CASE: Clueless Anti-Spam Email
Okay, so I made up the acronym -- but I've been dealing with enough of
it lately that I think I need a shorthand for it.
I don't know if any of you have ever been "caught" by a well-
intentioned-but-not-terribly-bright automated anti-spam autoresponder,
but I am now in the process of dealing with the fallout from one of
them. Actually, *another* one of them.
<rant mode=on>
I have a subscriber on one of my mailing lists (we'll call him
"Subscriber A") whose ISP ("ISP A") has a mail server that is somewhat
misconfigured -- it reports the time zone as "-0600 (EST)". (More on
this #later.) Subscriber A posted a message to the list, which was
distributed in the normal course of events to Subscriber B at ISP B.
Now, ISP B has what it thinks is a very clever anti-spam procmail
filter: It runs down through all the well-known tests for spam, and
if a message qualifies as spam, then the filter returns the message to
the sender -- *and* to the abuse@ and postmaster@ addresses at (from
what I can see) *every* domain that it can find in the header of the
message. Which means that ISP A received a "notification" that his
subscriber was supposedly spamming (he wasn't, of course), my hosting
site received notification of a spam that was supposedly sent via one
of my mailing lists, and a third party who was CCed on the original
message *and* his ISP were notified that some unknown person somewhere
was sending spam. Oh, and did I mention that the automated anti-spam
message threatened legal action? Yeah, that's really helping to stir
things up. So now everyone *and* his ISP have been threatened with
legal action because someone's mail server is misconfigured.
No, stay there -- it gets even better.
Now, Subscriber A is completely perplexed about this, and understandably
so -- so he fires off a "WTF?" back to the sender of the anti-spam
message, ISP B. Very non-threatening, non-flaming; just requesting
some clarification so he could de-confuse himself. And he did what any
heads-up subscriber would do in that situation -- he CCed the list
owner.
So, Subscriber A's WTF message *again* trips ISP B's spam filters, and
here we go all over again, except that this time I'm being copied on
the anti-spam message, and so is my ISP. (Luckily, my ISP knows me well
enough to not go into adrenaline overdrive over something like this.)
It is being sorted out, but what really irks me is that ISP B is
refusing to admit that he has done anything wrong or that his anti-spam
filter *really* needs to have a human in the loop before any threatening
messages get sent out. He's blaming everything on ISP A's mail server
(more on that #later), and congratulating himself for having such a
clever anti-spam setup. Meanwhile, I just want to smack this guy upside
his procmail filter.
<a name="later"> Okay, the fact that ISP A's mail server is misconfigured
is bad, but is also entirely beside the point, as is the fact that the
use of time zone names ("EST", etc.) instead of numeric offsets has been
deprecated in RFC1123, and also the possible explanations why ISP A's
MTA is reporting the time zone (not to mention an invalid combination of
GMT offset and time zone identifier) in that fashion. ISP A has already
responded by fixing the problem. These things happen, but should not
result in the kind of situation that we have on our hands at the moment.
</later>
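To show what the "-0600 (EST)" combination actually does to a receiving parser, here is an added Python check (example code, not from the original post or from either ISP's setup); the sample headers and the ZONE_HOURS table are constructed for the illustration.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not taken from the original post): one consistent,
# one with the "-0600 (EST)" combination the misconfigured MTA emitted.
GOOD_HEADER = "Tue, 12 Mar 2002 10:15:00 -0500 (EST)"
BAD_HEADER = "Tue, 12 Mar 2002 10:15:00 -0600 (EST)"

# Hour offsets denoted by the RFC 822 zone names (RFC 1123 deprecates the names
# in favour of the numeric form, so a name is only ever a hint).
ZONE_HOURS = {"UT": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
              "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

_OFFSET_AND_NAME = re.compile(r"([+-])(\d{2})(\d{2})\s*\(([A-Za-z]+)\)\s*$")


def check_date_header(value):
    """Parse a Date header; return (datetime in UTC, warning or None).

    The parenthesised zone name is an RFC 822 comment: parsers ignore it and
    trust the numeric offset, so the message time stays well defined.  A
    mismatch is worth logging as an MTA misconfiguration, not treating as
    evidence of spam.
    """
    dt = parsedate_to_datetime(value)  # raises on a genuinely unparseable value
    warning = None
    m = _OFFSET_AND_NAME.search(value)
    if m:
        sign, hh, mm, name = m.groups()
        hours = int(hh) + int(mm) / 60
        if sign == "-":
            hours = -hours
        expected = ZONE_HOURS.get(name.upper())
        if expected is not None and expected != hours:
            warning = f"offset {sign}{hh}{mm} does not match zone name {name}"
    return dt.astimezone(timezone.utc), warning


if __name__ == "__main__":
    for hdr in (GOOD_HEADER, BAD_HEADER):
        when, warn = check_date_header(hdr)
        print(hdr, "->", when.isoformat(), "|", warn or "consistent")
```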
What remains is the smoothing of all the ruffled feathers -- a task that,
once again, I get to have the pleasure of handling, since ISP B refuses
to take responsibility and notify the affected parties that it was just
a false alarm and everyone can go home and get back to work.
The last time I went through the nearly EXACT situation as this one, it
took three days for everyone's blood pressure to return to normal --
and ISP B ended up blocking all mail from me to Subscriber B, and I had
to route my messages through a different listmom in order to communicate
with my own subscriber. (The good news is that this action on the part
of ISP B pissed off Subscriber B to the point that he switched ISPs. A
token move that probably was barely noticed by the ISP, but was still
gratifying to me.)
I haven't yet had my mail blocked by ISP B in this case, but he's about
as bright as the last one, so it's probably imminent. And I'm wondering
how many false alarms it will take for my ISP to drop me a note and ask
WTF is going on over there. Did I mention that this is the third such
incident in the recent past? Not all of them were misconfigured MTAs,
but the end results have been nearly identical. Someone must have posted
a notify-the-world procmail script somewhere prominent on a web site
for clue-free ISPs. Of course, the problem isn't procmail, but procmail
in the hands of idiots. Guns don't kill people, people kill people.
And while I'm <rant>ing about brain-dead anti-spam filters, I'll throw
this one into the mix: I recently went several rounds with a co-listmom's
ISP. The listmom was unable to receive bounces and certain types of list
server notifications for MONTHS -- they suddenly just dried up one day.
While not receiving bounces is not necessarily a terrible thing <g>, the
server in this case is Lyris, which handles bounces internally -- so if
we're receiving bounces, it's for a specific purpose. (Every once in a
while, a subscriber runs into problems with mail delivery, so we have to
bite the bullet and route the bounces to ourselves so we can actually
*see* what's going on. It's often the only way to deal with an ISP who's
claiming that the problem isn't at *his* end. Uh-huh.) So, in some cases,
we actually *intend* and *need* to receive bounces.
Well, after the listmom contacted his ISP, it turned out that the ISP
had come up with a really nifty way of blocking spam -- simply refuse any
message that has a null "mail from"! Pretty slick, huh? I tried throwing
RFC821 at the ISP, but to no avail. That was several months ago, and the
ISP has only recently realized the errors of his ways, and has removed
the null return-path block. Chalk one up for the good guys; only took a
few months of constant hounding.
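The null-sender block described above, beside the policy an MTA should apply instead, as an added Python illustration (example code, not the ISP's configuration or anything from the original post); the SMTP envelopes are constructed, and the one-recipient limit for null senders is the usual MTA compromise, not an RFC 821 requirement.

```python
import re

# Constructed SMTP envelopes (not from the original post).
BOUNCE = ["MAIL FROM:<>", "RCPT TO:<listmom@example.org>"]
BACKSCATTER_FLOOD = ["MAIL FROM:<>", "RCPT TO:<a@example.org>",
                     "RCPT TO:<b@example.org>"]
NORMAL_POST = ["MAIL FROM:<subscriber-a@isp-a.example>",
               "RCPT TO:<list@example.org>"]

_MAIL = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)
_RCPT = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.IGNORECASE)


def parse_envelope(commands):
    """Return (reverse_path, forward_paths); reverse_path "" is the null sender <>."""
    reverse_path, forward_paths = None, []
    for line in commands:
        if m := _MAIL.match(line):
            reverse_path = m.group(1)
        elif m := _RCPT.match(line):
            forward_paths.append(m.group(1))
    return reverse_path, forward_paths


def null_sender_block(commands):
    """The ISP's rule from the post: refuse every null reverse-path.

    This also refuses every legitimate bounce and DSN, which RFC 821 requires
    to be sent with MAIL FROM:<>, so the listmom never sees them.
    """
    reverse_path, _ = parse_envelope(commands)
    return "250 OK" if reverse_path != "" else "550 null sender refused"


def bounce_aware_policy(commands):
    """Accept <> as the RFC requires, but refuse a null sender fanned out to
    several recipients: a real bounce has one recipient, and a null-sender
    message addressed to many is the backscatter pattern worth stopping."""
    reverse_path, forward_paths = parse_envelope(commands)
    if reverse_path == "" and len(forward_paths) > 1:
        return "550 null sender with multiple recipients refused"
    return "250 OK"
```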
</rant>
Well, that's about it. Thanks, I feel better now; I guess I can go back
to smoothing the feathers in this latest mess without going unnecessarily
ballistic on people who really genuinely deserve it.
Meanwhile, what we really need is an I.Q. test for ISPs ...
__________________________________________________________________________
Vince Sabio Boy & His Sabre: <http://www.insane.net/tsc/Vince/>
[EMAIL PROTECTED] Stop Internet Spam! <http://www.cauce.org/>