North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: a note to those who would automate their rejection notices

  • From: jlewis
  • Date: Sat Dec 27 23:40:33 2003

On Sat, 27 Dec 2003, Paul Vixie wrote:

> today AOL thoughtfully supplied the following to [email protected]:

Did they really?

>   [email protected]
>     SMTP error from remote mailer after initial connection:
>     host []:
>     554-(RLY:B1)  The information presently available to AOL indicates this
>     554-server is generating high volumes of member complaints from AOL's
>     554-member base.  Based on AOL's Unsolicited Bulk E-mail policy at
>     554- AOL may not accept further
>     554-e-mail transactions from this server or domain.  For more information,
>     554 please visit
> this was in response to what the e-mail community refers to as a "trivial
> forgery", whose salient headers were:
>    Return-path: <[email protected]>
>    Received: from
> 		([]
> 	by with esmtp (Exim 3.35 #1)
> 	id 1AQIw9-0000bF-00; Sun, 30 Nov 2003 05:11:58 +0100
>    Message-ID: <[email protected]>
>    From: "Ediva Clapp" <[email protected]>

You didn't include much of the bounce, but from what you did include, I'm 
guessing this is similar to lots of spam bounces I've gotten. originated the message (most likely via 
a trojan spam proxy/emitter thats infected it) and sent the spam through a 
local mail server, is actually the system 
blacklisted by AOL.  When it failed to deliver this spam to AOL, it tried 
returning it to the "sender", which likely landed the message in a 
catch-all email box at

Assuming that's what happened, this isn't AOL's fault at all.

> them was "must scale indefinitely".  a simple application of this principle
> toward anti-virus and anti-spam automated rejection notices is to ignore
> the envelope and ignore the header and just focus on the peer IP address:
>    To: [email protected][]

That too will bounce.  I haven't checked, but I'd bet ( is an end-user running 
some flavor of Windows and does not run an SMTPd.

> "don't make me stop this car, kids."
> ...and to all a good night.

When did this become SPAM-L?  This sort of thing's been talked about on 
several of the "other spam lists" for a few weeks since some spamware app 
started using "local MX's" as relays, likely to circumvent DNSBLs and 
outbound 25/tcp blocking.
We're all going to have to come up with patches or hacks to "rate-limit" 
outgoing email by originating IP, or things are really going to get ugly 
as ISPs start blacklisting each other's mail servers to stop this sort of 
relayed spam.
 Jon Lewis *[email protected]*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |  
_________ for PGP public key_________