Blowback 1

Posted by Christopher Smith Wed, 26 Mar 2008 03:08:00 GMT

So, with a bit more investigation, it is now clear what exactly was going on with my mail server. It appears that some spammer has decided to send out massive numbers of spams with a forged return path, and said forgery pointed to jslopez@xman.org. As per usual, there are still massive numbers of domains that will bounce such messages, and on top of that there are MLMs and vacation programs that automatically respond to the return path of anything they get, so my MTA has been consumed by the blowback/backscatter.

Awesome.

I did some more tweaking, and concluded that my best moves were the following tweaks:

  • Reduce the # of slave processes for the MTA to 2.
  • Set up an explicit access rule for jslopez@xman.org that causes an immediate rejection and a nice little “don’t be an idiot and bounce forged return paths” public service message.
  • Get the accept queue depth as deep as possible for the slave processes.
  • Reject any messages without a proper e-mail address in the FROM: envelope.
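
One way these tweaks map onto Postfix settings, as an added example rather than the configuration actually used on this server. The map path and the reply text are assumptions, and "proper e-mail address" is read here as `reject_non_fqdn_sender`.

```shell
#!/bin/sh
# Added example, not the author's configuration.
# Map path and reply text are assumptions.
FORGED_RCPT="jslopez@xman.org"      # forged return path named in the post
ACCESS_MAP="${ACCESS_MAP:-/etc/postfix/backscatter_access}"

# access(5) line: refuse the address at RCPT TO, before any message
# body is accepted, and tell the bouncing host why.
access_table() {
    printf '%s\tREJECT Forged return path; this address sent you nothing, do not bounce to it\n' "$1"
}

# main.cf settings, one "name = value" per line, ready for `postconf -e`.
# The access check runs first; reject_unauth_destination stays in the
# list so the host does not turn into an open relay.
main_cf_settings() {
    cat <<EOF
smtpd_recipient_restrictions = check_recipient_access hash:$ACCESS_MAP, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender
EOF
}

apply() {
    access_table "$FORGED_RCPT" > "$ACCESS_MAP"
    postmap "hash:$ACCESS_MAP"      # build the indexed lookup file
    main_cf_settings | while IFS= read -r setting; do
        postconf -e "$setting"
    done
    postfix check && postfix reload
}

# The number of smtpd processes is the maxproc column (seventh field) of
# the smtp/inet line in master.cf; the other columns stay as they are:
#   smtp  inet  n  -  n  -  2  smtpd
if [ "${1:-}" = "apply" ]; then apply; fi
```
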

The killer solution was Google Apps for Domains though. I have registered for the service, updated my MX records, and once that information propagates through the Internets all my domain’s e-mail will get routed to Gmail, which has exactly one registered account: jslopez@xman.org. Gmail is configured to route any e-mails to an unknown address to my mail server. The net effect is that all this backscatter will get swallowed by the Gmail black hole, and everything else will remain outside the event horizon and hopefully get delivered to my mail server at something approaching the speed of light.

The other lesson learned from this is that openldap is slow, so one shouldn’t be using it for accessing one’s MTA configuration. I intend to set up a cron job that will periodically dump the contents of LDAP into files and then have postfix just read those files directly. This should prove to be infinitely more scalable and efficient, at the cost of updates being somewhat delayed.
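
A sketch of such a cron job, added here as an example and not the author's script. It assumes each mailbox entry carries a `mail` attribute; the LDAP URI, base DN, output path and script name are placeholders.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes each mailbox entry has a
# "mail" attribute; URI, base DN and output path are placeholders.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
BASE_DN="${BASE_DN:-dc=example,dc=org}"
OUT="${OUT:-/etc/postfix/ldap_recipients}"

# Turn LDIF on stdin into a Postfix lookup table: "address<TAB>OK",
# lowercased and de-duplicated. Base64 values ("mail:: ...") and values
# that are not a single local@domain token are skipped, not guessed at.
ldif_to_map() {
    awk '
        /^mail: / {
            addr = tolower(substr($0, 7))
            sub(/[ \t\r]+$/, "", addr)
            if (addr ~ /^[^@ \t]+@[^@ \t]+$/ && !seen[addr]++)
                print addr "\tOK"
        }
    ' | sort
}

dump() {
    tmp=$(mktemp "$OUT.XXXXXX") || return 1
    # -LLL: bare LDIF; ldif-wrap=no: keep long values on one line.
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$BASE_DN" \
        '(mail=*)' mail | ldif_to_map > "$tmp"
    # A pipeline only reports the status of its last command, so an LDAP
    # failure shows up as an empty file; keep the previous table then.
    if [ -s "$tmp" ]; then
        chmod 644 "$tmp"            # mktemp creates the file with mode 0600
        mv "$tmp" "$OUT" && postmap "hash:$OUT"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Placeholder crontab entry:
#   */15 * * * * root /usr/local/sbin/ldap2postfix dump
if [ "${1:-}" = "dump" ]; then dump; fi
```

Writing to a temporary file and renaming it means Postfix never reads a half-written table, and a failed or empty LDAP query leaves the last good copy in place.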

Know Your E-mail Address

Posted by Christopher Smith Sat, 06 Oct 2007 19:29:00 GMT

I’ve been on the Internet a long time. As a consequence, I have some very short (i.e. not chris13123124@yahoo.com) e-mail addresses on places like Yahoo Mail and Gmail (well, in the case of Gmail it’s because I have friends who worked there when Gmail came online for the first time). Some people think this is cool. In practice, it turns out to be a PITA, by function of incredibly stupid people who don’t know their own e-mail address. I’m sorry folks, but it is the 21st century. If you don’t know what your e-mail address is you shouldn’t be on the Internet. More importantly, you shouldn’t be guessing by putting in my e-mail address instead.

This phenomenon seems to have really become a lot worse in the last couple of years, probably because e-mail has become so mainstream that friends and company use your e-mail address more than they use your phone number. I have tried, repeatedly, to send people e-mails clarifying that someone has given them the wrong address, but more often than not, it simply results in more confusion.

Over the last couple of years, I have been signed up for Kodak’s photo repository (which apparently fails to collect any contact information beyond an e-mail address and fails to validate that e-mail address before letting you upload pictures). I’ve been able to see some lovely wedding photos and what I suspect are some honeymoon photos (I didn’t want to see that!) that were not intended for the general public. I’ve been signed up for free Microsoft Office trials. I’ve been put on to mailing lists for military personnel in Georgia. I’ve been contacted by domain registrars about configuration updates to various domain names. I’ve been put on three different PTA mail lists. I’ve received shipping notices and order invoices from Dell and HP, going to people all over the US as well as a Christian missionary group in Texas that proselytizes by teaching English. I’ve received multiple correspondences about wedding and honeymoon plans (I’m guessing related to the photos) from planners, hotels, restaurants, and… Victoria’s Secret (really, I didn’t want to know). I’ve received real billing notices from the BofA, with lots of account information included. The worst part is that I’ve been put on so many spammers’ lists it is insane (the overlap between people who don’t know their own e-mail address and people who don’t recognize phishing scams is… significant).

I have tried to be nice about this. I’ve carefully unsubscribed or disabled most of the stuff set up with my e-mail address. I’ve tried to contact the senders and recipients of e-mails to let them know that this is the wrong e-mail address. I’ve tried looking up whatever contact info is available to track people down. I haven’t actually sent snail mail, but that is what I’m going to do next.

No more Mr. Nice Guy. I’m going to go public. If you still don’t get it, I’m going to start signing people up for obnoxious services as retribution. Today’s latest is:

Carolyn Smith 34991 Hamilton Ct. Farmington Hills MI 48334

Carolyn claims to work for a company called ACN. I tried looking up a phone number for that address, but apparently there is none. I’ll be sending snail mail, but I suspect it is going to take weeks for that to work. Carolyn, your e-mail address on gmail is NOT what you think it is. If you’ve been wondering why you haven’t obtained your free Microsoft Office trials as well as all the Microsoft junk mail you’ve signed up for, this is the reason. I’ve disabled the subscription multiple times, but you seem to keep signing me up. Please, take a look at what your e-mail address is. If anyone who reads this thinks they know Carolyn, please contact her and tell her to send an e-mail to what she thinks is her e-mail address. Then maybe we can sort this all out.

And finally, a PSA for all those folks managing mail lists and using e-mail addresses for usernames: please, do yourself and your customers a favour and verify e-mail addresses before signing them up.