Blank emails - RFC2821

Chris Fortune cfortune at telus.net
Sat Jun 12 00:59:46 CEST 2004


550 rejections for malformed email have been debated for many years, and we are continuing the tradition: "to reject or deliver, that
is the question."  You are right, Tom, that "user not found" is not right, and not supported by the RFCs.   To equivocate, I think
it is fair that a blank email should be issued a "permanent failure" rejection of the correct type.  ISPs can use RFC 550 5.7.1 "Go
Away" to indicate that the ISP is intentionally rejecting the delivery of an email that is thought to be in violation of the list
hygiene policies indicated herein.


RFC2821:
...
7.7 Scope of Operation of SMTP Servers

   It is a well-established principle that an SMTP server may refuse to
   accept mail for any operational or technical reason that makes sense
   to the site providing the server.  However, cooperation among sites
   and installations makes the Internet possible.  If sites take
   excessive advantage of the right to reject traffic, the ubiquity of
   email availability (one of the strengths of the Internet) will be
   threatened; considerable care should be taken and balance maintained
   if a site decides to be selective about the traffic it will accept
   and process.

   In recent years, use of the relay function through arbitrary sites
   has been used as part of hostile efforts to hide the actual origins
   of mail.  Some sites have decided to limit the use of the relay
   function to known or identifiable sources, and implementations SHOULD
   provide the capability to perform this type of filtering.  When mail
   is rejected for these or other policy reasons, a 550 code SHOULD be
   used in response to EHLO, MAIL, or RCPT as appropriate.
...

http://www.faqs.org/rfcs/rfc2821.html

This points to the need for good Directory Harvest Attack detection software, so that senders can be rejected BEFORE the DATA
command.  Can anybody recommend some?

Has anybody tried Bayesian classification of just the mail header EHLO, MAIL, RCPT, Received:, and IP information?



----- Original Message -----
From: "Tom Anderson" <tanderso at oac-design.com>
To: "bogofilter" <bogofilter at bogofilter.org>
Sent: Friday, June 11, 2004 3:14 PM
Subject: Re: Blank emails


> On Fri, 2004-06-11 at 05:34, Peter Bishop wrote:
> > So I guess the lack of a Subject line might be sufficient to detect
> > such probes.
> > "Proper" emails should have a Subject line - even if the sender
> > forgets to fill it in.
>
> That is by no means a given.  The RFC does not make a subject line
> required... it is explicitly optional.  It is supposed to have either a
> "To", a "CC" or a "BCC" though, so you could reject it on that basis, but
> I'm not even sure that's appropriate.
> http://www.faqs.org/rfcs/rfc2822.html
>
> I would just reject it because it has no body.  I haven't heard of any
> specification that allows you to say that the user doesn't exist based on that though.
>
> Tom
>
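One way to do the pre-DATA rejection asked about above, as an added example that is not part of the original thread or of bogofilter: count distinct unknown recipients per client IP in a sliding window and switch that client to a 550 5.7.1 policy reply at RCPT time. The class name, window, threshold, reply texts and sample addresses are all assumptions made for this sketch.

```python
from collections import defaultdict, deque

POLICY_REPLY = "550 5.7.1 Rejected by policy"   # reply text is constructed
UNKNOWN_REPLY = "550 5.1.1 User unknown"        # reply text is constructed
OK_REPLY = "250 2.1.5 OK"

class HarvestDetector:
    """Per-client-IP count of distinct unknown recipients in a sliding window."""

    def __init__(self, valid_recipients, window=600, limit=5):
        # window (seconds) and limit are assumed values, tune per site
        self.valid = {r.lower() for r in valid_recipients}
        self.window, self.limit = window, limit
        self.misses = defaultdict(deque)          # ip -> deque of (timestamp, address)

    def blocked(self, ip, now):
        q = self.misses[ip]
        while q and now - q[0][0] > self.window:  # drop misses older than the window
            q.popleft()
        # Distinct addresses: one retried typo is not a dictionary walk.
        return len({addr for _, addr in q}) >= self.limit

    def on_rcpt(self, ip, rcpt, now):
        """Return the SMTP reply for one RCPT TO, decided before DATA."""
        rcpt = rcpt.lower()
        if self.blocked(ip, now):
            # Same answer for valid and invalid addresses, so a blocked
            # client learns nothing more about which mailboxes exist.
            return POLICY_REPLY
        if rcpt in self.valid:
            return OK_REPLY
        self.misses[ip].append((now, rcpt))
        return UNKNOWN_REPLY

def replay(events, detector):
    """Feed (timestamp, client_ip, rcpt) tuples through the detector."""
    return [detector.on_rcpt(ip, rcpt, ts) for ts, ip, rcpt in events]

# Constructed sample: one ordinary sender and one client walking a name list.
GUESSES = ["aaron", "abby", "adam", "alice", "amy", "andy", "anna"]
SAMPLE_EVENTS = (
    [(0, "198.51.100.7", "alice@example.org")]
    + [(10 + i, "192.0.2.66", f"{n}@example.org") for i, n in enumerate(GUESSES)]
    + [(400, "198.51.100.7", "bob@example.org")]
)

if __name__ == "__main__":
    det = HarvestDetector({"alice@example.org", "bob@example.org"})
    for event, reply in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, det)):
        print(event, "->", reply)
```

In the sample the guessing client is answered with 5.1.1 until its fifth distinct miss, after which every RCPT from it gets the 5.7.1 policy reply until the window expires.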
