[sf-lug] SMTP - spam - accept and discard?

[Rick Moen]

Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> One line of argument is that by accepting all - and discarding rather
> than bouncing or rejecting spam - most notably targeted to invalid
> e-mail addresses, by accepting - rather than rejecting - one then
> doesn't tell the spammers which e-mail addresses are invalid - and
> thus also - by not rejecting others, let them then also know which
> e-mail addresses are valid.  It's a semi-weak argument, as it has its
> various downsides too.

Among them is the fact that anyone who thinks valid e-mail addresses
can be hidden from spammers for more than trivial periods of time is
kidding himself/herself.  This has long been established by (e.g.) the
prevalence of MS-Windows worms that harvest addresses from desktop
users' Web browser caches and read address books via MAPI calls -- among
other methods.

I personally refuse to hide from spammers, and haven't for over a decade
taken seriously any tactics that rely on doing so.  There was a time
when that argument seemed to make sense, but it hasn't for a very long
time.

> Another scenario where "accept all" (and discard spam) is more legitimate,
> is in many types of more security hardened environments.

True.  The absolute minimal security exposure profile entails having
absolutely minimal SMTP code answering the socket and accepting mail,
eschewing all attempt at intelligent mail handling during SMTP time.

You can often, there and elsewhere, harden security-sensitive software
by making it dumber (more specifically, reducing functionality and code
complexity).  What you lose, of course, is functionality.

It should be stressed, in any event, that "complex MTA logic" hooked
into the SMTP conversation does not _need_ to run with high privilege --
and shouldn't.  For example, my setup with the Exim MTA runs with system
privilege only an extremely small amount of code that then drops
privilege, and there's a call to SpamAssassin spamd to measure spamicity
of incoming mail during the ongoing incoming SMTP session, but the spamd
instances don't run privileged, either.

> For better, or worse, some/many quite large providers use accept and discard
> on invalid e-mail addresses.

For better or worse, some/many quite large providers have objectively
_abysmal_ policies and practices.  I need only point out, for example,
that a large fraction of them still run BIND8, which is horrendously
vulnerable to cache poisoning among other attack vectors, and makes a
large portion of the world's DNS susceptible to fraud.  If you haven't
yet read Dan Kaminsky's analyses of this problem, you should.

On the evidence, the large providers do these sorts of things because
they're cheap, lazy, and inertia-driven, not because they're smart.