[ietf-dkim] discardable means discardable

John Levine johnl at iecc.com
Sat Feb 23 17:44:49 PST 2008


> The discarding of email is one of the key causes of some significant
> loss of trust in email as a reliable means of communication.

Since I invented the term "discardable" perhaps I should explain why I
mean discardable when I say discardable.

There is a common meme that discarding mail is always bad.  But
generating and delivering bogus mail is just as bad, because nobody
can find the real mail in a mountain of spam.  Every day I get
feedback loop "spam" reports for what is clearly real mail from a real
person sent to a real recipient.  But the recipient's eyes glazed over
at all the spam in the inbox, and they discard the real mail along
with the spam.  Keep that in mind.

I'm not sure how many people here other than Mike Hammer and me have
direct experience running a heavily phished domain, so here's a report
from the trenches.  I run abuse.net, a tiny little domain that manages
a reporting address database.  On a busy day there might be 100
outbound messages with abuse.net return addresses, but due to some
eastern European spammers with a strange sense of humor, every day I
get 400,000 bounces, out of office, and other blowback.  That's the
reality of a phish target -- the fake mail vastly exceeds the real
mail, by orders of magnitude.  I don't know the absolute numbers for
Paypal and the various banks, but I'm confident that they are in the
same situation at even larger scale, way more fake than real mail.

That's why when I say discardable, I really mean it.  When I upgrade
my MTA to sign all of abuse.net's mail, I will really want you to
throw away unsigned mail.  Not reject, not bounce, not send a DSN,
just THROW IT AWAY.  Even if you carefully do your filtering and
reject at SMTP time, enough of the MTAs that see your reject will turn
it into a bounce that I'll still be inundated with junk bounces for
mail I didn't send.  (Hmmn, large numbers of similar messages I didn't
ask for and don't want.  Don't we have a name for that?)

I have some fairly effective heuristics to identify the bogus bounces,
but they're not 100% accurate, which means that with all the noise, I
lose some of my real bounces as well.  Who benefits from that?

If you aren't in this situation, vastly more fake mail than real mail,
discardable doesn't apply to you.  If you see the occasional bounce
blowback, or even the occasional burst of a few hundred blowbacks,
it still doesn't apply to you.  Really.

I entirely agree that for normal mail, you should reject it if you
don't deliver it so that the real person (or perhaps the real ESP) who
sent it can do something useful with the info.  But this situation is
different -- the bad mail is not from real senders, the forged sender
is already acutely aware that there's a lot of forgery, and any
response will just increase the noise.

People do need guidance on discardable, but the guidance is pretty
simple:

A) If you're not sure whether discardable applies to you, it doesn't.

B) If you're fairly sure that discardable applies to you, it still
probably doesn't.

C) If a heavily phished domain asks you to throw away the apparent
forgeries, do the world a favor and take their advice.

R's,
John



More information about the ietf-dkim mailing list