Somehow, yesterday I experienced a new form of email nonsense.
-
Ryan Castellucci :nonbinary_flag: replied to Ryan Castellucci :nonbinary_flag: last edited by
@tychotithonus @Sempf if they can't be bothered to decide whether they're going to accept it at that time
-
Ryan Castellucci :nonbinary_flag: replied to Royce Williams last edited by
@tychotithonus @Sempf hold the connection while validating at the next hop
(this is a bit ideological)
-
Ryan Castellucci :nonbinary_flag: replied to Ryan Castellucci :nonbinary_flag: last edited by
@tychotithonus @Sempf being less extreme, it's pretty safe to send a bounce if SPF and DKIM validate
-
Royce Williams replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc @Sempf I mean, I get that, but in the meantime the blowback still hits the innocent non-sender. As a troubleshooter, I 100% hated silent discard, but as a spam fighter from back in the day, never doing that produced a whole bunch of busy work and harm that was impossible to work around otherwise. (Rejecting early in the connection was of course ideal!). But I've been out of this game for more than a decade ...
-
Royce Williams replied to Ryan Castellucci :nonbinary_flag: last edited by
-
@tychotithonus @ryanc I have learned more about SMTP in this conversation than I have in 25 years of fucking with it.
-
Ryan Castellucci :nonbinary_flag: replied to Royce Williams last edited by
@tychotithonus @Sempf the cursed thing here is that the sending side is silently discarding it
-
Ryan Castellucci :nonbinary_flag: replied to Bill last edited by
@Sempf @tychotithonus do you need a hug?
-
Bill replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc @tychotithonus No, just a brain.
-
@Sempf @tychotithonus @ryanc is that what happens when you hit the age of the port number? Remind me to die before I hit 80 years old...
-
Ryan Castellucci :nonbinary_flag: replied to Erik Ableson last edited by
@erik @Sempf @tychotithonus I've forgotten more about HTTP than most people will ever know...
-
Bill replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc @erik @tychotithonus I was gonna say, I spend most of my time at 443 so I'm probably ok there.
-
DrScriptt replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc @tychotithonus @Sempf well it might, but it won’t be your server sending the backscatter.
The server you refused to accept the message from is culpable for the backscatter. Maybe it shouldn’t have accepted the message in the first place.
-
DrScriptt replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc ask them for a PCAP.
If they successfully sent and you never got as much as a SYN, then someone’s got a monkey in the middle.
Are any ISPs intercepting outbound port 25 instead of filtering it?
-
I'm interested in minimizing ecosystem harm / impact, even if I'm not the direct / attributable source. In the worst case, if I know that an upstream hop is going to generate backscatter if I reject in my DATA phase, and I know with high confidence that the content is spam, and I know that that upstream hop is not likely to change their ways any time soon ... it's a net lessening of ecosystem harm if I silently discard, rather than indirectly "trigger" predictable backscatter.
Yes, I know this is idealistic.
-
Ryan Castellucci :nonbinary_flag: replied to Royce Williams last edited by
@tychotithonus @drscriptt @Sempf I think we can agree this is a case of choosing amongst bad options, but don't think either of us are going to change our mind about which is worse.
Besides, I'm the one who patched their mail server to allow for customized fake rejects.
-
Ryan Castellucci :nonbinary_flag: replied to DrScriptt last edited by
@drscriptt they're not going to have a pcap, and I have mine as I said
-
cR0w :cascadia: replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc @tychotithonus @drscriptt @Sempf
Me: I run my own mail server. I know what I'm doing.
Me later: reads this thread
Me now: Okay, y'all are awesome and I'm a noob again. And that's so cool.
-
@cR0w @ryanc @tychotithonus @drscriptt Exactly this.
-
Royce Williams replied to Ryan Castellucci :nonbinary_flag: last edited by
@ryanc
I think we agree more than we disagree! Especially when it is probably better for the ecosystem for the systems causing harm to be the explicit source of that harm, so that the ecosystem will start to respond to it appropriately. So I'm basically arguing myself out of silent discard even in my idealistic case!
@drscriptt @Sempf