Its friday. So instead of scaring everybody with an emergency patch you need to apply, let me "editorialize" a bit so you have something to think about over the weekend.
I have long wondered where e-mail is going these days. For me personally, the business value of e-mail has certainly become small. I run various anti-spam techniques, and setup an "important" inbox with e-mail from people I regularly correspond with. But good luck to get my attention if your e-mail ends up in my generic "inbox".
So I just read about DynDNS dropping "Non Delivery Reports". In short, if you are using their service, and your e-mail bounces, you may not hear about it. This is actually something I started doing a long time ago, and it worked fine so far. I don't actually expect my e-mail to go anywhere in the first place. If I don't get a response, I will just try again in a could days, or well, by then another project came up and the original e-mail didn't matter that much anyway.
I am a bit mixed about if I should send NDRs from my mail server or not. The random spammers certainly create a lot of them. But then again, I may as well tell them that 'firstname.lastname@example.org' doesn't exist. Maybe they will stop.
Of course, there are RFCs that regulate these things. But the SMTP RFCs are broken in the sense that they don't have a meaningful way to fight spam. Otherwise, we wouldn't have so much spam.
Other rules I considered or tried in the past:
- greylisting. Works ok, but still.. too much spam. And I lost some important e-mail that way. For example, one of the airlines I fly with wasn't able to send me a receipt.
- only accept PGP signed e-mail. That wouldn't actually do much for spam. They could sign it. But they don't. However, neither do valid e-mail sender.
- turn off my mail server. Wowo... a 90% accurate spam filter. But well, the other 10% is why I bother with e-mail in the first place.
I will setup a poll shortly to collect your opinion about this.
Just a quick update: When I am talking about "turning off NDRs", I am not talking about turning off 550 errors on the SMTP level. That may still be a good idea if you don't mind people enumerating your accounts.
I will be teaching next: Defending Web Applications Security Essentials - SANS Brussels September 2019
Aug 24th 2007
1 decade ago