Ron Guilmette replied to my post,
| Look, you are trying to make an issue out of a non-issue.
No, I'm not trying to make any issues; I'm trying to understand what you said
you do.
| Notifying the local users at the open relay site is better, because they
| will complain and get action. If you notify the local postmaster, he will
| (jsut as often as not) merely scratch his <<unspecified body part>>, shrug,
| and say to himself ``Yea... I gotten get that fixed. Probably have time
| to work on it in early August.''
And obviously I didn't understand. I had the impression that you send these
notifications in reaction to mail that uses an open relay. Apparently you
do not; rather you send them in reaction to mail that originates on a site
that you know from previous deliveries to have an open relay.
| >The sender already knows that [he or she used an open relay].
When I said that, I thought that you sent the autoresponse when you get mail
that was relayed through the insecure server, so by "the sender" I meant the
party who used that hole. Now, for the first time -- or at least for the
first time that I've understood it -- you're saying you send it to local
users of an insecure server. Probably it's my fault rather than yours,
because David Shaw knew what you meant.
But how can mail that originates on a server tell you whether it runs an open
relay? I'm under the impression that it cannot, and you must know that the
originating site is insecure based on having its IP address on file from
earlier mail that it trustingly relayed but should not have. And *that* is
the type of mail for which I thought you were sending this autoresponse.
| No. 99 times out of 100, an end user at the sending site DOES NOT know
| that his local mail server is an open relay. In fact 90 times out of 100,
| then won't even know what that even means exactly.
Absolutely right. In fact, I'd say that the second sentence's "90" is a
conservative estimate.
| >... and how can you be sure you're getting
| >the real sender and not a victim of forged headers or forged envelopes?
|
| Not my problem man.
Again, I was thinking you sent this autoresponse in reaction to mail that
used the relay; I didn't understand that you sent it in reaction to mail that
originates on sites that had were on record as running open relays. My ques-
tion there applied to what I thought was the case. *Now* I understand that
it is not relevant.
| But other times spammers will try to annoy and harass some anti-spammer,
| e.g. <[EMAIL PROTECTED]> and will send out a big spam run with *this* address
| forged onto all of the envelopes.
Yup, it even happened once to a long-canceled but still forwarded address of
mine.
| Bottom line is that (as I said) you are just nit picking. This is a non-
| issue.
I wasn't nitpicking; I was asking. You read my comments in the context of
what you are actually doing because you thought I knew. In the reference
frame of what I thought you were doing, they're not so nitpicky. There's a
saying that one should never attribute to malice anything that can be ex-
plained by stupidity; please, Ron, don't attribute to nit picking something
that should be explained by thickheadedness.
| >Also, if you aren't telling the operators of the open relay that their relay
| >is open, does anybody tell them?
|
| Presumably, the local lusers will, if not immmediately, then eventually.
Yes, sure (now that I know you're telling local users). When I thought you
were telling it to misusers of the open relay, my question made sense.
| Eventually, they will get tired of rceiving the notifications whenever they
| send outgoing E-mail, and they will then bitch to the local mail system
| admin to fix the problem.
I was in that very position on an ISP where I have since, for other reasons
(they fixed their relay problems), canceled service. You are preaching to
the choir there.
Thanks for clearing up my misunderstanding.
