One thing your mail-sending system should do

August 12, 2009

If you are for some reason absolutely forced to have a system that will send email to user-entered addresses (given the principles of modern email this is not a good idea, but let's imagine that your management forces you), one of the things that you should absolutely do is make your system so that it won't send mail to certain user names. Spamming people is one thing; spamming abuse, postmaster, noc, security, and any number of other administrative user names is just carelessness.

(You may be able to guess what our postmaster alias got today, although it was probably actual spam faking the 'someone requested you be sent information' bit.)

The case for vacation autoreplies is somewhat weaker, but I think that they should definitely not auto-reply to at least postmaster. If you can manage it, the best thing to do probably is to not auto-reply to any administrative address that is not at your local domain. Your local NOC or security people might care that someone is not reading their email; the odds that a NOC elsewhere cares is, well, relatively low.

(These days, postmaster is not even an administrative address; it is a system address that is not used by humans, much like daemon. If you are lucky, someone reads email sent to it, but no one sensible sends email from it any more. Addresses like noc and security are still real administrative addresses, in that real people may send email from them.)

And on a side note, putting the IP address that submitted the web form into your auto-sent-out email message does not make your email any less spammy or abusive, or cause people to react any better to it. That particular well has been thoroughly poisoned by spammers (who forge this information in the hopes of distracting people). However, if you are going to do this please insert the same information into the message headers in some relatively standard format, like X-Originating-Ip:, so that automated systems can pick it up and do something with it (although you should already be doing obvious things like not allowing SBL-listed IP addresses to send out email).

(As a tip to would-be spammers, try to make your forged IP addresses come from actual allocated IP address space.)

Written on 12 August 2009.
« The somewhat apocryphal history of comments in the Bourne shell
Undo is sometimes not good enough »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Aug 12 01:11:13 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.