
Google Mail Servers Enable Backscatter Spam

kdawson posted more than 6 years ago | from the ricochet-attack dept.

Google 344

Mike Morris writes "Google email servers are responsible for a large volume of backscatter spam. No recipient validation is being performed for the domains googlegroups.com and blogger.com — possibly for other Google domains as well, but these two have been confirmed. (You can test this by sending an email to a bogus address in either of the domains; you'll quickly get a Google-generated bounce message.) Consequently spammers are able to launch dictionary attacks against these domains using forged envelope sender addresses. The owners of these forged addresses are then inundated with the bounce messages generated by the Google mail servers. The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction. Attempts at contacting them via abuse@google.com and postmaster@google.com have gone unanswered for quite some time. Only automated responses are received which say Google isn't doing anything wrong."

344 comments

Translation (5, Funny)

conner_bw (120497) | more than 6 years ago | (#23007408)

My mom was getting a ton of spam and she kept calling me day and night, saying her computer was broken. I tried to resolve the problem by contacting Google but they ignored me. The only option left was to badmouth them on the front page of Slashdot so the bad PR would force them to fix her problem. MOM, YOU CAN STOP CALLING ME NOW OK!!!

Re:Translation (1, Funny)

Anonymous Coward | more than 6 years ago | (#23007516)

Translation: Everything that Google does wrong is actually right. When I think about Google I imagine that it's a big red penis that I can suck.

Re:Translation (4, Funny)

Anonymous Coward | more than 6 years ago | (#23007710)

Don't worry. GoogleBackscatter is currently in Beta. When it goes into production backscatter will be even better!

Google Hates Niggers (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23007414)

Some guy I know works at google and he said they all are nigger haters. Its sad when people in this world are that ignorant. I don't mind the niggers that much. Sometimes they are nice but I don't like how they use up a lot of tax payers money with welfare. These niggers need to learn a little something called hard work and reading.

Re:Google Hates Niggers (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23007436)

Don't act like your shit doesn't stink.

NO ONE likes niggers. Niggers don't even like niggers.

*goes change his gmail password* (4, Interesting)

aleph42 (1082389) | more than 6 years ago | (#23007432)

*goes change his gmail password*

Seriously though, there's something else that bothers me about gmail (not the only one to do it): that apparently anyone can get your contact list if they have your address.

Ever happened to you? I was signing up on a music website with a gmail address, and then they asked me if I wanted to send invites to all my contacts, which magically appeared on their page. Even if it is apparently a common practice, I find it very disturbing.

Re:*goes change his gmail password* (5, Informative)

Anonymous Coward | more than 6 years ago | (#23007454)

Did you have an active session with gmail going at the time? As in, you didn't click "log out"?

Mod Parent Up (3, Informative)

Anonymous Coward | more than 6 years ago | (#23007752)

This is *exactly* why I do my email separate from all other browsing. It's not even unique to Google, they're just the biggest target.

If you want to use email securely:
* Use 'clear private data' to wipe everything out.
* Visit your webmail site (copy any links you want to visit to a text file for later).
* Read/send email.
* Log out.
* Use 'clear private data' again.

Anything less risks having information stolen.

Re:Mod Parent Up (4, Informative)

techno-vampire (666512) | more than 6 years ago | (#23007868)

If you want to use email securely:


Use POP3 for all your email. That way no website can ever get access to your contacts or personal data.

Re:Mod Parent Up (0)

supernova_hq (1014429) | more than 6 years ago | (#23007952)

Or simply use IMAPI...

Re:*goes change his gmail password* (5, Funny)

conner_bw (120497) | more than 6 years ago | (#23007480)

No, this has never happened to me.

Ever.

What kind of "music" site were you on?

The "russian" kind?

Re:*goes change his gmail password* (0)

Anonymous Coward | more than 6 years ago | (#23007640)

Facebook can do it too. As can several other social networking sites. Typically, you have to give permission to access your contacts.

Re:*goes change his gmail password* (3, Informative)

DarkAxi0m (928088) | more than 6 years ago | (#23007696)

Facebook can do it too. As can several other social networking sites. Typically, you have to give permission to access your contacts.
I think you have to give them your gmail password, or hotmail or whatever, as well as permission.

Re:*goes change his gmail password* (5, Informative)

i.of.the.storm (907783) | more than 6 years ago | (#23007774)

Yeah, Facebook actually asks for your gmail password, so do other sites. A bit shady, but I trust those sites not to store it because there'd be hell to pay if anyone found out otherwise.

Re:*goes change his gmail password* (1)

soulfury (1229120) | more than 6 years ago | (#23008006)

No, this has never happened to me. Ever. What kind of "music" site were you on? The "russian" kind?
You mean the music that you download and sing to?

Re:*goes change his gmail password* (4, Interesting)

dfay (75405) | more than 6 years ago | (#23007698)

I had the same thing happen.

LinkedIn asks me if I want to "connect" to certain people that I know for sure my only contact with them has been through mail on my gmail account. LinkedIn *can* mine your gmail account for you if you provide your account info to them, but I certainly never used that feature, so it was a bit alarming to see all of my gmail contacts showing up.

Personally, I don't care if they are not the only ones to do it. They shouldn't be giving out our personal info. I did expect them to use my info to provide context-sensitive ads, but I did not expect them to share my info with other companies without my explicit permission.

Not to mention, if you and I both saw it on sites that ostensibly have no relationship with google, it's possible that anyone that can hook to their Soap API can get your contact list.

Re:*goes change his gmail password* (5, Funny)

Anonymous Coward | more than 6 years ago | (#23008192)

Strange things happen on the internet. The other day I was navigating on the internet and my wife was watching the screen, and when I was typing a URL, a nasty porn site appeared as autocompleted. I swear I never visited the site. I'll show this Google account problem to my wife; she might believe me now.

And google wonders why ... (4, Insightful)

micheas (231635) | more than 6 years ago | (#23007442)

They are getting tagged with the moniker "the new evil".

I wonder how much of this has to do with the Microsoft to Google employee migration bringing the corporate culture with the people?

Re:And google wonders why ... (4, Funny)

conner_bw (120497) | more than 6 years ago | (#23007506)

Won't somebody please think of the driveways!

Re:And google wonders why ... (3, Insightful)

Slotty (562298) | more than 6 years ago | (#23007556)

Google lost the right to title of being the good guys when they went public. Their only loyalty is now owed to that of the shareholders. They seek out an improved shareprice as the primary goal. Anything less betrays the investors. Blaming the "evil" on migrating employees fails to take into account of the simple fact that the culture once linked with google can not exist as it once was because the wonderful $ has once again swooped in.

Re:And google wonders why ... (4, Insightful)

dnoyeb (547705) | more than 6 years ago | (#23007804)

Scapegoating the shareholders as an excuse for executive abuse is getting old.

Re:And google wonders why ... (3, Insightful)

gumbi west (610122) | more than 6 years ago | (#23007954)

So let me get this straight, the share holders want google to allow backscatter spam?

  1. allow backscatter spam
  2. ???
  3. profit!

Re:And google wonders why ... (5, Funny)

mingot (665080) | more than 6 years ago | (#23007974)

Wow, only on slashdot does microsoft get the blame for google being evil.

Nothing new here... (-1, Offtopic)

msauve (701917) | more than 6 years ago | (#23007450)

Damn clueless noobs. Just because they hired Vint Cerf, doesn't mean they know what they're doing. Oh, and they'll send bounces repeatedly, too.

Do no evil, my ass.

just point it out to them more clearly. (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23007456)

forged from: abuse@[domain]
to: bogus@[domain]
You have issues.

If they have back scatter, they get it. If they don't have back scatter, they don't.

Proper? (5, Insightful)

EdIII (1114411) | more than 6 years ago | (#23007460)

The proper behavior would be for the mail servers to reject email traffic to non-existent users during the initial SMTP transaction.


Ummm, how about the only behavior.

It never ceases to amaze me how some mail server administrators set up policies on their networks. If you are running a mail server you are THE POSTMASTER. If you don't know where it should go, or who it is supposed to be going to, how can you accept it?

Refusing email and stopping the transaction when you do not control the domain, service the domain, or even know the mailbox user is about as obvious a policy as not relaying for domains outside of your control.

If it is an honest mistake on the part of the sending server, acting as an agent for the user, then a simple message informing the sender that the account does not exist is a trivial matter.

To do anything else just amazes me.

Re:Proper? (0)

Anonymous Coward | more than 6 years ago | (#23007748)

I hate mail servers that bounce messages period.

A lot of "spam" I get is actually bounced messages (unknown recipient, etc) from poorly configured servers. I mean don't administrators realize that it's easy to forge the "From" address? The fucking idiots are bouncing messages into my mailbox just because some random asshole is using my e-mail address.

Re:Proper? (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23007798)

Maybe they're concerned about bots using those responses as a means to harvest valid email addresses. If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.

Re:Proper? (3, Informative)

schon (31600) | more than 6 years ago | (#23007904)

If you send it for invalid ones, then I can assume that when you don't send it, it's a legit account.
That's absurd logic.

got a tip for you:

spammers don't care if the addresses are valid or not

What you describe is called a 'rumplestiltskin' attack - it's well known, and nobody has ever suggested that the best way to counter it is to start spamming people with backscatter.

Re:Proper? (0)

Anonymous Coward | more than 6 years ago | (#23008142)

Actually, spammers *do* care if the addresses are valid or not. Originally they didn't, but in recent days, they've taken a great interest in it.

Imagine how many spammers are reading this /. thread right now?

Re:Proper? (0)

Anonymous Coward | more than 6 years ago | (#23007984)

If your mail server accepts any e-mail address then your server will be absolutely flooded with requests because spammers love that. They will assume you have a catch-all which all this mail will be delivered to.

What I do on my servers is block them in iptables if they are trying random e-mail accounts. I also block them in iptables if they show up in the IP blacklist. It's all automated with a Lua script I wrote.

Re:Proper? (1)

davolfman (1245316) | more than 6 years ago | (#23007824)

Actually that's how they're doing it. Messages with forged From addresses are being sent out and the message from Google saying the address is wrong is going to the forged From address. This is allowing spammers to bypass the restrictions that are supposed to prevent GMail users from receiving spam.

Re:Proper? (4, Insightful)

EdIII (1114411) | more than 6 years ago | (#23008254)

Actually that's how they're doing it.


I am not sure what "it" refers to. We are talking about two different things here, which is what occurs inside a SMTP transaction and what occurs outside of it.

Inside these SMTP transactions nothing is occurring that is facilitating the delivery of SPAM directly. Just the harvesting of good addresses for those domains. Afterwards, they can use the good addresses to send SPAM directly to those mail boxes.

What is stupid here, and I use that word deliberately, is Google's apparent policies. Regardless of any other considerations, you should not be sending bounce messages to FROM headers. Any action taken should occur within the SMTP transaction with 5xx or 2xx codes. Doing so is, for lack of a better word, just plain STUPID. When those FROM headers contain users within your own domains makes it just that much more retarded. Why would you be sending a bounce message to your own user from activity that did not originate within your own systems? Last time I checked you would not be doing so.

Any messages that came from your own users would be through authenticated SMTP transactions and any recipient errors would have bounce messages routed locally back to the sender. You don't even need the FROM header if it is in an authenticated session from your own user. You already knew which user it was from the authentication process. If you have SMTP transactions, that are not authenticated in most cases, coming from systems outside of your direct control, then it can't be from your users and therefore you should not be sending messages to them.

As for the SMTP transactions themselves being used for harvesting there are other methods to deal with that. You don't need to bug the crap out of your own users doing it either.

If I have a SMTP transaction attempt delivery to an unknown address outside of my domains (relaying), I explicitly add them to the block lists for 60 minutes. Sending mail servers should be using the domain in the TO header to obtain MX records of my mail server. For my mail server to get a message for domains that I don't control is a huge red flag. If it is to an unknown address within my domains I block them for 20 minutes, but only after 3 such transactions within 10 minutes. That will allow any honest typos from stopping service from valid mail servers.

When you get a ton of these SMTP transactions in a row maybe, just maybe now, you should be adding that IP address to a dynamic suppression system for longer periods of time, like say weeks. Here is the kicker too, if these SMTP transactions came from a Zombie machine then you are not even interfering with that person's ability to send mail since they will be doing through a web based email system such as Google or an email client that will send their email (through an authenticated session) to a real mail server that will then send it out.

There is a LOT more to this, but I can tell you that Google is doing it in about the stupidest way possible right now. That's just my opinion, but I do operate several mail servers right now and I can't see anything smart about these policies.
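The blocking thresholds from the comment above (60 minutes for a relay attempt, 20 minutes after 3 unknown recipients within 10 minutes), written out as an added example that is not part of the original post or of any mail server's own code. The `RcptPolicy` class, the sample addresses and IPs, and the choice of a 421 reply while a block is active are assumptions made here.

```python
from collections import defaultdict, deque

# Constructed data for the example.
LOCAL_DOMAINS = {"example.org"}
MAILBOXES = {"alice@example.org", "bob@example.org"}

# Thresholds as stated in the comment above.
RELAY_BLOCK = 60 * 60       # relay attempt: block for 60 minutes
UNKNOWN_BLOCK = 20 * 60     # unknown local users: block for 20 minutes...
UNKNOWN_LIMIT = 3           # ...only after 3 such transactions...
UNKNOWN_WINDOW = 10 * 60    # ...within 10 minutes


class RcptPolicy:
    """Per-client-IP recipient checks made inside the SMTP transaction."""

    def __init__(self):
        self.blocked_until = {}                  # ip -> time the block expires
        self.unknown_hits = defaultdict(deque)   # ip -> times of recent 550s

    def rcpt(self, ip, address, now):
        """Return (code, text) for RCPT TO:<address> from ip at time now (seconds)."""
        if self.blocked_until.get(ip, 0) > now:
            # Assumption: answer with 4xx so a legitimate server queues and retries.
            return 421, "too many bad recipients, try again later"

        address = address.lower()
        domain = address.rpartition("@")[2]
        if domain not in LOCAL_DOMAINS:
            # Mail for a domain we do not serve: refuse and block at once.
            self.blocked_until[ip] = now + RELAY_BLOCK
            return 550, "relaying denied"

        if address in MAILBOXES:
            return 250, "recipient ok"

        # Unknown local user: always refused in-session, never bounced later.
        hits = self.unknown_hits[ip]
        hits.append(now)
        while hits[0] <= now - UNKNOWN_WINDOW:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= UNKNOWN_LIMIT:
            self.blocked_until[ip] = now + UNKNOWN_BLOCK
            hits.clear()
        return 550, "no such user"


# Constructed events: (client ip, recipient, time in seconds).
SAMPLE = [
    ("192.0.2.10", "aaa@example.org", 0),
    ("192.0.2.10", "aab@example.org", 60),
    ("192.0.2.10", "alice@example.org", 120),
    ("192.0.2.10", "aac@example.org", 180),      # third unknown within 10 minutes
    ("192.0.2.10", "alice@example.org", 200),    # block is active
    ("192.0.2.10", "alice@example.org", 1380),   # 20 minutes later: block expired
    ("198.51.100.7", "alise@example.org", 0),    # honest typos, spread out
    ("198.51.100.7", "allice@example.org", 400),
    ("198.51.100.7", "alcie@example.org", 800),
    ("198.51.100.7", "alice@example.org", 801),  # still allowed to deliver
    ("203.0.113.5", "someone@elsewhere.example", 0),   # relay attempt
    ("203.0.113.5", "alice@example.org", 3599),        # still inside 60 minutes
]


def replay(events):
    """Run events through a fresh policy and return the reply codes in order."""
    policy = RcptPolicy()
    return [policy.rcpt(ip, addr, t)[0] for ip, addr, t in events]


if __name__ == "__main__":
    for event, code in zip(SAMPLE, replay(SAMPLE)):
        print(code, *event)
```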

Re:Proper? (1)

Terri416 (131871) | more than 6 years ago | (#23007880)

I've used a few MTAs over the years, and each has its own baked-in assumptions about virtual domains, queuing, bounces, etc.
Exim, for instance, has an almost paranoid aversion to queuing. It wants to deliver the mail or reject it NOW! No waiting. No queuing. It resolves all addresses, bursts bulk emails only when unavoidable, and does this before actually accepting the email. Exim only queues when there is a real temporary failure such as a non-responsive downstream MTA.
Postfix, on the other hand, absolutely must queue all mail before resolving addresses. For this reason it must accept email regardless.
I'd guess Google don't use Exim.

Re:Proper? (2, Informative)

Artefacto (1207766) | more than 6 years ago | (#23007996)

That would be the best thing to do, but it's not always trivial. In fact, sometimes it's impossible [slashdot.org] .

I've seen e-mail setups where after the mail is sent to the servers in MX records it goes through several MTAs until it's finally delivered. In order to be possible to reject the e-mail at SMTP time, you'd have to do some kind of synchronization between the MTAs so that the MX server could know whether the addresses exist. Plus, the same domain could read users from several databases at the same time (e.g. mysql, /etc/passwd, LDAP, ...) which would complicate synchronization even more.

Re:Proper? (1)

oyenstikker (536040) | more than 6 years ago | (#23008028)

It doesn't even have to be a complex setup. One primary MX that knows the accounts, and one backup MX that accepts everything for its domains and relays it all to the primary.

Re:Proper? (2, Insightful)

Arrogant-Bastard (141720) | more than 6 years ago | (#23008038)

This should be printed out in 72-point type and stapled to the forehead of any mail system administrator who hasn't already made their operation do exactly this. There are no excuses: numerous techniques for accomplishing this, even in multiple-server, multiple-tier environments have been well known for a decade.

Those who fail are likely to find themselves on numerous blacklists -- correctly listed as spammers.

In beta (4, Insightful)

SkullOne (150150) | more than 6 years ago | (#23007466)

Didn't anyone notice that Gmail is still in beta?

FWIW, I use Google Apps to host my e-mail, and I have found Google to have horrible support.
Instead of fixing the problem, they'll just point you to a loosely moderated Google Groups newsgroup for Google apps, and you'll rarely receive a response, let alone a workable fix for an issue.

Do no evil? Or do nothing at all?

Re:In beta (1)

speaktruth (1082461) | more than 6 years ago | (#23008208)

I also have Google Apps for my domain, and not the free kind. A recent calendar issue surrounding recurring events that span daylight savings time led me to call the support line. After about 5 minutes of ringing it just stopped. A couple more tries gave the same result. When I finally got someone through chat they said that the problem was not an issue because the calendar is supposed to work that way. I couldn't get an explanation as to why on earth it would jumble all of my events on purpose. When I prodded they literally ignored me. This is the app and support I am paying for. I am losing faith.

Inaccurate title/summary (4, Insightful)

Schraegstrichpunkt (931443) | more than 6 years ago | (#23007472)

Sending to example12345@googlegroups.com, I get this (my email address replaced with name@example.com):

Hello name@example.com,

We're writing to let you know that the group that you tried to contact (example12345) doesn't exist. There are a few possible reasons why this happened:

* You might have spelled or formatted the group name incorrectly.
* The owner of the group removed this group, so there's nobody there to contact.

If you have questions about this or any other group, please visit the Google Groups Help Center at http://groups.google.com/support [google.com] .

Thanks, and we hope you'll continue to enjoy Google Groups.

The Google Groups Team

In other words, while this causes backscatter, this is not an avenue for "backscatter spam", since Google isn't delivering the contents of arbitrary messages to arbitrary users.

It sounds like the submitter wants to blow this out of proportion by equating general backscatter (which nearly all mailing list managers on the Internet generate with their "confirmation" messages) with backscatter spam.

Re:Inaccurate title/summary (4, Informative)

ceejayoz (567949) | more than 6 years ago | (#23007560)

*checks*

Hey, look. It's a kdawson article!

Re:Inaccurate title/summary (1)

v1 (525388) | more than 6 years ago | (#23007820)

it? you mean they. The last 9 articles are kdawson... wow.

Re:Inaccurate title/summary (1)

Chris Mattern (191822) | more than 6 years ago | (#23007918)

And the fourteen before those are all from Zonk...double wow.

Re:Inaccurate title/summary (3, Informative)

ikkonoishi (674762) | more than 6 years ago | (#23007618)

Just because some spam is advertising does not mean that all spam is advertising. The point here would be to fill someone's inbox with bogus messages.

Re:Inaccurate title/summary (5, Informative)

NMerriam (15122) | more than 6 years ago | (#23007692)

You're being either overly literal, or trying to create a distinction where there isn't much of one.

No, the responses don't contain an original message, nor are they commercial or anything like that, but the spammy thing about this form of backscatter is about the VOLUME and indiscriminate nature of the mail, not the content.

This isn't being blown out of proportion at all. It's nothing like a mailing list sending a confirmation. No spammer is going to send a million messages with different forged addresses to a single email address (the subscribe address) -- that defeats the whole purpose of spamming, which is to contact DIFFERENT addresses!

What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google. THAT is backscatter spam -- thousands of useless messages sent to forged addresses on your domain, regardless of content. And no mail server in 2008, much less one run by a major tech company, should make that possible.

MOD PARENT UP (2)

martin-boundary (547041) | more than 6 years ago | (#23007732)

The google fanboys are wrong on this one.

Re:Inaccurate title/summary (1)

ScrewMaster (602015) | more than 6 years ago | (#23007960)

And no mail server in 2008, much less one run by a major tech company, should make that possible.

Just because one isn't evil, doesn't mean one is competent or incapable of error.

Re:Inaccurate title/summary (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#23008008)

What google has done is open a wildcard on some domains so that anyone launching a dictionary attack on googlegroups.com will send a million messages TO a million different addresses FROM a million different forged addresses. Google then sends a million bounces back to a million different addresses, and if you run a domain that the spammer used as their "from", you suddenly get tens or hundreds of thousands of identical bounce messages from Google.

Yes, but the contents of the message can't be controlled in any meaningful way, so as you said:

No spammer is going to send a million messages with different forged addresses ...

... unless they can control the content of those messages.

The distinction is obvious. If spammers can't control the contents of the bounces, the bounces won't get them paid.

Re:Inaccurate title/summary (2, Informative)

FliesLikeABrick (943848) | more than 6 years ago | (#23007786)

There are a few important differences

1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place
3) yes, right now (1) isn't true for Google either, since they accept all mail, but that is indeed the problem right now, and there are stupid spammers out there who will blast thousands upon thousands of e-mails off to google to see what gets rejected (when they assume that there will be rejections during the initial SMTP conversation)

While it isn't backscatter spam since the initial content isn't delivered, it is still backscatter and Google is still doing the wrong thing. We all know that submitters to /. often get the wrong terms (look at how often "bricked" is used wrongly... we even have a tag for it). I'd bet that more of these wrong terms are due to ignorance than to people trying to spread FUD and blow things out of proportion. Maybe it is time for a !backscatterspam tag if this bothers you so much

Re:Inaccurate title/summary (1)

eonlabs (921625) | more than 6 years ago | (#23008004)

Can you tell me a mail service that doesn't announce to a sender when a letter failed to reach its intended destination?

You're telling me that you would prefer thinking that you sent an e-mail to someone, and that they received it, even if you mistyped the address by one letter?

I don't see what they're doing as wrong at all. They aren't bouncing the original message, so spam is not originating from google's domains. They're also announcing e-mails which failed to arrive at their intended destination.

Re:Inaccurate title/summary (1)

FliesLikeABrick (943848) | more than 6 years ago | (#23008088)

Rejection during the initial SMTP conversation will still cause mail to go back to the sender saying that it wasn't received. It doesn't just disappear into the ether. This is how MOST e-mail servers on the face of the planet work.

The server trying to deliver mail (server X) contacts the destination server (server Y). The destination server immediately says "nope, sorry, that user doesn't exist" so server X sends a mail back to the sender saying "Server Y said 'user not found in user lookup'" or somesuch. Look through any failed mail delivery you have in your inbox and I bet you'll find a bunch like this, assuming you've fat-fingered e-mail addresses in the past.

Read any mailop mailing list and you'll see mention of backscatter as a bad thing, regardless of whether or not it contains the original contents.
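The two behaviours this thread argues about, modelled as an added example (not part of any comment, and not Google's or any MTA's code): a toy receiving server that either rejects an unknown recipient at RCPT TO or accepts everything and bounces afterwards. The `Receiver` class, the `send` helper and every address are constructed for illustration.

```python
import re

VALID_RCPTS = {"real-list@lists.example"}     # constructed mailbox table
ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)


class Receiver:
    """Toy receiving MX; policy is 'reject_at_rcpt' or 'accept_then_bounce'."""

    def __init__(self, policy):
        self.policy = policy
        self.outbound_bounces = []    # addresses this server mailed a bounce to
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.in_data = None, [], False

    def line(self, text):
        """Feed one client line; return the reply, or None for message content."""
        if self.in_data:
            if text != ".":
                return None
            self._after_session()
            self._reset()
            return "250 2.0.0 queued"
        m = ADDR.match(text)
        if m and m.group(1).upper() == "MAIL FROM":
            self._reset()
            self.sender = m.group(2)          # unauthenticated, trivially forged
            return "250 2.1.0 sender ok"
        if m:                                 # RCPT TO
            if self.sender is None:
                return "503 5.5.1 need MAIL first"
            rcpt = m.group(2).lower()
            if self.policy == "reject_at_rcpt" and rcpt not in VALID_RCPTS:
                return "550 5.1.1 no such user"
            self.rcpts.append(rcpt)
            return "250 2.1.5 recipient ok"
        if text.upper() == "DATA":
            if not self.rcpts:
                return "554 5.5.1 no valid recipients"
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        return "500 5.5.2 command not recognized"

    def _after_session(self):
        # The connection is gone; the only return path left is the envelope
        # sender. A null sender (MAIL FROM:<>) must never be bounced to.
        for rcpt in self.rcpts:
            if rcpt not in VALID_RCPTS and self.sender:
                self.outbound_bounces.append(self.sender)


def send(rx, mail_from, rcpt):
    """Drive one transaction as a sending MTA would; return [(command, reply)]."""
    log = []
    for cmd in ("MAIL FROM:<%s>" % mail_from, "RCPT TO:<%s>" % rcpt, "DATA"):
        reply = rx.line(cmd)
        log.append((cmd, reply))
        if reply[0] in "45":
            return log    # refused: the message stays the sending side's problem
    rx.line("Subject: constructed test message")
    log.append((".", rx.line(".")))
    return log


if __name__ == "__main__":
    for policy in ("accept_then_bounce", "reject_at_rcpt"):
        rx = Receiver(policy)
        # Constructed case: forged envelope sender, nonexistent recipient.
        log = send(rx, "bystander@victim.example", "guess1@lists.example")
        print(policy, [reply[:3] for _, reply in log], rx.outbound_bounces)
```

With `reject_at_rcpt` the 550 goes to whoever opened the connection, so a legitimate sending server can report the typo to its own user, and the address in MAIL FROM is never mailed.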

Re:Inaccurate title/summary (1)

MichaelSmith (789609) | more than 6 years ago | (#23008234)

The destination server immediately says "nope, sorry, that user doesn't exist" s

But then the remote system has a way to find out what usernames do *not* exist on the SMTP server, and via a (now very fast) dictionary search can get a list of valid usernames.


There is a reason why most interactive logins do not tell you which you got right or wrong: the username or password.


Once your usernames are known a dictionary attack against passwords is much easier. This is why root should never accept ssh logins.

Re:Inaccurate title/summary (1)

Bogtha (906264) | more than 6 years ago | (#23008166)

1) mailing list confirmations can't be used by spammers to identify existing or non-existing e-mail addresses
2) spammers, unlike your test, will use spoofed From: headers, making the mail you got be bounced back to someone who wasn't involved in the first place

You can't have it both ways. If they use a forged From header, then they can't test whether an address exists or not. If they don't forge the From header so that they can validate the address, then there's no backscatter, because the spammer needs to pick up the reply.

3) yes, right now (1) isn't true for Google either

Wait, so of a three point list, one of the points is not a problem and another of the points is pointing out that the other point isn't a problem? It sounds like you have a chip on your shoulder or something.

Re:Inaccurate title/summary (1)

erice (13380) | more than 6 years ago | (#23007874)

Looks like a good method, if you ask me. I'm amazed that the OP thought that rejecting was a good idea while claiming that Google's method enabled dictionary attacks. Rejecting makes dictionary attacks much easier. No need to parse or even receive bounces. Validation is provided promptly in an easy to parse return code.

A suggestion for Gmail spam-fighting (5, Interesting)

shanen (462549) | more than 6 years ago | (#23007484)

Basically Gmail is losing value for all of us as it becomes spam
soaked. Even their filtering is having troubles with false positives
and false negatives--and the spam is just increasing. Therefore I
think Google should act more aggressively to drive the spammers away
from Gmail.

My latest anti-spam idea is a SuperReport option. (Kind of like
SpamCop, but not so lazy.) If you click on the SuperReport option,
Gmail would explode the spam and try to analyze it for you to help go
after the spammers more aggressively. Here is one approach to
implementing it:

The first pass analysis would be a low-cost quickie that would also
act like a kind of CAPTCHA. This would just be an automated pass
looking for obvious patterns like email addresses and URLs. The email
would then be exploded and shown to the person making the report (=
the targeted recipient of the spam AKA victim). The thoughtful
responses for the second pass would guide the system in going after
the spammers--making Gmail a *VERY* hostile environment for spammers
to the point that they would stop spamming Gmail.

For example, if the first pass analysis finds an email address in the
header, the exploded options might be "Obvious fake, ignore",
"Plausible fake used to improve delivery", "Apparently valid drop
address for replies", "Possible Joe job", and "Other". (Of course
there should be pop-up explanations for help, which would be easy if
it's done as a radio button. Also, Google always needs to allow for
"Other" because the spammers are so damn innovative. In the "Other"
case, the second pass should call for an explanation of why it is
"Other".)

If the first pass analysis finds a URL, the exploded options should be
things like "Drugs", "Stock scam", "Software piracy", "Loan scam",
"419 scam", "Prostitution", "Fake merchandise", "Reputation theft",
"Possible Joe job", and "Other". I think URLs should include a second
radio button for "Registered Domain" (default), "Redirection",
"Possible redirection", "Dynamic DNS routing", and "Other". (Or
perhaps that would be another second-pass option?)

If the first pass finds an email address in the body, the exploded
options should include things like "Fake opt-out for address
harvester", "419 reply path", "Joe job", and "Other".

At the bottom of the expanded first pass analysis there should be some
general options about the kind of spam and suggested countermeasures,
and the submit SuperReport button. This would trigger the heavier
second pass where Gmail's system would take these detailed results of
the human analysis of the spam and use them to really go after the
spammers in a more serious way. Some of the second pass stuff should
come back to the person who received the spam for confirmation of the
suggested countermeasures.

Going beyond that? I think Gmail should also rate the spam reporters
on their spam-fighting skills, and figure out how smart they are when
they are analyzing the spam. I want to earn a "Spam Fighter First
Class" merit badge!

If you agree with these ideas--or have better ones, I suggest you try
to call them to Google's attention. Google still seems to be an
innovative and responsive company--and they claim they want to fight
evil, too. More so if many people write to them? (I even think they
recently implemented one of my suggestions to improve the Groups...
However, it doesn't matter who gets credit--what matters is destroying
the spammers.)

Re:A suggestion for Gmail spam-fighting (2, Informative)

danpat (119101) | more than 6 years ago | (#23007590)

Ever seen this list?

http://craphound.com/spamsolutions.txt [craphound.com]

Please tick the appropriate boxes....

Re:A suggestion for Gmail spam-fighting (2, Insightful)

shanen (462549) | more than 6 years ago | (#23007704)

Quite familiar with it, and it doesn't really apply to this suggestion, though I could shoehorn it into several categories. The form is broad enough that it will absorb anything, including your lunch. If you think it does apply without the big shoehorn, then please say why.

That form was a funny joke the first few times it was used. Since then it has simply become a generic excuse for "No, we cannot."

Actually, I don't think there is any way to truly address the spam problem without dealing with the TANSTAAFL problem. The creators of email pretended that it would be mutually beneficial, so they did not need to design any accounting into it. While I actually admire Al Gore, I feel like I have to blame him as the root of the spam problem. He kept telling them 'Don't worry about the money--I'll get it for you.'

Re:A suggestion for Gmail spam-fighting (1)

Russ Nelson (33911) | more than 6 years ago | (#23007846)

Ignore the form at your peril. There is no FUSSP.

Re:A suggestion for Gmail spam-fighting (1)

shanen (462549) | more than 6 years ago | (#23007976)

At no point did I suggest that my suggestion was a FUSSP. It is intended as a flexible and adaptive tool that would allow more people to do something constructive about reducing the amount of spam.

The FUSSP is just another irrational argument for "No, we can't." The world is not perfect, and obviously there are no perfect solutions--but that doesn't mean we should just give up on good or even partial solutions.

Re:A suggestion for Gmail spam-fighting (1)

RedWizzard (192002) | more than 6 years ago | (#23007592)

Even their filtering is having troubles with false positives and false negatives--and the spam is just increasing.
Got any evidence that this is true? Because my experience is the complete opposite. I get a couple of dozen spam messages a day and I haven't had a false positive or a false negative in well over a year.

Re:A suggestion for Gmail spam-fighting (1)

shanen (462549) | more than 6 years ago | (#23007736)

I'm not too concerned about the false negatives in Gmail, though I see several of them per week. However, I am somewhat concerned with the false positives since they are hard to pick out of the spam. I can recall at least two cases of ham getting filed as spam by Gmail.

Perhaps you don't get enough email? Even if the spam detection is 99.9% accurate, if you get 1,000 pieces of non-spam email, then one of them will be tossed in the spam folder. Based on my data, I'd say that Gmail is probably higher than 99% but definitely less than 99.9%--but possibly much lower. It's quite possible that I've simply lost some valid email because I didn't look carefully enough at the spam.

Re:A suggestion for Gmail spam-fighting (1)

RedWizzard (192002) | more than 6 years ago | (#23007840)

Thinking about it further I have had false negatives in the last year - not more than 10, but not zero.

I've been using gmail for just under 4 years and in that time I've received about 30,000 messages, 90% of which are from mailing lists. I've never had a false positive for me personally and I've only had a small number (<20) of false positives for mailing list emails (and none in the last year). Overall I think the detection is probably on the order of 99.5% accurate for me, but seems to have got better lately, not worse.

Obviously usage specifics matters - I don't get many emails from people I haven't previously emailed so almost all of my personal emails can be validated against addresses I've previously sent to. I'd expect someone who gets valid email from strangers to have a higher number of false positives.

Re:A suggestion for Gmail spam-fighting (1)

shanen (462549) | more than 6 years ago | (#23007946)

Actually that last topic you mentioned is a very interesting problem in itself, but I think it's too far from the current topic to really discuss more... However, just in case the /. editors are looking for ideas for new articles, think about the problem of a celebrity, politician, or public figure who will receive a large amount of non-spam email from unknown people...

Re:A suggestion for Gmail spam-fighting (0)

Anonymous Coward | more than 6 years ago | (#23007950)

Periodically, Gmail will tag a Google Alert as spam. Also, Gmail has tagged email from another gmail sender as spam. As a result, I monitor the spam folder more diligently for false positives. I average 30-50 spams per day.

I've seen about 3-4 spams hit the inbox since Gmail began.

Re:A suggestion for Gmail spam-fighting (1)

qmaqdk (522323) | more than 6 years ago | (#23007614)

...the human analysis of the spam and use them to really go after the
spammers in a more serious way. ...
Although I think your idea would catch the "casual spammer", I don't think this will work for the big fish. These guys use exploits on Joe-six-pack's computer to send the spam. Even if you get the computer that sent the spam there would be a million more computers they could use. And Joe-six-pack probably wouldn't be happy.

With SMTP as it currently is, I can't see how (aside from filtering) we can avoid spam.

Re:A suggestion for Gmail spam-fighting (2, Insightful)

shanen (462549) | more than 6 years ago | (#23007772)

I guess that's the thing that most amazes me about the spam problem... Many of the big-time spammers are clearly large-scale criminals advertising their criminal wares, and apparently we are unable to do anything about it?

Just this week they apparently discovered a botnet larger than Storm. (http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/) The report says that the botnet was spewing out vast quantities of spam for the usual quasi-legal scams. So how the heck could they miss it? Possible answer: Because the filtering approach was mostly working.

Remember that the spammers are dividing by zero. At least that's how they think about it. If another million spams finds one more sucker to send them $39, then they think the RoI was $39/0 = infinity. They aren't concerned with your spam filters. If you're smart enough to filter their spam, then you probably aren't dumb enough to send them the money--but they're still hoping to catch you with their next scam.

Re:A suggestion for Gmail spam-fighting (3, Funny)

calebt3 (1098475) | more than 6 years ago | (#23007702)

Your post advocates a

( ) technical ( ) legislative ( ) market-based (*) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(*) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(*) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:A suggestion for Gmail spam-fighting (1)

galimore (461274) | more than 6 years ago | (#23007712)

Basically Gmail is losing value for all of us as it becomes spam
soaked. Even their filtering is having troubles with false positives
and false negatives--and the spam is just increasing. Therefore I
think Google should act more aggressively to drive the spammers away
from Gmail.

My latest anti-spam idea is a SuperReport option. (Kind of like
SpamCop, but not so lazy.) If you click on the SuperReport option,
Gmail would explode the spam and try to analyze it for you to help go
after the spammers more aggressively. Here is one approach to
implementing it:

The first pass analysis would be a low-cost quickie that would also
act like a kind of CAPTCHA. This would just be an automated pass
looking for obvious patterns like email addresses and URLs. The email
would then be exploded and shown to the person making the report (=
the targeted recipient of the spam AKA victim). The thoughtful
responses for the second pass would guide the system in going after
the spammers--making Gmail a *VERY* hostile environment for spammers
to the point that they would stop spamming Gmail.

For example, if the first pass analysis finds an email address in the
header, the exploded options might be "Obvious fake, ignore",
"Plausible fake used to improve delivery", "Apparently valid drop
address for replies", "Possible Joe job", and "Other". (Of course
there should be pop-up explanations for help, which would be easy if
it's done as a radio button. Also, Google always needs to allow for
"Other" because the spammers are so damn innovative. In the "Other"
case, the second pass should call for an explanation of why it is
"Other".)

If the first pass analysis finds a URL, the exploded options should be
things like "Drugs", "Stock scam", "Software piracy", "Loan scam",
"419 scam", "Prostitution", "Fake merchandise", "Reputation theft",
"Possible Joe job", and "Other". I think URLs should include a second
radio button for "Registered Domain" (default), "Redirection",
"Possible redirection", "Dynamic DNS routing", and "Other". (Or
perhaps that would be another second-pass option?)

If the first pass finds an email address in the body, the exploded
options should include things like "Fake opt-out for address
harvester", "419 reply path", "Joe job", and "Other".

At the bottom of the expanded first pass analysis there should be some
general options about the kind of spam and suggested countermeasures,
and the submit SuperReport button. This would trigger the heavier
second pass where Gmail's system would take these detailed results of
the human analysis of the spam and use them to really go after the
spammers in a more serious way. Some of the second pass stuff should
come back to the person who received the spam for confirmation of the
suggested countermeasures.

Going beyond that? I think Gmail should also rate the spam reporters
on their spam-fighting skills, and figure out how smart they are when
they are analyzing the spam. I want to earn a "Spam Fighter First
Class" merit badge!

If you agree with these ideas--or have better ones, I suggest you try
to call them to Google's attention. Google still seems to be an
innovative and responsive company--and they claim they want to fight
evil, too. More so if many people write to them? (I even think they
recently implemented one of my suggestions to improve the Groups...
However, it doesn't matter who gets credit--what matters is destroying
the spammers.)
*ahem* Who owns this patent, exactly? ;)

Re:A suggestion for Gmail spam-fighting (0, Troll)

mcrbids (148650) | more than 6 years ago | (#23007728)

Right.

Because you know SOOOO much more about fighting tens of billions of spam per day than the engineers at Google. And I can be pretty confident in my dismissive contempt because, if you actually were any good at fighting spam, you'd be raking in the big bucks actually doing it instead of mumbling about it on Slashdot.

Maybe you actually do know something about fighting spam. In which case, you really should be registering a domain name (hint: both spamkillz.com and killzpam.com are not taken as I write this) and offering your helpful service to the worldwide community. If you were really any good, and provided a useful service free of spam, you could be a millionaire in 2 or 3 years.

I dunno. Usually, millions of dollars is sufficient motivation that you won't waste valuable knowledge here.

Re:A suggestion for Gmail spam-fighting (0, Redundant)

shanen (462549) | more than 6 years ago | (#23007830)

I'm not suggesting it is an ultimate solution, but I do believe there is a certain amount of wisdom in most crowds of people. The Japanese expression is "San nin wa Monju no chie" (Very loosely translated as 'Three people have the wisdom of Buddha').

More than that, I believe almost any weapon can contribute to making it harder for the spammers to intrude on my life. SpamCop is actually pretty good as far as it goes, but it doesn't go very far. I think their real problem is that they are now owned by Cisco, and Cisco's customers are mostly the backbone people. You can even argue that the backbone people have the ultimate powers over the Internet--but they don't care how much spam they transmit as long as someone is paying them for the packets.

Google is in a different position, however. They really do have a vested interest in making Gmail valuable as an email system--and spam is the #1 liability of email.

Re:A suggestion for Gmail spam-fighting (1)

syzler (748241) | more than 6 years ago | (#23007894)

Freakin' awesome name. Now I just need to think of something funny to use the domain for.

Re:A suggestion for Gmail spam-fighting (1)

maxume (22995) | more than 6 years ago | (#23007856)

An automated system that gathers "Report Spam" reports for a certain message and uses that information to mark that message as spam in other accounts is quick for users, requires minimal ongoing effort from Google, and would work fairly well.

Your idea is expensive for both users (time) and Google (time) and is still playing spammer whack-a-mole, so it won't work a whole lot better than simple filtering.

Re:A suggestion for Gmail spam-fighting (1)

shanen (462549) | more than 6 years ago | (#23007998)

I can't really say much about the Google side of the equation, though I'm sure that they do have some people already working on spam fighting.

However, I certainly can say a lot about the other side of it. You don't want to fight spam, then don't use it. Me? I really hate the spammers and I would gladly do anything I can do that harms them.

You can argue that the harm of a particular piece of spam is very small. Perhaps a second or two if I'm just checking for misfiled ham--but the cumulative effect of *MILLIONS* of spams is enormous.

I also believe it is fungible evil. The same morally bankrupt spammer who will sell you addictive drugs will gladly sell you a subprime mortgage or support human trafficking. Where are the lines?

Re:A suggestion for Gmail spam-fighting (1)

Zwergin (572487) | more than 6 years ago | (#23008100)

This article is on Google Groups backspam and has nothing to do with GMail unless you are trying to implement Spam filtering or PHish filtering into the Google Groups and the PostMaster Responses of Google Groups.

~Z

Re:A suggestion for Gmail spam-fighting (1)

TheSkyIsPurple (901118) | more than 6 years ago | (#23008158)

I'd love to see how my users do with this...

If they're invited to a meeting by their manager and they don't want to deal with it, what do they do? Mark it as spam.
They don't delete it, they don't move it, they don't decline it or accept it... they reported it as spam.

Seriously guys, WTF?

bogus (0)

Anonymous Coward | more than 6 years ago | (#23007498)

If anything gmail accepting email to all addresses prevents spammers from running dictionary attacks against gmail. I'm sure they have some sort of limit to prevent people from sending too many emails from each ip to bogus addresses.

Also with no references listed in the post, it's probably someone overreacting about a single mis-addressed bounce they received.

250 Accepted (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23007518)

Yes, mail to an unknown recipient should be rejected with a 550 code during the initial SMTP dialogue. But not only that - lots of people believe that *any* message you don't intend to deliver should be rejected during the SMTP dialogue. The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.

I hate to toot my own horn here, but I wrote tarmail [ablative.org] with this express purpose in mind (among others). GPLed and everything. Messages that you won't accept get rejected during the SMTP dialogue.

If you don't like my MTA, then please feel free to mod this down so that others won't be needlessly bothered. But I really do believe that Tarmail is the right answer to this specific problem. Thank you for your time.

Re:250 Accepted (2, Insightful)

fortunato (106228) | more than 6 years ago | (#23007668)

I'm not trying to belittle your effort in any way but, after reading over your page I have to ask, what exactly does tarmail do that postfix, or any other SMTP server commonly used these days doesn't?

Re:250 Accepted (1)

flyingfsck (986395) | more than 6 years ago | (#23007684)

KISS. Have you read the Postfix manual? Have you tried to make Postfix work with SpamAssassin and ClamAV? Now put that next to the one pager of tarmail.

Re:250 Accepted (5, Interesting)

fortunato (106228) | more than 6 years ago | (#23008066)

Yes actually I have. Postfix is extremely easy to set up with SpamAssassin. It requires cutting and pasting two configuration lines if you can't understand the manual and can do a google search. I suppose you could make the pedantic argument that it's twice as hard as tarmail since tarmail requires one line.

In fact setting up ClamAV and SpamAssassin alone is orders of magnitude more complex.

I might argue that if you have a hard time understanding the postfix manual you have no business running a mail server.

In any case, I wasn't trying to compare, just trying to understand why it was worth the effort of yet another SMTP server.

Re:250 Accepted (2, Interesting)

flyingfsck (986395) | more than 6 years ago | (#23007670)

Neat. It is a pity I wasn't aware of your project earlier. It seems that it will make a straight and simple mail filter to place in front of an existing crappy insecure mail system like Exchange.

Universal filter? (1)

adolf (21054) | more than 6 years ago | (#23007806)

So, Mr. Tarmail, would you care to answer the following question: Can I easily use tarmail in front of my existing postfix/amavis/clamav/f-prot rig? I don't mind processing mail twice (or more, really) -- I've got plenty of CPU to spare. If your MTA is really as slick as you say, I would like to make a somewhat easy transition away from my current, complicated arrangement and onto yours.

(I'd research this myself, but I'm on my own time right now and would rather be looking into a strange issue with my car's parking brake than do pro-bono work for the company.)

Re:250 Accepted (5, Interesting)

prockcore (543967) | more than 6 years ago | (#23007810)

The current fashion is to say "250 OK" and then silently delete the message later, which is wrong.


Since SMTP is defective by design, this is an acceptable response. Doing anything else allows spammers to confirm valid accounts using dictionary attacks.

Re:250 Accepted (1)

gweihir (88907) | more than 6 years ago | (#23008082)

I do silent drops for relay requests. I believe that is the right way to deal with them, but not with other messages.

The problem with the initial reject is that it creates the same problem, once removed, when done over an open relay. This way gmail keeps some control. I would be interested to see whether they are actually answering all messages or have some limiting in place. It is also quite possible that they never thought of this issue and their architecture does not allow initial reject at the moment. Possibly no competent IT security people were involved in the design process. As there are not a lot of competent IT security people, I don't see any indication of malice here.

Take note of the date and time (1)

BlackSabbath (118110) | more than 6 years ago | (#23007594)

There is a good chance that in the future we will look back at this as the point at which the groupthink regarding Google as evil or not, flipped polarity.

There has been an increase in the level of geek angst about Google (check out the Google App Engine post). I predict it's only going to get worse and that by the end of the year most Google stories will be tagged "theNewMicrosoft" or as someone else suggested "theNewEvil". Of course, the fact that a bunch of geeks are no longer enamoured of Google will not halt their continuing traction among non-geeks (much like other companies you could think of).

It will be interesting to contrast how they respond to this over the next year and compare this to, say, Microsoft's PR machine.

Having said all this, I still find gmail and calendar extremely useful, and I wouldn't even think of using a different search engine. For now.

Google Groups must DIE (2, Interesting)

Greg_D (138979) | more than 6 years ago | (#23007606)

Google is one of the biggest culprits in the utter destruction of the highest traffic Usenet discussion newsgroups. The volume of spam that comes from those servers is ridiculous, not to mention all the former AOL idiots that were the scourge of the groups.

Re:Google Groups must DIE (0)

Anonymous Coward | more than 6 years ago | (#23007652)

Usenet is for porn. Please take your 'discussions' elsewhere. thx

Re:Google Groups must DIE (1)

1u3hr (530656) | more than 6 years ago | (#23007826)

Google is one of the biggest culprits in the utter destruction of the highest traffic Usenet discussion newsgroups. The volume of spam that comes from those servers is ridiculous, not to mention all the former AOL idiots that were the scourge of the groups.

And almost as bad, if you use Google Groups to read and post, you see a great swamp of spam -- much of it FROM Google Groups accounts - (EG, take a look at comp.programming [google.com] ) over recent weeks. Many ISPs no longer provide NNTP servers, Google Groups is pretty much the default way to access usenet now. But the interface sucks so much, most egregiously in the inability to filter spam out of either the feed as a whole, or even on an individual (killfile) basis. Every real NNTP service devotes much effort to keeping spam out of their feed, and stopping users from sending it. Google makes no attempt to do either, and not only spoils their own service but poisons the feed for anyone who accepts their messages. I can't even find a way to communicate with Google about this -- their help groups are populated solely by users complaining or advising each other. Most complaints about usenet are met by Google fanboys saying that usenet is dead, get over it.

It looks very like Google is doing the embrace (buy Deja News) extend (promoting their own web-based discussion groups), and now extinguish (by allowing free rein to spammers on usenet).

So personally I now only use Google Groups to search, and have found a free Usenet host and fire up Forte Agent for participating.

Re:Google Groups must DIE (1)

STrinity (723872) | more than 6 years ago | (#23007902)

And on top of that, their Usenet archive has been getting worse and worse ever since they acquired it from DejaNews. Trying to find old messages is a PITA.

Dear Google, (1)

spacefiddle (620205) | more than 6 years ago | (#23007638)

Re: "do no evil."

"All that is required for evil to prevail is for good men to do nothing." -- Edmund Burke

Is this some kind of inevitable, organizational entropy that accumulates as companies become larger and more ambitious - or is that just what growing, influential orgs tell themselves once they realize they like being growing, influential orgs?

Either way, it's disappointing.

Change the slogan (0, Redundant)

pcause (209643) | more than 6 years ago | (#23007660)

I guess the slogan needs to change from "Do no evil" to "Do nothing about the evil".

Not Gmail... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23007726)

Or at least, it's correctly refusing to accept mail for accounts that don't exist at my domain. (We're using Gmail for corporate email.)

So it's googlegroups.com and blogger.com, but not Gmail? Interesting.

Fishing, maybe... but do spammers really care? (1)

iceT (68610) | more than 6 years ago | (#23007744)

I don't think most spammers are trying to validate addresses. They find some open relay, and then unleash millions of addresses on it. If you don't believe me, create a generic mailbox somewhere. bill@somedomain.com, and see how long it takes to get spam. Especially if there is another mailbox on that domain that is already receiving spam.

Now, I do believe hackers would want to get valid addresses, to get valid login information, or get bank login information, etc.

Spammers are about bulk. They play the odds. Millions sent, hundreds of thousands delivered, thousands read, and hundreds not deleted, and tens invoked.

Simple Solution (0, Troll)

PPH (736903) | more than 6 years ago | (#23007746)

The Google domains are being blacklisted by various e-mail and Usenet admins.

To all of the legitimate Gmail users, sorry about that. We won't be receiving your messages. Perhaps it's time to move on and find a better service.

Note to my stockbroker: Sell my Google.

Qmail has done this for years (1)

SailorFrag (231277) | more than 6 years ago | (#23007886)

This sort of behaviour is nothing new. qmail accepts all mail immediately and then if it bounces, generates its own bounce message and sends it back to the envelope sender. Relays, by necessity, do the same thing too. OK, so it would be nice if Google could reject the messages right away, but accusing them of being evil because of this is a huge stretch.

It is not that easy.... (4, Interesting)

gweihir (88907) | more than 6 years ago | (#23007930)

There are three possibilities for email to non-existent addresses: Silent drop, initial bounce and delayed notification. All have problems.

If the sender address is legitimate, but a relay is in the transmission chain, you have only bad choices: Silent drop may cause problems for legitimate emails. Initial bounce causes the observed problem, once removed and with real-time characteristics. The observed delayed notification behavior at least has the advantage that you can control the rate these messages are outgoing. A good strategy would be to initially send one of these and then accumulate these per sender messages over, say 24h and send only one further notification per day. Incidentally, this strategy is something known to most people that ever implemented automatic notification emails on system failures...

I think there is just no good way to deal with this issue, as long as open, badly configured relays are around. It is also quite possible that the gmail designers never anticipated this and are not readily able to respond in an adequate fashion (see the 24h accumulation, e.g.). That would possibly indicate a lack of competent security people involved in the design process. As these people are scarce everywhere, Google will also likely not have enough of them.

On my own mailservers (small), I use silent drop for relay requests (which is definitely a good idea) and "drop into spambox" for unknown destinations. I look over these occasionally, and I have found legitimate email in there.

I do agree that initial bounce sounds like the right strategy, but unfortunately it does have serious problems.
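
Added example (not part of the comment above, and not code from any mail server): a sketch of the "one notification, then accumulate per sender over 24h" strategy that comment describes, for a server that has already accepted mail it cannot deliver. The class name, addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict

WINDOW = 24 * 3600  # seconds; the "say 24h" accumulation period from the comment


class NdrThrottle:
    """Limit non-delivery notifications to one per envelope sender per window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_sent = {}               # sender -> time of last notification
        self.pending = defaultdict(list)  # sender -> failed recipients being held

    def record_failure(self, sender, failed_rcpt, now):
        """Return a notification to send immediately, or None if it is held."""
        last = self.last_sent.get(sender)
        quiet = last is None or (
            now - last >= self.window and sender not in self.pending
        )
        if quiet:
            # First failure for this sender (or first after a quiet window).
            self.last_sent[sender] = now
            return {"to": sender, "failed": [failed_rcpt]}
        self.pending[sender].append(failed_rcpt)
        return None

    def flush(self, now):
        """Run periodically: emit one digest per sender whose window has elapsed."""
        digests = []
        for sender in list(self.pending):
            if now - self.last_sent[sender] >= self.window:
                digests.append({"to": sender, "failed": self.pending.pop(sender)})
                self.last_sent[sender] = now
        # Forget senders that stayed quiet for a full window, to bound memory.
        stale = [s for s, t in self.last_sent.items()
                 if now - t >= self.window and s not in self.pending]
        for sender in stale:
            del self.last_sent[sender]
        return digests


def simulate(failures=1000, spacing=3):
    """Constructed load: many undeliverable messages sharing one forged sender."""
    throttle = NdrThrottle()
    sent = []
    for i in range(failures):
        note = throttle.record_failure(
            "victim@example.net", "guess%d@example.org" % i, now=i * spacing
        )
        if note:
            sent.append(note)
    sent.extend(throttle.flush(now=WINDOW - 1))  # window not over: nothing sent
    sent_before_window_end = len(sent)
    sent.extend(throttle.flush(now=WINDOW))      # one digest for everything held
    return sent_before_window_end, sent


if __name__ == "__main__":
    early, sent = simulate()
    print("notifications in first 24h:", early)
    print("total notifications:", len(sent), "for 1000 failed deliveries")
```

The owner of the forged address still receives mail it never asked for, only far less of it; the throttle limits volume and does not remove the backscatter.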

Secondary MX hosts declared bad! Film at 11. (1)

renbear (49318) | more than 6 years ago | (#23008010)

I don't get this article, I really don't. When mail arrives for a domain, and the main mail server for the domain is unreachable, it is supposed to be sent to the lower-priority MX hosts for that domain. They are required to accept it, and forward it to the primary MX for the domain once it becomes available. That's how MX records are supposed to work.

Let me repeat that: they are required to unconditionally accept mail for the domain. So, unless I am missing something here, every single secondary mail host on the Internet should exhibit the behaviour mentioned in the article.

If I'm wrong, or I've missed something, please by all means correct me. But this really seems like a tinfoil-hat tempest in a teapot. Since when is it considered bad form to send a NDR?

Re:Secondary MX hosts declared bad! Film at 11. (2, Informative)

schon (31600) | more than 6 years ago | (#23008056)

Let me repeat that: they are required to unconditionally accept mail for the domain.
Bull. Fucking. Shit.

Please show me the RFC that states you must accept email for addresses that you know are invalid.

There is *NO* such rule. If your backup MX blindly accepts mail for every address, then it is broken. Backup (actually *any*) MX should only accept mail that it knows (or has good reason to assume) it can deliver.

If I'm wrong, or I've missed something, please by all means correct me.
Please consider yourself corrected.

Since when is it considered bad form to send a NDR?
Mu. It's bad form to send an NDR when you shouldn't have accepted the mail in the first place - which is the problem here.

Re:Secondary MX hosts declared bad! Film at 11. (1)

renbear (49318) | more than 6 years ago | (#23008228)

How is my secondary or tertiary MX host supposed to know which addresses I will accept? Mind reading? If it's not accepting *@mydomain.com, then there's a problem. That would be broken.

I'm talking about external, off-site backup MX hosting here. I don't see how they'd have access to a user list, especially if the primary server is down or unreachable.

We block hosts that send backscatter (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23008152)

We run the WPBL [wpbl.info] blocklist, which is a small but relatively well established blocklist service.

Our policy is to treat backscatter as spam, and we do block some hosts due to this backscatter. Google's mail servers are whitelisted at our service, as are other major ISPs, so realistically Google would not get blocked.

However, there are many minor mail servers on the internet that constantly spam us with backscatter, and these hosts do get blocked. Some of our members receive thousands of backscatter spam messages daily. In the last few days, in fact, there has been a flood like we've never seen before, mailbombing all coming from mail server backscatter.

If you run a mail server, I encourage you to study and understand backscatter. Unless you have put measures in place to avoid being part of the problem, I can virtually guarantee you that you are sending out backscatter. Go right now and run a quick mailq and see if there are a lot of mailer errors in your queue to fake addresses... if there are, you are sending backscatter. It is very common, and very annoying. It is preventable with the right configuration. I have argued this with plenty of admins, but I guarantee you that you can avoid sending backscatter with a proper configuration.

Backup and secondary MX hosts do not have to be vulnerable by design. Solutions: 1) distribute valid recipient lists to MXs and reject mail at the correct transaction, or 2) check and respect SPF for the sender, or 3) run an anti-spam filter, check heuristics, and only send back mailer errors on high confidence ham.
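The three mitigations listed in the comment above, sketched as an added example (not part of the original comment and not any mail server's own code): a backup MX holding a synced recipient list refuses unknown users at RCPT time, and one without the list checks SPF and spam score before bouncing. The domains, addresses, scores, threshold and mode names are constructed for illustration.

```python
# Added example; addresses, SPF results and scores below are constructed sample data.
RELAY_DOMAINS = {"example.org"}
# Recipient list synced from the primary MX (solution 1 in the comment).
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}

def rcpt_reply(rcpt):
    """SMTP reply a backup MX gives to RCPT TO when it holds the recipient list."""
    addr = rcpt.strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or domain not in RELAY_DOMAINS:
        return 550, "5.7.1 Relaying denied"
    if addr not in VALID_RECIPIENTS:
        # Refused inside the SMTP transaction: the connecting client owns the
        # failure, so this host never mails an NDR to the envelope sender.
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 OK"

def should_send_ndr(spf_result, spam_score, threshold=1.0):
    """Solutions 2 and 3: bounce only to an SPF-verified sender of likely ham."""
    return spf_result == "pass" and spam_score < threshold

def ndr_targets(attempts, mode):
    """Envelope senders that receive an NDR from this host under each policy."""
    targets = []
    for mail_from, rcpt, spf_result, spam_score in attempts:
        undeliverable = rcpt_reply(rcpt)[0] != 250
        if not undeliverable or mode == "rcpt_check":
            continue  # delivered, or already refused at RCPT time
        if mode == "accept_all" or should_send_ndr(spf_result, spam_score):
            targets.append(mail_from)
    return targets

# Constructed traffic: a dictionary run with a forged sender, plus one real typo.
ATTEMPTS = [
    ("victim@forged.example", "aaron@example.org", "fail", 7.5),
    ("victim@forged.example", "abby@example.org", "fail", 8.1),
    ("victim@forged.example", "alice@example.org", "fail", 7.9),
    ("carol@partner.example", "bbo@example.org", "pass", 0.2),
]

if __name__ == "__main__":
    for mode in ("accept_all", "rcpt_check", "filtered_ndr"):
        print(mode, ndr_targets(ATTEMPTS, mode))
```

Under `rcpt_check` the legitimate sender with the typo still learns of the failure, because her own outbound server receives the 550 and reports it to her.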