one letter?

        I don't see what they're doing as wrong at all. They aren't bouncing the original message, so spam is not originating from google's domains. They're also announcing e-mails which failed to arrive at their intended destination.
        • Rejection during the initial SMTP conversation will still cause mail to go back to the sender saying that it wasn't received. It doesn't just disappear into the ether. This is how MOST e-mail servers on the face of the planet work.

          The server trying to deliver mail (server X) contacts the destination server (server Y). The destination server immediately says "nope, sorry, that user doesn't exist" so server X sends a mail back to the sender saying "Server Y said 'user not found in user lookup'" or somesuch
    • by erice (13380)
      Looks like a good method, if you ask me. I'm amazed that the OP thought that rejecting was a good idea while claiming that Google's method enabled dictionary attacks. Rejecting makes dictionary attacks much easier. No need to parse or even receive bounces. Validation is provided promptly in an easy to parse return code.
  • by shanen (462549) on Tuesday April 08, 2008 @09:01PM (#23007484) Homepage Journal
    Basically Gmail is losing value for all of us as it becomes spam
    soaked. Even their filtering is having troubles with false positives
    and false negatives--and the spam is just increasing. Therefore I
    think Google should act more aggressively to drive the spammers away
    from Gmail.

    My latest anti-spam idea is a SuperReport option. (Kind of like
    SpamCop, but not so lazy.) If you click on the SuperReport option,
    Gmail would explode the spam and try to analyze it for you to help go
    after the spammers more aggressively. Here is one approach to
    implementing it:

    The first pass analysis would be a low-cost quickie that would also
    act like a kind of CAPTCHA. This would just be an automated pass
    looking for obvious patterns like email addresses and URLs. The email
    would then be exploded and shown to the person making the report (=
    the targeted recipient of the spam AKA victim). The thoughtful
    responses for the second pass would guide the system in going after
    the spammers--making Gmail a *VERY* hostile environment for spammers
    to the point that they would stop spamming Gmail.

    For example, if the first pass analysis finds an email address in the
    header, the exploded options might be "Obvious fake, ignore",
    "Plausible fake used to improve delivery", "Apparently valid drop
    address for replies", "Possible Joe job", and "Other". (Of course
    there should be pop-up explanations for help, which would be easy if
    it's done as a radio button. Also, Google always needs to allow for
    "Other" because the spammers are so damn innovative. In the "Other"
    case, the second pass should call for an explanation of why it is
    "Other".)

    If the first pass analysis finds a URL, the exploded options should be
    things like "Drugs", "Stock scam", "Software piracy", "Loan scam",
    "419 scam", "Prostitution", "Fake merchandise", "Reputation theft",
    "Possible Joe job", and "Other". I think URLs should include a second
    radio button for "Registered Domain" (default), "Redirection",
    "Possible redirection", "Dynamic DNS routing", and "Other". (Or
    perhaps that would be another second-pass option?)

    If the first pass finds an email address in the body, the exploded
    options should include things like "Fake opt-out for address
    harvester", "419 reply path", "Joe job", and "Other".

    At the bottom of the expanded first pass analysis there should be some
    general options about the kind of spam and suggested countermeasures,
    and the submit SuperReport button. This would trigger the heavier
    second pass where Gmail's system would take these detailed results of
    the human analysis of the spam and use them to really go after the
    spammers in a more serious way. Some of the second pass stuff should
    come back to the person who received the spam for confirmation of the
    suggested countermeasures.

    Going beyond that? I think Gmail should also rate the spam reporters
    on their spam-fighting skills, and figure out how smart they are when
    they are analyzing the spam. I want to earn a "Spam Fighter First
    Class" merit badge!

    If you agree with these ideas--or have better ones, I suggest you try
    to call them to Google's attention. Google still seems to be an
    innovative and responsive company--and they claim they want to fight
    evil, too. More so if many people write to them? (I even think they
    recently implemented one of my suggestions to improve the Groups...
    However, it doesn't matter who gets credit--what matters is destroying
    the spammers.)
    • Re: (Score:3, Informative)

      by danpat (119101)
      Ever seen this list?

      http://craphound.com/spamsolutions.txt [craphound.com]

      Please tick the appropriate boxes....
      • Re: (Score:3, Insightful)

        by shanen (462549)
        Quite familiar with it, and it doesn't really apply to this suggestion, though I could shoehorn it into several categories. The form is broad enough that it will absorb anything, including your lunch. If you think it does apply without the big shoehorn, then please say why.

        That form was a funny joke the first few times it was used. Since then it has simply become a generic excuse for "No, we cannot."

        Actually, I don't think there is any way to truly address the spam problem without dealing with the TANSTAAF
        • Ignore the form at your peril. There is no FUSSP.
          • by shanen (462549)
            At no point did I suggest that my suggestion was a FUSSP. It is intended as a flexible and adaptive tool that would allow more people to do something constructive about reducing the amount of spam.

            The FUSSP is just another irrational argument for "No, we can't." The world is not perfect, and obviously there are no perfect solutions--but that doesn't mean we should just give up on good or even partial solutions.
    • Even their filtering is having troubles with false positives and false negatives--and the spam is just increasing.
      Got any evidence that this is true? Because my experience is the complete opposite. I get a couple of dozen spam messages a day and I haven't had a false positive or a false negative in well over a year.
      • by shanen (462549)
        I'm not too concerned about the false negatives in Gmail, though I see several of them per week. However, I am somewhat concerned with the false positives since they are hard to pick out of the spam. I can recall at least two cases of ham getting filed as spam by Gmail.

        Perhaps you don't get enough email? Even if the spam detection is 99.9% accurate, if you get 1,000 pieces of non-spam email, then one them will be tossed in the spam folder. Based on my data, I'd say that Gmail is probably higher than 99% but
        • Thinking about it further I have had false negatives in the last year - not more than 10, but not zero.

          I've been using gmail for just under 4 years and in that time I've received about 30,000 messages, 90% of which are from mailing lists. I've never had a false positive for me personally and I've only had a small number (<20) of false positives for mailing list emails (and none in the last year). Overall I think the detection is probably on the order of 99.5% accurate for me, but seems to have got bett

          • by shanen (462549)
            Actually that last topic you mentioned is a very interesting problem in itself, but I think it's too far from the current topic to really discuss more... However, just in case the /. editors are looking for ideas for new articles, think about the problem of a celebrity, politician, or public figure who will receive a large amount of non-spam email from unknown people...
    • Re: (Score:3, Funny)

      by calebt3 (1098475)
      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (*) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the mone
    • I'd love to see how my users do with this...

      If they're invited to a meeting by their manager and they don't want to deal with it, what do they do? Mark it as spam.
      They don't delete it, they don't move it, they don't decline it or accept it... they reported it as spam.

      Seriously guys, WTF?
  • 250 Accepted (Score:5, Interesting)

    by Anonymous Coward on Tuesday April 08, 2008 @09:08PM (#23007518)

    Yes, mail to an unknown recipient should be rejected with a 550 code during the initial SMTP dialogue. But not only that - lots of people believe that *any* message you don't intend to deliver should be rejected during the SMTP dialogue. The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.

    I hate to toot my own horn here, but I wrote tarmail [ablative.org] with this express purpose in mind (among others). GPLed and everything. Messages that you won't accept get rejected during the SMTP dialogue.

    If you don't like my MTA, then please feel free to mod this down so that others won't be needlessly bothered. But I really do believe that Tarmail is the right answer to this specific problem. Thank you for your time.

    • Re: (Score:2, Insightful)

      by fortunato (106228)
      I'm not trying to belittle your effort in any way but, after reading over your page I have to ask, what exactly does tarmail do that postfix, or any other SMTP server commonly used these days doesn't?
      • KISS. Have you read the Postfix manual? Have you tried to make Postfix work with SpamAssassin and ClamAV? Now put that next to the one pager of tarmail.
        • Re:250 Accepted (Score:5, Interesting)

          by fortunato (106228) on Tuesday April 08, 2008 @10:34PM (#23008066)
          Yes actually I have. Postfix is extremely easy to set up with SpamAssassin. It requires cutting and pasting two configuration lines if you can't understand the manual and can do a google search. I suppose you could make the pedantic argument that it's twice as hard as tarmail since tarmail requires one line.

          In fact setting up ClamAV and SpamAssassin alone is orders of magnitude more complex.

          I might argue that if you have a hard time understanding the postfix manual you have no business running a mail server.

          In any case, I wasn't trying to compare, just trying to understand why it was worth the effort of yet another SMTP server.
    • Re: (Score:3, Interesting)

      by flyingfsck (986395)
      Neat. It is a pity I wasn't aware of your project earlier. It seems that it will make a straight and simple mail filter to place in front of an existing crappy insecure mail system like Exchange.
    • So, Mr. Tarmail, would you care to answer the following question: Can I easily use tarmail in front of my existing postfix/amavis/clamav/f-prot rig? I don't mind processing mail twice (or more, really) -- I've got plenty of CPU to spare. If your MTA is really as slick as you say, I would like to make a somewhat easy transition away from my current, complicated arrangement and onto yours.

      (I'd research this myself, but I'm on my own time right now and would rather be looking into a strange issue with my car's p
    • Re:250 Accepted (Score:5, Interesting)

      by prockcore (543967) on Tuesday April 08, 2008 @09:53PM (#23007810)

      The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.


      Since SMTP is defective by design, this is an acceptable response. Doing anything else allows spammers to confirm valid accounts using dictionary attacks.
    • by gweihir (88907)
      I do silent drops for relay requests. I believe that is the right way to deal with them, but not with other messages.

      The problem with the initial reject is that it creates the same problem, once removed, when done over an open relay. This way gmail keeps some control. I would be interested to see whether they are actually answering all messages or have some limiting in place. It is also quite possible that they never thought of this issue and their architecture does not allow initial reject at the moment. P
  • There is a good chance that in the future we will look back at this as the point at which the groupthink regarding Google as evil or not, flipped polarity.

    There has been an increase in the level of geek angst about Google (check out the Google App Engine post). I predict its only going to get worse and that by the end of the year most Google stories will be tagged "theNewMicrosoft" or as someone else suggested "theNewEvil". Of course, the fact that a bunch of geeks are no longer enamoured of Google will not
  • by Greg_D (138979) on Tuesday April 08, 2008 @09:22PM (#23007606)
    Google is one of the biggest culprits in the utter destruction of the highest traffic Usenet discussion newsgroups. The volume of spam that comes from those servers is ridiculous, not to mention all the former AOL idiots that were the scourge of the groups.
    • by 1u3hr (530656)
      Google is one of the biggest culprits in the utter destruction of the highest traffic Usenet discussion newsgroups. The volume of spam that comes from those servers is ridiculous, not to mention all the former AOL idiots that were the scourge of the groups.

      And almost as bad, if you use Google Groups to read and post, you see a great swamp of spam -- much of it FROM Google Groups accounts - (EG, take a look at comp.programming [google.com]) over recent weeks. Many ISPs no longer provide NNTP servers, Google Groups is

    • by STrinity (723872)
      And on top of that, their Usenet archive has been getting worse and worse ever since they acquired it from DejaNews. Trying to find old messages is a PITA.
  • Or at least, it's correctly refusing to accept mail for accounts that don't exist at my domain. (We're using Gmail for corporate email.)

    So it's googlegroups.com and blogger.com, but not Gmail? Interesting.
  • I don't think most spammers are trying to validate addresses. They find some open relay, and then unleash millions of addresses on it. If you don't believe me, create a generic mailbox somewhere. bill@somedomain.com, and see how long it takes to get spam. Especially if there is another mailbox on that domain that is already receiving spam.

    Now, I do believe hackers would want to get valid addresses, to get valid login information, or get bank login information, etc.

    Spammers are about bulk. They play the
  • This sort of behaviour is nothing new. qmail accepts all mail immediately and then if it bounces, generates its own bounce message and sends it back to the envelope sender. Relays, by necessity, do the same thing too. OK, so it would be nice if Google could reject the messages right away, but accusing them of being evil because of this is a huge stretch.
  • by gweihir (88907) on Tuesday April 08, 2008 @10:11PM (#23007930)
    There are three possibilities for email to non-existent addresses: Silent drop, initial bounce and delayed notification. All have problems.

    If the sender address is legitimate, but a relay is in the transmission chain, you have only bad choices: Silent drop may cause problems for legitimate emails. Initial bounce causes the observed problem, once removed and with real-time characteristics. The observed delayed notification behavior at least has the advantage that you can control the rate these messages are outgoing. A good strategy would be to initially send one of these and then accumulate these per sender messages over, say 24h and send only one further notification per day. Incidentally, this strategy is something known to most people that ever implemented automatic notification emails on system failures...

    I think there is just no good way to deal with this issue, as long as open, badly configured relays are around. It is also quite possible that the gmail designers never anticipated this and are not readily able to respond in an adequate fashion (see the 24h accumulation, e.g.). That would possibly indicate a lack of competent security people involved in the design process. As these people are scarce everywhere, Google will also likely not have enough of them.

    On my own mailservers (small), I use silent drop for relay requests (which is definitely a good idea) and "drop into spambox" for unknown destinations. I look over these occasionally, and I have found legitimate email in there.

    I do agree that initial bounce sounds like the right strategy, but unfortunately it does have serious problems.
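Added example (not code from any poster on this thread, and not how gmail or any named MTA does it): the "send one notification now, then accumulate per sender and send at most one digest per window" strategy gweihir describes above, written out as a small throttle. The 24h window, the sender and recipient names, and the 1000-probe burst are all constructed assumptions; the point is that a forged sender receives one DSN instead of one per dictionary-attack probe.

```python
from collections import defaultdict

WINDOW = 24 * 3600   # seconds; the "say 24h" from the post (assumption)


class BounceThrottle:
    """Decide whether to emit a non-delivery notification now or accumulate it.

    Policy: the first undeliverable message from a given envelope sender gets
    a notification immediately; further failures from that sender inside the
    window are collected and reported as one digest once the window expires.
    """

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_sent = {}                  # sender -> time of last notification
        self.pending = defaultdict(list)     # sender -> failed recipients not yet reported

    def undeliverable(self, sender, recipient, now):
        """Return a DSN dict to send now, or None if the failure was accumulated."""
        if not sender:
            return None                      # null sender: never bounce a bounce
        last = self.last_sent.get(sender)
        if last is None or now - last >= self.window:
            digest = self.pending.pop(sender, [])
            self.last_sent[sender] = now
            return {"to": sender, "failed": digest + [recipient]}
        self.pending[sender].append(recipient)
        return None

    def flush(self, now):
        """Emit digests for senders whose window has expired; call periodically."""
        out = []
        for sender in list(self.pending):
            if self.pending[sender] and now - self.last_sent.get(sender, 0) >= self.window:
                out.append({"to": sender, "failed": self.pending.pop(sender)})
                self.last_sent[sender] = now
        return out


def simulate(throttle, sender, n, start=0, spacing=1):
    """Constructed burst: n probes to nonexistent users, one per `spacing` seconds,
    all with the same forged envelope sender. Returns the DSNs sent immediately."""
    sent = []
    for i in range(n):
        dsn = throttle.undeliverable(sender, "user%04d@example.net" % i, start + i * spacing)
        if dsn:
            sent.append(dsn)
    return sent


if __name__ == "__main__":
    t = BounceThrottle()
    print("sent immediately:", simulate(t, "victim@example.org", 1000))
    print("digests after 24h:", [(d["to"], len(d["failed"])) for d in t.flush(WINDOW)])
```

Whether a digest of 999 failed addresses is itself useful to the forged sender is a separate question; the throttle only bounds the volume, which is what the post is asking for.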

  • I don't get this article, I really don't. When mail arrives for a domain, and the main mail server for the domain is unreachable, it is supposed to be sent to the lower-priority MX hosts for that domain. They are required to accept it, and forward it to the primary MX for the domain once it becomes available. That's how MX records are supposed to work.

    Let me repeat that: they are required to unconditionally accept mail for the domain. So, unless I am missing something here, every single secondary mail h
    • Re: (Score:3, Informative)

      by schon (31600)

      Let me repeat that: they are required to unconditionally accept mail for the domain.

      Bull. Fucking. Shit.

      Please show me the RFC that states you must accept email for addresses that you know are invalid.

      There is *NO* such rule. If your backup MX blindly accepts mail for every address, then it is broken. Backup (actually *any*) MX should only accept mail that it knows (or has good reason to assume) it can deliver.

      If I'm wrong, or I've missed something, please by all means correct me.

      Please consider yourself corrected.

      Since when is it considered bad form to send a NDR?

      Mu. It's bad form to send an NDR when you shouldn't have accepted the mail in the first place - which is the problem here.

  • by IonOtter (629215) on Tuesday April 08, 2008 @11:31PM (#23008568) Homepage
    Why doesn't Google go with the Blue Frog/Security Method [wikipedia.org]?

    It was the ONLY thing that worked. In fact, it worked so well that the spammers had to declare open warfare against them.

    Hah! Let's see them try THAT with Google. Oh, and seeing all of Google's Gmail customers becoming virtual BlueFrogs by default would be pretty cool, too!

  • by arcade (16638) on Wednesday April 09, 2008 @03:01AM (#23009920) Homepage
    This behaviour isn't WRONG wrong, but it's not very good practice any more.

    There are some problems here.. First of all, what if the server in question doesn't know what users are 'good' or not? Say, if it's a backup MTA? The non-primary MX? Which are receiving mail due to the primary being down?

    Quite common for them not to know about all the email accounts.

    Now, problems with backscatter has been there for a while. It's certainly not nice, but there are only so many things one can do. If you read the original RFCs, Google's behaviour is entirely acceptable. Unfortunately the original RFCs for SMTP were written way before spam became a problem...

    Other MTAs are "just as bad". Look at qmail for example. This is default behaviour in qmail. It'll accept any email without confirming whether the recipient exists or not (to prevent in-line data-mining of what accounts are there and what accounts aren't there). If the email is to a bogus recipient address, qmail will generate a bounce.

    This bounce will go to the From: address.

    And that's QMAIL - which is considered a secure mta.

    Then you have the same problem, as I've mentioned, occurring when you've got a secondary MX which doesn't have a list of users. The choices for the MTA are to either create a bounce and inform the sender that the recipient doesn't exist - or you might silently discard the message. Neither are good options.

    SMTP is kind of broken. Don't blame google for it. Different people consider different things best practices. I don't agree with googles practice in this particular case, while others would claim it's the only proper behaviour.
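Added example, not code from any poster above and not the behaviour of qmail, Postfix, tarmail or Google's servers: a server-side SMTP state machine that can be run in the two modes this sub-thread argues about (the "250 Accepted" post, the qmail comment and arcade's post). With `reject_unknown=True` an unknown mailbox gets `550` at `RCPT TO`, inside the transaction, and no DSN is ever created; with `reject_unknown=False` the server says `250` to everything and later bounces to whatever `MAIL FROM` claimed, which is the backscatter. The mailbox list, domain names and the forged session are constructed for the example.

```python
import re

# Constructed mailbox list for the receiving domain (assumption; a real MTA
# would consult a local user table or LDAP).
VALID_RECIPIENTS = {"alice@example.net", "bob@example.net"}


class SmtpReceiver:
    """Server side of a minimal SMTP dialogue (EHLO/MAIL/RCPT/DATA/QUIT).

    reject_unknown=True  answers 550 at RCPT TO for unknown mailboxes, i.e.
                         recipient validation inside the SMTP transaction.
    reject_unknown=False answers 250 to every RCPT TO and generates a bounce
                         to the envelope sender afterwards (accept-then-bounce).
    """

    def __init__(self, valid, reject_unknown=True):
        self.valid = {v.lower() for v in valid}
        self.reject_unknown = reject_unknown
        self.bounces = []        # (envelope sender, failed recipient) DSNs emitted
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpts = []
        self.in_data = False

    def handle(self, line):
        """Return the server reply to one client line (None for body lines)."""
        if self.in_data:
            return self._end_of_data() if line == "." else None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            return "250 mx.example.net"
        if cmd == "MAIL":
            m = re.match(r"FROM:<([^>]*)>", arg, re.I)
            if not m:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self._reset()
            self.mail_from = m.group(1)      # "" is the null sender (a bounce)
            return "250 2.1.0 Ok"
        if cmd == "RCPT":
            m = re.match(r"TO:<([^>]+)>", arg, re.I)
            if self.mail_from is None or not m:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = m.group(1).lower()
            if rcpt not in self.valid and self.reject_unknown:
                # Refuse before taking responsibility for the message: no DSN
                # is generated, so a forged MAIL FROM receives nothing.
                return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if cmd == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _end_of_data(self):
        self.in_data = False
        for rcpt in self.rcpts:
            if rcpt not in self.valid and self.mail_from:
                # Accept-then-bounce: the DSN goes to whatever MAIL FROM claimed,
                # and the spammer chose that address. This is the backscatter.
                self.bounces.append((self.mail_from, rcpt))
        self._reset()
        return "250 2.0.0 Ok: queued"


def run_session(receiver, client_lines):
    """Feed client lines to the receiver; return (client line, reply) pairs."""
    transcript = []
    for line in client_lines:
        reply = receiver.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


# Constructed dictionary-attack probe with a forged envelope sender.
FORGED_SESSION = [
    "EHLO spammer.invalid",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<nosuchuser@example.net>",
    "RCPT TO:<alice@example.net>",
    "DATA",
    "Subject: buy now",
    "",
    "spam body",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in (True, False):
        rx = SmtpReceiver(VALID_RECIPIENTS, reject_unknown=mode)
        for client, server in run_session(rx, FORGED_SESSION):
            print("C: %-40s S: %s" % (client, server))
        print("bounces generated:", rx.bounces)
```

The trade-off prockcore raises is visible in the same code: in reject mode the `550` tells the probing client which addresses exist, so sites that choose it usually pair it with per-client rate limiting on rejected `RCPT TO` commands. The backup-MX case arcade describes is the situation where `self.valid` is simply not available to the server, which is why secondary MXes should be fed the primary's recipient list rather than accept blindly.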

  • Collateral spam (Score:3, Insightful)

    by soccerisgod (585710) on Wednesday April 09, 2008 @03:16AM (#23010004)

    Is what I know this as. I used to get so much spam it drove me crazy. I set up filter rule after rule, used RBLs and everything but it only helped partially. I could still live with it. But eventually, I was hit by huge waves of collateral spam and eventually got more of that than the real thing*, and that was when I decided email was either going to be entirely useless to me or I had to do something very drastic.

    I opted for something drastic. I still have a large number of filter rules, but in addition to that, I use a whitelist instead of a blacklist to filter email, and everything not on my whitelist that survives the spam filter rules ends up in a bulk mail folder I check about once a week. Now if someone I don't know emails me, that stinks, and I constantly have to adjust my whitelist to allow for more addresses, but at least I barely see any spam - real or collateral - anymore. Without that I'd have given up on spam altogether.

    *) In the order of several 1000 a day

  • MFROM signing (Score:3, Insightful)

    by CustomDesigned (250089) on Wednesday April 09, 2008 @08:11AM (#23011248) Homepage Journal
    There is a simple solution to forged DSNs (bounces). Sign the MAIL FROM of your outgoing mail with something like SRS or BATV: SRS0=keTrY=UY==user@example.com All bounces (MAIL FROM is empty) must be directed to a signed localpart with a valid hash key. If not, the bounce is immediately rejected, with a snooty message if so desired.
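Added example of the MAIL FROM signing the post above describes, written for this page rather than taken from any SRS or BATV implementation. It uses the BATV-style `prvs=` layout (key number, three-digit expiry day, six hex digits of HMAC, then the original localpart) as I understand that draft; the secret key, the seven-day validity and the addresses are constructed assumptions. Outgoing mail gets its envelope sender rewritten; an incoming message with an empty MAIL FROM is accepted at RCPT TO only if the recipient carries a tag that verifies and has not expired, otherwise it is rejected with 550.

```python
import hmac
import hashlib
import re
from datetime import date

EPOCH = date(1970, 1, 1)
KEY = b"constructed-secret-key"   # assumption: per-site secret, rotate via KEY_NUM
KEY_NUM = "0"                     # single-digit key number carried in the tag
VALID_DAYS = 7                    # how long a signed MAIL FROM may still receive bounces

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$")


def _days(d):
    return (d - EPOCH).days


def _mac(key_num, expiry, local):
    """Six hex digits of HMAC over key number, expiry day and localpart."""
    msg = (key_num + "%03d" % expiry + local).encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:6]


def sign_mail_from(address, today):
    """Rewrite user@example.com -> prvs=KDDDHHHHHH=user@example.com for outgoing mail."""
    local, domain = address.rsplit("@", 1)
    expiry = (_days(today) + VALID_DAYS) % 1000      # days since epoch, mod 1000
    return "prvs=%s%03d%s=%s@%s" % (KEY_NUM, expiry, _mac(KEY_NUM, expiry, local), local, domain)


def verify_bounce_rcpt(rcpt, today):
    """Check the recipient of a null-sender message.
    Returns (True, original address) or (False, reason)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "unsigned"          # we never sent mail with this MAIL FROM
    key_num, expiry, mac, local, domain = m.groups()
    expiry = int(expiry)
    if key_num != KEY_NUM:
        return False, "unknown key"
    if not hmac.compare_digest(mac, _mac(key_num, expiry, local)):
        return False, "bad signature"
    # modular comparison: a past expiry wraps to a large "remaining" value
    remaining = (expiry - _days(today)) % 1000
    if remaining > VALID_DAYS:
        return False, "expired"
    return True, local + "@" + domain


def rcpt_to_decision(mail_from, rcpt, today):
    """The rule from the post: bounces (empty MAIL FROM) must be addressed to a
    validly signed localpart, otherwise reject during the SMTP dialogue."""
    if mail_from == "":
        ok, info = verify_bounce_rcpt(rcpt, today)
        if not ok:
            return "550 5.7.1 Bounce to %s address rejected; we did not send that mail" % info
        return "250 2.1.5 Ok (deliver to %s)" % info
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    today = date(2008, 4, 9)
    signed = sign_mail_from("user@example.com", today)
    print("outgoing MAIL FROM:", signed)
    print(rcpt_to_decision("", signed, today))
    print(rcpt_to_decision("", "user@example.com", today))
    print(rcpt_to_decision("", signed, date(2008, 4, 20)))
```

Two practical notes. The tag must be stripped again before the bounce reaches the mailbox, and the same stripping has to happen for anything that replies to the envelope address rather than the header From. And any forwarder in front of the site that rewrites recipients (SRS does this on forwarding) has to preserve the `prvs=` localpart, or legitimate bounces will be refused along with the forged ones.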
  • Google clueless? (Score:3, Interesting)

    by sustik (90111) on Wednesday April 09, 2008 @10:50AM (#23012892)
    I was under the impression until now that Google (as a business and its employees) are technically quite savvy. Seems quite strange that they are clueless about spam.

    From Wikipedia:
    "Since these messages were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities, they themselves can qualify as unsolicited bulk email or spam. As such, systems that generate e-mail backscatter can end up being listed on various DNSBLs and be in violation of ISPs Terms-of-Service for being abusive."

    So please help Google get a clue: look in your (spam) folder and if you find any of the emails mentioned, report it to spamcop.com. If everyone just submits one report, I am sure this will get resolved (Google will not let themselves be blacklisted for long for non-compliance).

    By the way, backscatter spam is a serious problem, and I am quite appalled when even ivy league school admins have no clue about it... There should be a shamelist for sysadmins as well who do not cooperate with efforts against spam (even if only out of ignorance/stupidity or even more so).