Tuesday, September 05, 2006
Perhaps the solution is to disable any form of bounce back message
I awoke to a phone call from a frantic Smirk, trying to get one of our new servers under control from a deluge of email (if I sounded angry today Smirk, that's because I got up a bit early, and it took nearly two hours for me to eay my way through lunch, so let me apologize).
The end result will probaby take as long to explain as it took to handle.
The server was drowning in email being sent to nicholas@seaton.biz. We don't host the website for seaton.biz. Nor do we handle email for seaton.biz. In fact, we have nothing, nada, zip, zilch, nothing what so ever to do with seaton.biz, except for a ton of email trying to be delivered to nicholas@seaton.biz from our server.
Got that?
Read that paragraph again.
Good.
Now, why were we trying to send email to nicholas@seaton.biz? Good question. At the time, the MX record for seaton.biz (which contains the address of the server(s) that handle email for seaton.biz) were resolving to 127.0.0.1.
Now, the IP address 127.0.0.1 is a special IP address—it's the “loopback” address; any network traffic sent to IP address 127.0.0.1 is sent to the box doing the sending—the data “loops back.”
So our server sent the email to nicholas@seaton.biz to IP address 127.0.0.1, which, since that's the “loopback” address, was sent right back to our server. Our server accepted the email because, hey, it has the permission to send email to itself. But since we don't host seaton.biz, or in fact, have anything to do with seaton.biz, the email got requeued up for delivery again.
Which begs the question why we were trying to send email to nicholas@seaton.biz in the first place. In checking the email logs, it seems that one “Nicholas,” who has the email address of nicholas@seaton.biz, sent a bunch of spam to all the sites on our server. And in typical spam fasion, it was sent to a whole bunch of addresses, the majority of which don't exist!
That's right. “Nicholas” here was sending email to alice@example.net, bob@example.net, carol@example.net, dave@example.net, etc. etc. with a return email address of nicholas@seaton.biz.
Now, our email server, like every other email server in existance, is configured to send an error notification back to the sender when the email address doesn't exist. So each spam that “Nicholas” sent that didn't get delivered because the destination address didn't exist created a message to nicholas@seaton.biz saying as much.
So that's why we had thousands upon thousands of messages attempting to be delivered to nicholas@seaton.biz, which, because the email server for seaton.biz was set to the “loopback” address, were being delivered right back to our server for yet another attempt at delivery.
Beautiful, huh?
Now, that's not to say that the owners of seaton.biz were the actual spammers—most likely they're not and they're the victim of a “joe job.”
So now the question is: who's doing more damage here? The original spammer “Nicholas?” Or the owners of seaton.biz when they changed their MX records to 127.0.0.1? (not that I can blame them for doing that—it keeps a bunch of useless email from being sent to them and wasting their bandwidth) And what can we do to keep this from happening in the future?
I suppose one way would be to immediately delete any email destined for a site we have nothing to do with, but with an MX record of 127.0.0.1.
Does anyone know how to get sendmail to do that?
You know, Google DOES have an incentive to spam, but not for the reason you think so
I was replying to a thread on Flutterby and about to mention how we here at The Company are this close to just shutting email off and telling customers that they can use Gmail when this weird thought just crossed my mind: Google has an insentive to spam, in order to take over everyone's email!
Now hold on!
Hear me out.
Google started archiving USENET and eventually offered an interface to it. Now, I can tell you that from an ISP point-of-view, USENET sucked. You needed gigs of space, and the server software that supported NNTP was not only a bitch to setup (much like UUCP) but also a bitch to maintain and keep running (it wasn't unusual for the server to collapse under the load of USENET, which meant finding and nuking whole portions of USENET to free up some space) and the users always bitched about how we didn't carry alt.fan.furry.disenchanted.vixen.sex.sex.sex and could we please increase the queue time for alt.sex.pictures.erotica and not delete the group every six hours, even though it could consume 75% of the disk space in six hours?
So Google taking it over meant that ISPs didn't have to anymore (okay, so there are companies that specialize in USENET, like Giganews and PowerUSENET, but free USENET access? It's Google).
And now we get to email.
Google is in a position to take over email much like it's taken over USENET. Take on the hassles (and they have the infrastructure to handle it) and slap on a decent interface (although the Gmail interface is way better than the USENET interface by far), and using the indexing and searching capabilities from the web search engine stuff, and you have a pretty compelling email engine and probably does a killer job on spam (I'm guessing—not using Gmail I can't say one way or the other).
Sure, there are companies now specializing in email (like AuthSMTP and SMTP.com) but for free email access? It's probably Google) but really, Google can make a ton of money on email, if only by selling targetted advertising on email (and hopefully, it's better than it's AdSense program) and until that point, Google can probably make a ton of money by spamming (I'm not saying Google is spamming, but that they have a nice insentive to spam).
Okay, wierd thoughs are over—back to fighting spam.
You know, setting the backup MX to 127.0.0.1 might not be such a bad idea after all …
- From
- Mark Grosberg <XXXXXXXXXXXXXXXXX>
- To
- sean@conman.org
- Subject
- Unung heroes …
- Date
- Tue, 5 Sep 2006 13:28:08 -0400 (EDT)
Hey Sean,
I just read your blog post about
seaton.biz. Good lord! What an ingenous way to XXXX things up! I never thought of setting an MX to localhost. That reminds me of the Apple mail disaster story from the UNIX haters handbook. The bounceback caused more problems. I guess in 20 years the reluctance to update E-mail software is still biting people in the ass. [HTML added —Editor]
I was thinking about this while I was shopping tonight.
The spammers are still sending spam to my MX server and about once an hour or so, my primary email server (which is my main machine here at Casa New Jersey) gets whacked with a ton of spam all at once. All my legitimate email? Comes directly to the primary MX server. Most (if not all) of the spam? Goes through the backup MX server.
Hmmmm …
It's sooooo tempting to set my backup MX record to point to 127.0.0.1.
Soooo tempting.
I think I'll keep my spam for the next 24 hours, and see just how much comes through my backup MX server, and then make that change. It'll be interesting to see how much that effects my spam.
If I break the Internet, blame the spammers.
![[The future's so bright, I gotta wear shades]](https://www.conman.org/people/spc/about/2023/1023.t.jpg "The future's so bright, I gotta wear shades")