Security Incidents mailing list archives
Re: NDR +Hotmail & MSN
From: David Pick <D.M.Pick () qmul ac uk>
Date: Sat, 07 Aug 2004 23:57:20 +0100
Hoover, James A (EIS, Corp) wrote:
I'm troubleshooting a problem which I believe is related to how Hotmail and MSN handle NDR responses. I cannot get the problem resolved through Hotmail's normal channels of just shunting customers to a web page to see if they are blacklisted. Can anyone provide a contact at Hotmail or MSN's NOC offline of this mailing list? I might just name my 2nd born after anyone who does (too late for the 1st born - but I can consider a name change if necessary :o). Additionally, if anyone knows how Hotmail/MSN/webtv respond to NDRs (that are in response to spam from those domains), I'm very interested. Thanks in advance for any help,
Not at all sure it's much help, but we had a problem recently where some kind soul sent us a whole slew of EMail messages to addresses in our domain with the user names fairly obviously taken from some dictionary (a few were valid, most were not). The "From" addresses were randomly-generated "hotmail" addresses.

We currently operate a system where we try and return a "helpful" message to the sender by looking up half-way plausible but unknown EMail addresses in the site directory and giving enough information to enable the sender to choose a valid address from those which sound like the one they gave. Unfortunately we accept the message before we do this and send the response as a "bounce report" from us. The result, of course, is a stream of messages to various invalid "hotmail" addresses all from us ... so they block us.

Following advice from our local CERT, the only action we took was to delete the "bounce" reports that were building up in our queues (because "hotmail" were no longer accepting messages). They started again after about 3 days and by then the messages still in our queues were (mostly) valid ones so we did not get blocked again...

As I understand it the actions at "hotmail" are automatic and it is difficult to release such blocks "by hand" early. OTOH only our normal EMail servers were blocked, so if we had really cared very much we could have changed the IP addresses of the servers so the new ones would not have been blocked.

Longer term, since this sort of thing will become more common, we'll have to change our EMail system to reject invalid local addresses before accepting the message, which means our "bounce" reports will have to be generated by the site trying to send the message to us and hence *we* won't get blocked. Unfortunately it also means that the reports will have to be less useful to real people. Sigh.

--
David Pick
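Added example, not part of the original post and not the site's actual mail configuration: an offline simulation of the two policies the reply describes, accepting everything and mailing a "helpful" bounce later versus refusing unknown recipients at RCPT TO. The domain, directory entries, forged sender addresses and function names are all constructed for illustration.

```python
"""Accept-then-bounce versus reject-at-RCPT, simulated offline (no network)."""
import difflib

LOCAL_DOMAIN = "site.example"                    # constructed local domain
DIRECTORY = {"alice", "bob", "carol", "dpick"}   # constructed site directory

# Constructed dictionary-style run: forged envelope senders, guessed local parts.
GUESSES = ["alice", "alan", "bobby", "carl", "dave", "zed"]
INBOUND = [(f"rnd{i}@forged.example", f"{name}@{LOCAL_DOMAIN}")
           for i, name in enumerate(GUESSES)]


def local_part(rcpt):
    """Return the lower-cased user name, or None if the domain is not ours."""
    user, _, domain = rcpt.partition("@")
    return user.lower() if domain.lower() == LOCAL_DOMAIN else None


def accept_then_bounce(messages):
    """Behaviour described in the post: accept all, look up later, mail a report."""
    delivered, outbound_queue = [], []
    for mail_from, rcpt in messages:
        user = local_part(rcpt)
        if user in DIRECTORY:
            delivered.append(rcpt)
            continue
        hints = difflib.get_close_matches(user or "", sorted(DIRECTORY), n=3, cutoff=0.6)
        # The report is NEW mail from us, addressed to whatever the sender claimed.
        outbound_queue.append({"to": mail_from, "unknown": rcpt, "suggestions": hints})
    return delivered, outbound_queue


def reject_at_rcpt(messages):
    """Planned behaviour: answer inside the SMTP session and queue nothing."""
    delivered, replies, outbound_queue = [], [], []
    for _mail_from, rcpt in messages:
        if local_part(rcpt) in DIRECTORY:
            delivered.append(rcpt)
            replies.append((rcpt, "250 2.1.5 OK"))
        else:
            # The connecting MTA owns any bounce; we never mail the forged sender.
            replies.append((rcpt, "550 5.1.1 User unknown"))
    return delivered, replies, outbound_queue


if __name__ == "__main__":
    _, queue = accept_then_bounce(INBOUND)
    print("accept-then-bounce queues NDRs to:", [m["to"] for m in queue])
    _, replies, queue = reject_at_rcpt(INBOUND)
    print("reject-at-RCPT replies:", replies, "queued NDRs:", queue)
```

Both policies deliver the same valid mail; only the first leaves the site originating one message per bad guess to an address chosen by the sender, and only the first has room for the directory suggestions.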