Date: Wed, 6 Sep 2006 14:43:43 -0700
From: Christopher Bort
Subject: Re: spamtrap irregularity?
To: SIMS Discussions
X-Mailer: Mailsmith 2.1.5 (Blindsider)

On 09/06/06 at 12:18, allan wrote:

> > What makes you think that spamtraps are not doing what they are
> > supposed to do? Whether the sending host gets tempbanned or not,
> > messages with spamtrapped recipients are rejected for all
> > recipients. Spamtrap addresses are not bad addresses (unknown,
> > unroutable, etc.). SIMS does know about them, they're defined in
> > its routing table.
>
> In the following example, I sent a single email from my external
> account to three addresses on my SIMS server:
> 1. a spamtrap address;
> 2. a non-existent address;
> 3. me.
>
> > 14:52:34 1 SMTP-685(smtp109.myISP.com) SPAM? address is a SpamTrap address
> > 14:52:34 1 SMTP-686(smtp109.myISP.com) SPAM? Recipient '' rejected: user unknown
> > 14:52:34 1 SMTP-685(smtp109.myISP.com) SPAM? Mail from '' rejected: SpamTrap
> > 14:52:35 2 SMTP-687(smtp109.myISP.com) {S.0000012736} received, 1306 bytes
> > 14:52:35 2 SYSTEM [S.0000012736] > F986009B1A50@myISP.com> 0+1 From:nxnw@myISP.com
> > 14:52:35 2 SYSTEM(POP) [S.0000012736] delivered to (ME)
>
> As you can see, there were three SMTP sessions generated by the
> server at my ISP. The email was not delivered to spamtrap and unknown
> (obviously). The email made it through to me, despite being preceded,
> in the same instant, by an email originating from the same IP to a
> spamtrap address.
>
> I assume that, had there been a single SMTP session, the spamtrap
> would have blocked the email to me.

Of course. I think you may misunderstand spamtraps somewhat. They
operate only on a per connection basis. If a message in a given
(single) SMTP session has multiple RCPT addresses and one or more of
those recipients is a spamtrap address, then SIMS will reject the
message for all of that message's recipients. SIMS does not keep track
of IP addresses that send messages to spamtraps so it does not
blacklist IP addresses on the basis that messages addressed to
spamtraps have previously come from them. This is almost certainly a
good thing, as blacklisting IP addresses based on their sending to
spamtraps would be a potential source of false positives.

> In this case, had the spamtrap address not been designated in the
> router, it would have, at least, counted toward a tempban. In this
> example, the spamtrap did no good, therefore, and had a negative
> effect.

Negative how? It seems to me in this case that the spamtrap's effect
was neutral. Keep in mind that spamtraps are only one tool in SIMS'
anti-spam toolbox. They can cover a hole that other tools miss and
vice versa.

> Your observation that "SIMS does know about them, they're defined
> in its routing table" is technically true but, surely, one would
> think that sending email to a spamtrap address justifies a tempban
> as much as simply sending to a nonexistent address. More, if you
> ask me.

Generating temporary blacklistings based on sending to unknown
addresses is different than doing so for sending to spamtrap
addresses. Tempbanning for sending to too many unknown addresses is
intended to stop spammers from tying up your resources with
dictionary harvesting attacks. Most installations won't have very many
spamtrap addresses, so spammers aren't likely to inundate you with
messages addressed to them (at least not like a dictionary attack
will). Dictionary attacks are a potential DoS threat, spamtraps
generally are not.

> I think it is useful for users to recognize this characteristic of
> the spamtrap mechanism in SIMS and consider whether it makes sense to
> use it.

In your example above, SIMS is behaving as expected and as described
in its documentation.

-- 
Christopher Bort
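A constructed model of the per-connection behaviour discussed in this thread, added here as an illustration and not SIMS code: one spamtrap RCPT rejects the message for every recipient of that session, only unknown recipients count toward a tempban, and nothing about the client IP is remembered between sessions. The addresses, the relay IP and the tempban threshold are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Assumption: the real SIMS tempban threshold is not stated in the thread;
# this value only exists to make the model runnable.
UNKNOWN_TEMPBAN_THRESHOLD = 3


@dataclass
class Server:
    users: set
    spamtraps: set
    unknown_hits: dict = field(default_factory=dict)  # client IP -> unknown RCPT count
    tempbanned: set = field(default_factory=set)

    def smtp_session(self, client_ip, recipients):
        """One SMTP connection carrying one message with N RCPT TO addresses.
        Returns {recipient: outcome} for that session only."""
        if client_ip in self.tempbanned:
            return {r: "rejected: tempbanned" for r in recipients}
        outcome = {}
        for r in recipients:
            if r in self.spamtraps:
                outcome[r] = "rejected: SpamTrap"
            elif r not in self.users:
                outcome[r] = "rejected: user unknown"
                # Only unknown addresses feed the tempban counter (dictionary-attack defence);
                # spamtrap hits are deliberately not remembered against the IP.
                self.unknown_hits[client_ip] = self.unknown_hits.get(client_ip, 0) + 1
                if self.unknown_hits[client_ip] >= UNKNOWN_TEMPBAN_THRESHOLD:
                    self.tempbanned.add(client_ip)
            else:
                outcome[r] = "accepted"
        if any(v == "rejected: SpamTrap" for v in outcome.values()):
            # The whole message is refused, so every recipient in this session loses.
            outcome = {r: "rejected: SpamTrap" for r in recipients}
        return outcome


def demo():
    """Replay the scenario from the message: three separate sessions versus one."""
    rcpts = ["trap@example.net", "nobody@example.net", "me@example.net"]
    relay_ip = "192.0.2.10"  # constructed sample address
    # Case 1: the sending relay opens one session per recipient (as in the log above).
    split = Server(users={"me@example.net"}, spamtraps={"trap@example.net"})
    separate = [split.smtp_session(relay_ip, [r]) for r in rcpts]
    # Case 2: all three RCPT TOs arrive in a single session.
    single = Server(users={"me@example.net"}, spamtraps={"trap@example.net"})
    combined = single.smtp_session(relay_ip, rcpts)
    return separate, combined, split.unknown_hits.get(relay_ip, 0)
```

Running demo() shows the third separate session still delivering to "me" while the single combined session rejects all three recipients, and only the unknown address having counted toward a tempban.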