
List:       ntsecurity
Subject:    [NTSEC] Bounce test...  READ but DO NOT reply to this message!!!
From:       Bounce Test - Do Not Reply <bounce () iss ! net>
Date:       1997-08-31 16:30:10

	#### WARNING #### DO NOT REPLY TO THIS MESSAGE ####

	The return address on this message goes to a program which will
take the responding addresses from any list it is subscribed to at
iss.net!  If you have a vacation program responding to your mail - YOU ARE
TOAST and will have to resubscribe.

	PLEASE! - DO read this message.  Address comments, recommendations,
or complaints to me at mhw@iss.net.  There are some particular warnings at
the bottom.  Even if you skip the explanations in the middle, please read
the remarks about mail exploders and those about Microsoft Exchange at
the end!  This message is somewhat longish so if you don't want to read
a bunch of administrative crap, just skip down to the line identifying
important remarks and ignore the rest.  Future messages of this type will
be MUCH shorter!  :-)

	From a recent message from aleph1@dfw.net it's become apparent
that there is a whole class of mail failures I have not been checking
for and cleaning up.  This message is round 1 to attempt to address
these problems.  Rounds 2 and 3 are in the works and more announcements
will follow.

	My deepest thanks and appreciation to ALEPH1 for bringing this to
my attention.  Somehow I just overlooked this.  This was my fault.  I rarely
post to this list (and I'm sure that most of you hope I post as infrequently
as possible since it's almost always administrative).  The bounces that I
had gotten back simply got lost in the noise of the hundreds of messages I
get each day.

	Problems are that different mail packages have been doing different
things when reporting an error.  Most send errors back to the "Sender:"
which is typically the list owner (owner-ntsecurity in this case).  Some
send them back to other addresses at this site.  These I manage to catch
and in most cases I can clean up and torch the offending party.  But, of
course, these are not the ones you, as subscribers ever see.

	Some mailers attempt to send errors back to the list where I have a
variety of filters in place to intercept and process those.  There have been
some notable recent failures which have slipped by those filters and I've had
to modify the filters where possible.  In a couple of recent cases I couldn't
filter them out.  I had to block their site (what I refer to as a hostile site
list).  These, you will occasionally see until I have a chance to act
on the problem.  This can take a day or two and messages in the queue may
take a couple of days to trickle out.

	The third category is something I had not thought of before and
what I am trying to address with this message.  Some mailers are apparently
sending error messages back to the "From:" or "Reply-To:" address and
are not coming back here at all.  The only way for me to detect and
eliminate these addresses is by a periodic posting to the list and
capturing the return messages.  This is the first, but will NOT be the
last of such messages.  I will attempt to make them as infrequent and
unobtrusive as possible.

	This message is being posted from "bounce@iss.net" an address
specifically set up to catch bounce messages to this message.  There is
certainly a potential for abuse of this address and I will be attempting
to watch it closely.

	==== Important remarks from here down ==== Please read ====

	Messages coming into bounce@iss.net will result in the removal of
the offending address from all lists at iss.net!

	This is a LOT more complicated than it sounds.  Not all mailers
properly identify the address that they are bouncing mail for.  Most
particularly, Microsoft Exchange is probably the worst.  E-Mail bouncing
back from Microsoft Exchange systems is almost unidentifiable.  I am
going to be attempting to address those problems in rounds 2 and 3 where
individually addressed messages will be used.

	I also have the problem of mail exploders.  At this time there appear
to be a couple of hundred mail exploders subscribed to the list.  The mail
exploders account for well over half of the "I can't _unsubscribe_ from this
list" complaints.  Reason is simple.  They are not subscribed to this list.
They are subscribed to some other list that is remailing this list.  One
person was loudly complaining on the list that majordomo was broken
and it kept saying he wasn't subscribed to the list.  A simple examination
of one of the E-Mail messages he received showed that he was subscribed to
"hackers_lair" and that they were remailing.  I sent him to deal with
them and after a letter of appreciation back from him, none of us have
heard from him since.

	Here is MY problem...  If I get bounce messages back which identify
a Microsoft Exchange server or a mail exploder, what do I do?  If I can NOT
identify the address which is failing, I can't make a deterministic choice
as to who to torch.  Individually addressed messages will help somewhat.
In those cases where I can not determine the addressee that is failing,
I will attempt to warn all of the addresses at that site and then torch
all addresses in that domain, any subdomains, and (if a >=3rd level subdomain)
its parent domain!  Most of the unrecognizable bounces come from a system
in a subdomain of the actual E-Mail domain, so I will take out one level up
in parent domains as well (as long as it leaves me with something.com or such).
Imagine what will happen if an MS Exchange server at silly.microsoft.com
starts bouncing mail back here and I can't find anyone AT silly.microsoft.com
subscribed to any of the lists...  :-)

	Mail exploders are a real complication but in the end will be treated
the same way.  If the exploder managers can not clean up their lists on their
own, I will torch them lock, stock, and barrel.  I will send ONE warning
to the exploder and then torch it.

	I will make NO attempt to allow for or filter out vacation programs.
If you are going to use one, you better figure out how to use it right.
Set a filter rule to NOT respond to any messages with a "Sender:" of
"ntsecurity-owner@iss.net" and you will be safe.  Don't and you are off
on first offense.

	These more draconian measures are intended for rounds 2 and 3 to come.
I'm holding off on that for comments and responses from the subscribers.
I'm also going to wait and see how effective this round is before implementing
the next steps.  The further I have to take this, the more likely that
innocent bystanders will be caught up as collateral damage or someone will
discover a way to subvert or abuse this.

	I will try to, when possible, send out a single notice to addresses
which I _unsubscribe_ from this list.  But I make no guarantees of that
though...

	Thank you for your patience and forbearance.

	Regards,
	Mike
--
Michael H. Warfield                 | Voice: (770)395-0150
Senior Engineer                     | Fax:   (770)395-1972
Internet Security Systems, Inc.     | E-Mail:  mhw@iss.net  mhw@wittsend.com
41 Perimeter Center East, Suite 660 | http://www.iss.net/
Atlanta, GA 30328                   | http://www.wittsend.com/mhw/
                PGP Key: 0xDF1DD471   http://www.wittsend.com/mhw/pubkey.txt
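
The removal rule the message describes for bounces whose failing address cannot be identified, as an added example that is not part of the original post or of any ISS tooling. The function names, the sample subscriber list and the small public-suffix set are assumptions; the rule is read here as "the bouncing domain, its subdomains, and addresses exactly at the parent domain", with sibling subdomains left alone.

```python
# Added example (not from the original message): compute which subscriber
# addresses fall inside the removal scope for an unidentifiable bounce.

# Constructed stand-in for a real public suffix list. Plain label counting
# would treat "co.uk" as a removable parent of "example.co.uk".
PUBLIC_SUFFIXES = frozenset({"co.uk", "com.au"})

# Constructed sample subscriber list.
SUBSCRIBERS = [
    "alice@eng.example.com",
    "bob@mx1.eng.example.com",
    "carol@example.com",
    "dave@sales.example.com",
    "erin@example.co.uk",
    "frank@mail.example.co.uk",
    "gina@other.co.uk",
]


def parent_scope(bounce_host, public_suffixes=PUBLIC_SUFFIXES):
    """Parent domain to include, or None when the host is not a 3rd-level
    (or deeper) name or when going up would leave only a public suffix."""
    labels = bounce_host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None  # already at the "something.com" floor
    parent = ".".join(labels[1:])
    return None if parent in public_suffixes else parent


def addresses_to_remove(bounce_host, subscribers, public_suffixes=PUBLIC_SUFFIXES):
    """Addresses at the bouncing domain, in its subdomains, or exactly at
    its parent domain (assumed reading of the rule)."""
    host = bounce_host.lower().rstrip(".")
    parent = parent_scope(host, public_suffixes)
    hits = []
    for addr in subscribers:
        domain = addr.rsplit("@", 1)[-1].lower()
        in_host = domain == host or domain.endswith("." + host)
        at_parent = parent is not None and domain == parent
        if in_host or at_parent:
            hits.append(addr)
    return hits


if __name__ == "__main__":
    print(addresses_to_remove("eng.example.com", SUBSCRIBERS))
    print(addresses_to_remove("example.co.uk", SUBSCRIBERS))
```

The suffix check on the domain (rather than a substring match) keeps a name such as `noteng.example.com` out of the `eng.example.com` scope.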
