While looking up ways to deal with spammers and/or users
exceeding their limits I've come across the X-AntiAbuse
headers.
Do some of you utilize those headers already in your
outgoing mails?
Greets
Phil.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de
On Tuesday, March 10 at 04:39 PM, quoth Philipp Kolloczek:
> While looking up ways to deal with spammers and/or users exceeding
> their limits I've come across the X-AntiAbuse headers.
>
> Do some of you utilize those headers already in your outgoing
> mails?
If by "X-AntiAbuse headers", you mean the essentially diagnostic
headers that some people add to their email, then no, I don't. They
provide a rather limited benefit.
The idea behind X-AntiAbuse headers is to include additional
diagnostic data in each message to make it easy to track down if it is
ever reported to have been an abusive message. For example:
    X-AntiAbuse: This header was added to track abuse, please
        include it with any abuse report
    X-AntiAbuse: Primary Hostname - xxxxx
    X-AntiAbuse: Original Domain - xxxxxx
    X-AntiAbuse: Originator/Caller UID/GID - [x x]/[x x]
    X-AntiAbuse: Sender Address Domain - xxxxxx
There's no actual *standard* for these headers; they can be whatever
you want them to be. Unfortunately, they're not especially useful. For
one thing, most (if not all) of this type of information should be
included in your Received headers. And in the situations where this
information would be useful, such as receiving an abuse report from
AOL, where you would think you could use that information to track
down exactly where that message came from, AOL (and similar folks) has
a policy of "sanitizing" email messages so that they CANNOT be
tracked. I believe the justification is that they don't want you
taking retaliatory action towards AOL subscribers that complain (or
something like that). In any event, if a company has a policy of
removing all of the useful data from the Received headers, there's no
reason to think that they'd accidentally leave these X-AntiAbuse
headers in (other than incompetence on their part).
Now the question is: how do these headers help combat spammers and/or
users exceeding their limits? They only really help combat spammers if
the spammers are somehow able to relay email through your server (e.g.
if you don't trust your users or if your email server is misconfigured
so that it can be abused for relaying spammer email messages). Because
otherwise, all the information about the message should be available
in your email server's logs---and that's even assuming that people
reporting abuse (such as AOL) will honor your request to include those
headers in their abuse report. As for users who exceed their limits
(by which I assume you mean either sending limits or disk quota), I
have no idea how such headers would help do anything other than
slightly increase the rate at which such users use up their disk quota
(by adding a few bytes to every message).
So I think the fundamental question remains: how would such headers
actually *help* combat spammers and/or users that exceed their limits?
If you're asking "how do I add such headers", there are lots of ways.
One easy way is to use qmail-qfilter, another would be to create some
simple wrapper scripts yourself. Either way works, depending on your
situation and exactly what behavior you want (i.e. do you want the
headers added only to outbound email or to all inbound email?). But I
think the smarter thing to do is to figure out if you really want to
do such a thing.
Personally, I think these headers are rather pointless. But perhaps
you see a use for them that I don't?
If you're asking whether qmail comes with a built-in configuration
toggle to add arbitrary headers, the answer is no.
~Kyle
--
America is the only country that went from barbarism to decadence
without civilization in between.
-- Oscar Wilde
Thanks, Kyle, for your informative answer.
> The idea behind X-AntiAbuse headers is to include additional
> diagnostic data in each message to make it easy to track down if it is
> ever reported to have been an abusive message. For example:
> There's no actual *standard* for these headers; they can be whatever
> you want them to be. Unfortunately, they're not especially useful. For
> Personally, I think these headers are rather pointless. But perhaps
> you see a use for them that I don't?
Well, my question was somehow meant to be multi-part and your answer
covered nearly all of it. I was wondering if there is some kind of standard
or ongoing discussion to create one, as there is for example for the ARF
format. I have noticed that more and more mails, especially
from Gmail, tend to use those headers. But digging through the internet hasn't
led me to related information.
One other part is some kind of product management historic overhead
my company is dealing with, as we have groups of customers using
other authentication schemes than username-based smtp-auth. But those
are only usable from inside our own IP range.
So we have a potential group of user mails which may bypass anti-spam
mechanisms which hit every mail transmitted to our servers
related to configuration time windows and outbreak characteristics
of new spam types.
But with some costs we can pin down every user using these alternatives
while sending from our network and have our abuse policy hit them.
For those we sometimes receive abuse requests with blanked
headers regarding recipient and sender addresses which makes
it difficult to locate that message in the logs as qmail does not
log message-ids.
One thought about those headers was a combination of having qmail
add additional information to the logs and the mail header for
mails sent over our systems, for easier review and to lower the
review costs.
A second thought was to have them carry an encrypted version of
the username of the user who sent the mail on smtp-auth too. Our
customers can use the main uid and mail aliases to collect and
send mail. So potentially a customer can send mail with an alias
showing up in the Received header and then delete the alias.
As I have patched qmail to give back the main uid on
authentication regardless of which of its aliases was used, that
could be used to set an internal "checksum" in that mail.
I'm with you about the reliability of these headers.
For our honeypots we already include them in the reports sent out
if a collected mail has utilized them.
Thanks again for your thoughts and views on those headers.
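
Added example, not part of the thread and not code from any poster: one way the header-plus-log idea in the last message could work, using a keyed MAC (HMAC-SHA256) over a per-message nonce and the main uid in place of an "encrypted username", so a report with blanked addresses can still be matched to a log line. The "Trace" label, the log-line format, the key handling and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Header label is an assumption; the thread notes there is no standard.
PREFIX = b"x-antiabuse: trace - "

def _mac(key, nonce, uid):
    # Keyed MAC binding the per-message nonce to the main uid.
    data = nonce + b"\0" + uid.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:32].encode()

def tag_message(raw, uid, key, nonce=None):
    """Prepend the trace header; return (tagged message, log line)."""
    nonce = nonce or secrets.token_hex(8).encode()
    header = b"X-AntiAbuse: Trace - " + nonce + b"." + _mac(key, nonce, uid)
    log_line = "trace %s uid %s" % (nonce.decode(), uid)
    return header + b"\n" + raw, log_line

def resolve_report(report, log_lines, key):
    """Return the main uid behind a reported message, or None."""
    index = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "trace" and parts[2] == "uid":
            index[parts[1].encode()] = parts[3]
    for line in report.splitlines():
        if not line.lower().startswith(PREFIX):
            continue
        nonce, _, mac = line[len(PREFIX):].strip().partition(b".")
        uid = index.get(nonce)
        # Reject tokens that were not minted with our key for that uid.
        if uid is not None and hmac.compare_digest(mac, _mac(key, nonce, uid)):
            return uid
    return None

# Constructed sample data: a message sent via an alias, then a report
# of it with sender and recipient blanked by the reporting site.
KEY = b"constructed-demo-key"
MESSAGE = b"From: alias@example.com\nTo: rcpt@example.net\nSubject: hi\n\nbody\n"
TAGGED, LOG_LINE = tag_message(MESSAGE, "cust1042", KEY, nonce=b"a1b2c3d4e5f60718")
REPORT = TAGGED.replace(b"alias@example.com", b"[redacted]").replace(
    b"rcpt@example.net", b"[redacted]")

if __name__ == "__main__":
    print(LOG_LINE)
    print(resolve_report(REPORT, [LOG_LINE], KEY))
```

The MAC check means a header that was altered, or copied from elsewhere with a made-up token, resolves to nothing instead of pointing at a customer.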