== One thing your mail-sending system should do

If you are for some reason absolutely forced to have a system that will send email to user-entered addresses (given [[the principles of modern email ModernEmail]] this is [[not a good idea ModernAutoresponders]], but let's imagine that your management forces you), one of the things that you should absolutely do is make your system so that it won't send mail to certain user names. Spamming people is one thing; spamming _abuse_, _postmaster_, _noc_, _security_, and any number of other administrative user names is just carelessness.

(You may be able to guess what our postmaster alias got today, although it was probably actual spam faking the 'someone requested you be sent information' bit.)

The case for vacation autoreplies is somewhat weaker, but I think that they should definitely not auto-reply to at least _postmaster_. If you can manage it, the best thing to do probably is to not auto-reply to any administrative address that is not at your local domain. Your local NOC or security people might care that someone is not reading their email; the odds that a NOC elsewhere cares are, well, relatively low.

(These days, _postmaster_ is not even an administrative address; it is a system address that is not used by humans, much like _daemon_. If you are lucky, someone reads email sent to it, but no one sensible sends email from it any more. Addresses like _noc_ and _security_ are still real administrative addresses, in that real people may send email from them.)

And on a side note, putting the IP address that submitted the web form into your auto-sent-out email message does not make your email any less spammy or abusive, or cause people to react any better to it. That particular well has been thoroughly poisoned by spammers (who forge this information in the hopes of distracting people). However, if you are going to do this, please insert the same information into the message headers in some relatively standard format, like _X-Originating-Ip:_, so that automated systems can pick it up and do something with it (although you should already be doing obvious things like not allowing SBL-listed IP addresses to send out email).

(As a tip to would-be spammers, try to make your forged IP addresses come from actual allocated IP address space.)
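
One way to apply the recipient rules and the header suggestion above, as an added example that is not code from the original post. The domain `example.org`, the sender address, the subject line, the function names and the handling of `+tag` subaddresses are all assumptions made for illustration.

```python
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

# Role names the post lists; it says there are "any number of other" ones, so extend this.
ROLE_LOCALPARTS = frozenset({"abuse", "postmaster", "noc", "security"})
LOCAL_DOMAINS = frozenset({"example.org"})   # assumption: the domain(s) you run
SENDER = "webform@example.org"               # assumption: placeholder sender

def split_address(addr):
    """Return (localpart, domain) in lower case, or None if addr is not user@domain."""
    _, email = parseaddr(addr)
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        return None
    # Assumption: treat "security+tag" as "security" so subaddressing is not a bypass.
    return local.lower().split("+", 1)[0], domain.lower().rstrip(".")

def may_send_form_mail(addr):
    """Web-form mail: never send to an administrative user name at any domain."""
    parts = split_address(addr)
    return parts is not None and parts[0] not in ROLE_LOCALPARTS

def may_autoreply(addr):
    """Vacation replies: never to postmaster; other role names only at local domains."""
    parts = split_address(addr)
    if parts is None or parts[0] == "postmaster":
        return False
    local, domain = parts
    return local not in ROLE_LOCALPARTS or domain in LOCAL_DOMAINS

def build_form_mail(to_addr, submitter_ip, body):
    """Return the message to send, or None if the recipient is refused."""
    if not may_send_form_mail(to_addr):
        return None
    ip = str(ipaddress.ip_address(submitter_ip))  # ValueError on a malformed IP
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = parseaddr(to_addr)[1]
    msg["Subject"] = "Information you requested"
    # Machine-readable copy of the submitting IP, in the header the post suggests.
    msg["X-Originating-Ip"] = ip
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    for a in ("alice@example.net", "abuse@example.net", "noc@example.org"):
        print(a, may_send_form_mail(a), may_autoreply(a))
```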