One thing your mail-sending system should do

August 12, 2009

If you are for some reason absolutely forced to have a system that will send email to user-entered addresses (given the principles of modern email this is not a good idea, but let's imagine that your management forces you), one of the things that you should absolutely do is make your system so that it won't send mail to certain user names. Spamming people is one thing; spamming abuse, postmaster, noc, security, and any number of other administrative user names is just carelessness.

(You may be able to guess what our postmaster alias got today, although it was probably actual spam faking the 'someone requested you be sent information' bit.)

The case for vacation autoreplies is somewhat weaker, but I think that they should definitely not auto-reply to at least postmaster. If you can manage it, the best thing to do probably is to not auto-reply to any administrative address that is not at your local domain. Your local NOC or security people might care that someone is not reading their email; the odds that a NOC elsewhere cares is, well, relatively low.

(These days, postmaster is not even an administrative address; it is a system address that is not used by humans, much like daemon. If you are lucky, someone reads email sent to it, but no one sensible sends email from it any more. Addresses like noc and security are still real administrative addresses, in that real people may send email from them.)

And on a side note, putting the IP address that submitted the web form into your auto-sent-out email message does not make your email any less spammy or abusive, or cause people to react any better to it. That particular well has been thoroughly poisoned by spammers (who forge this information in the hopes of distracting people). However, if you are going to do this please insert the same information into the message headers in some relatively standard format, like X-Originating-Ip:, so that automated systems can pick it up and do something with it (although you should already be doing obvious things like not allowing SBL-listed IP addresses to send out email).

(As a tip to would-be spammers, try to make your forged IP addresses come from actual allocated IP address space.)


Comments on this page:

From 195.26.247.140 at 2009-08-12 05:30:42:

What about sending registration emails? The user has to put in an email address there, and this is the first contact you have with them. Of course, if it gets ignored then they get removed from any future mailings (their registration is unconfirmed and so invalid for sending them more emails), but the first mail needs to be sent for them to be able to confirm the address is valid and what they wanted. (it's removed after a number of days of unconfirmedness)

What alternatives to email exist for this kind of registration-confirmation?

By cks at 2009-08-12 23:13:56:

Whoops, in retrospect I see that I was really unclear in my entry. The simple answer is that I wasn't talking about registration confirmation emails, but about all of the other sorts of automatically sent emails that people think are a good idea. For example, 'enter someone's email address here to have us email them marketing materials', or 'invite your friend (just give us their email address)', or the like.

The bad thing is emailing random person B on person A's say-so, and registration email is at least theoretically not this. One might argue that 'email me information about your company' is not either, but it doesn't work that way in practice.

Written on 12 August 2009.
« The somewhat apocryphal history of comments in the Bourne shell
Undo is sometimes not good enough »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Aug 12 01:11:13 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.