Re: [tlug] [slightly OT] SMTP and the internet, protocols and the internet

[Christian Horn <chorn@example.com>]

On Wed, Jan 13, 2021 at 01:32:45PM +0900, Stephen J. Turnbull wrote:
> Christian Horn writes:
> 
>  > I guess it's just to increase chances of reaching someone in case 
>  > there are complaints about mails from my domain.
> 
> Uuuuuuhhhhh RFC 2142 (https://www.ietf.org/rfc/rfc2142.txt)
> 
> Here is the requirement statement.  Note that "must" is just as
> mandatory as "MUST" -- the convention of capitalizing is just a way to
> make it easy to spot requirements statements.
> 
>    However, if a given service is offerred, then the associated
>    mailbox name(es) must be supported, resulting in delivery to a
>    recipient appropriate for the referenced service or role.
> 
> And the generic "abuse@ADMIN.DOMAIN" mailbox must be supported, while
> supporting these mailboxes addressed to any subdomain that accepts
> mail is recommended.
> 
> So if reporting by email doesn't work, it's reasonable to impose a ban
> on you.  If they want to be dicks about it, they could keep a database
> of HELO domains, and if they see a new one, fire off a mail to
> postmaster.  The content is "just checking, no reply needed" (in the
> old days you could check for valid mailboxes without actually sending
> mail (SMTP VRFY command) but that was abused by spammers so most
> instances ignore it).  If that email is not accepted, assume the site
> is rogue and refuse the email.

Yes, and such verifications are apparently already done by some MTAs
to verify claimed mail senders really exist:
- incoming connection to tcp/25, claims he wants to send an email
  to a local user (MTA easily verifies it exists), and claims
  sender is asd@example.com
- the MTA keeps the incoming tcp/25 channel open, and contacts 
  example.com:25 trying to find out if the user exists
Test for abuse@ would be same.


>  > The "searching on my website for name/address/phone" is done manually,
>  > which is actually surprising: one would suspect more people run MTA
>  > and try to send mails to them without that data in whois.
> 
> I don't know.  Is your host a physical machine you own, or a rental
> server or in the cloud?  In my case it's a physical machine, but if
> they go looking for postmaster@ they'll get my employer (it's
> intercepted at the firewall even though my nominal status is "outside
> the firewall").  Other people will be using rental servers; maybe they
> go after the hosting entity then.  There are probably only a few
> people (ie, < 1 million :-) left with physical hosts.  When I move out
> of the university, I'll surely go to a service such as Linode.

Virtual box.  But yes, if they are unhappy about something
seemingly coming from the IP, and can not reach me (abuse@
or mail from SOA record) they will go to the hoster who owns
the IP.


>  > > Maybe whoever enforces GDPR where you are can help.
>  > 
>  > I think GDPR asked to get the data out of whois, from where it could
>  > be easily gathered.  Just that with their idea of providing it via
>  > website it could be even easier collected.
> 
> Yeah, I was mostly joking.  It just cracks me up when European
> entities demand that you publish your PII where *anybody* can get it.

*adjusting_detector*
.oO(How many Germans does it take to exchange a light bulb?
    One.  Germans are efficient and have no humour..)

(That one was so bad that I did not need the warning - I hope ;)

Chris