Security Incidents mailing list archives

Re: NDR +Hotmail & MSN


From: David Pick <D.M.Pick () qmul ac uk>
Date: Sat, 07 Aug 2004 23:57:20 +0100

Hoover, James A (EIS, Corp) wrote:
I'm troubleshooting a problem which I believe is related to how Hotmail and
MSN handle NDR responses.  I cannot get the problem resolved through
Hotmail's normal channels of just shunting customers to a web page to see if
they are blacklisted.  Can anyone provide a contact at Hotmail's or MSN's NOC
offline of this mailing list?  I might just name my 2nd born after anyone
who does (too late for the 1st born - but I can consider a name change if
necessary :o).  Additionally, if anyone knows how Hotmail/MSN/WebTV respond
to NDRs (that are in response to spam from those domains), I'm very
interested.
Thanks in advance for any help,

Not at all sure it's much help, but we had a problem recently where
some kind soul sent us a whole slew of EMail messages to addresses
in our domain with the user names fairly obviously taken from some
dictionary (a few were valid, most were not). The "From" addresses
were randomly-generated "hotmail" addresses. We currently operate a
system where we try to return a "helpful" message to the sender
by looking up half-way plausible but unknown EMail addresses in
the site directory and giving enough information to enable the
sender to choose a valid address from those which sound like the
one they gave. Unfortunately we accept the message before we do
this and send the response as a "bounce report" from us. The result,
of course, is a stream of messages to various invalid "hotmail"
addresses all from us ... so they block us.

Following advice from our local CERT, the only action we took
was to delete the "bounce" reports that were building up in our
queues (because "hotmail" were no longer accepting messages).
They started again after about 3 days and by then the messages
still in our queues were (mostly) valid ones so we did not get
blocked again...

As I understand it the actions at "hotmail" are automatic and
it is difficult to release such blocks "by hand" early. OTOH
only our normal EMail servers were blocked, so if we had really
cared very much we could have changed the IP addresses of the
servers so the new ones would not have been blocked.

Longer term, since this sort of thing will become more common,
we'll have to change our EMail system to reject invalid local
addresses before accepting the message, which means our "bounce"
reports will have to be generated by the site trying to send the
message to us and hence *we* won't get blocked. Unfortunately
it also means that the reports will have to be less useful to
real people. Sigh.

--
        David Pick
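The two delivery policies David describes, as an added example that is not part of the original thread: a toy SMTP envelope handler that either accepts RCPT TO for any plausible local user and later generates its own "helpful" bounce (the backscatter that got the site blocked), or checks the directory while the sending MTA is still connected and answers 550 at RCPT TO, so the sender's MTA owns the bounce and nothing is ever sent to the forged hotmail address. The local domain, the directory contents, the did-you-mean lookup and the sample sessions are all constructed for the example; the 5xx text is the only place the "helpful" hint survives in the reject-at-RCPT policy, since sending MTAs normally copy the remote diagnostic into the DSN they generate.

```python
"""Toy SMTP recipient-validation policies: accept-then-bounce vs. reject-at-RCPT.

Added example, not code from the original mailing-list post. The domain,
directory, addresses and sessions below are constructed for illustration.
"""
import difflib
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.ac.uk"                 # assumed local domain
DIRECTORY = {"d.pick", "j.smith", "a.jones"}   # constructed site directory

ACCEPT_THEN_BOUNCE = "accept_then_bounce"      # old policy: we originate the bounce
REJECT_AT_RCPT = "reject_at_rcpt"              # new policy: sending MTA originates it


@dataclass
class Outcome:
    replies: list = field(default_factory=list)         # SMTP replies sent to the client
    queued_bounces: list = field(default_factory=list)  # bounces *this* server would send


def suggest(localpart):
    """Near matches from the directory, the 'valid addresses which sound like' hint."""
    return difflib.get_close_matches(localpart, sorted(DIRECTORY), n=3, cutoff=0.6)


def local_part(addr):
    """Return the local part if addr is in our domain, else None (would be relaying)."""
    user, _, domain = addr.lower().rpartition("@")
    return user if domain == LOCAL_DOMAIN else None


def handle_session(sender, recipients, policy):
    """Simulate MAIL FROM / RCPT TO / DATA for one inbound message.

    sender is the envelope sender (MAIL FROM); "" is the null reverse-path
    that bounces themselves carry, which must never be bounced again.
    """
    out = Outcome()
    out.replies.append(f"250 2.1.0 <{sender}> sender ok")
    accepted = []
    for rcpt in recipients:
        user = local_part(rcpt)
        if user is None:
            out.replies.append(f"550 5.7.1 <{rcpt}>: relay not permitted")
            continue
        if user in DIRECTORY or policy == ACCEPT_THEN_BOUNCE:
            # Old policy accepts anything in-domain and sorts it out later.
            out.replies.append(f"250 2.1.5 <{rcpt}> recipient ok")
            accepted.append(user)
        else:
            # New policy: refuse now, while the sending MTA is on the line.
            hint = ", ".join(f"{s}@{LOCAL_DOMAIN}" for s in suggest(user))
            msg = f"550 5.1.1 <{rcpt}>: user unknown"
            if hint:
                msg += f"; did you mean: {hint}"
            out.replies.append(msg)
    if accepted:
        out.replies.append("250 2.0.0 message accepted for delivery")

    if policy == ACCEPT_THEN_BOUNCE and sender:
        # Post-acceptance lookup: every unknown user becomes a bounce we send
        # to whatever (possibly forged) address was in MAIL FROM: backscatter.
        for user in accepted:
            if user not in DIRECTORY:
                out.queued_bounces.append({
                    "to": sender,
                    "unknown": f"{user}@{LOCAL_DOMAIN}",
                    "suggestions": suggest(user),
                })
    return out


if __name__ == "__main__":
    forged = "x7q9b2@hotmail.com"   # constructed, randomly-generated-looking sender
    rcpts = [f"d.pick@{LOCAL_DOMAIN}", f"dpick@{LOCAL_DOMAIN}", f"zzzz@{LOCAL_DOMAIN}"]
    for policy in (ACCEPT_THEN_BOUNCE, REJECT_AT_RCPT):
        o = handle_session(forged, rcpts, policy)
        print(policy, "-> bounces we originate:", len(o.queued_bounces))
        for line in o.replies:
            print("   ", line)
```

Under the old policy the dictionary attack turns every unknown name into a message from us to hotmail.com; under the new one the same session produces two 550 replies and no outbound mail at all, and a message that arrives with a null sender is never bounced under either policy.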
