One document matched: draft-ietf-sieve-refuse-reject-07.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt'?>
<?rfc toc="yes"?>
<?rfc strict="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="std" docName="draft-ietf-sieve-refuse-reject-07" ipr="full3978" updates="3028">
<front>
<title abbrev="Sieve Extension: Reject">
Sieve Email Filtering: Reject and Extended Reject Extensions
</title>
<author fullname="Aaron Stone" initials="A" surname="Stone" role="editor">
<organization>Hydric Acid</organization>
<address>
<postal>
<street>260 El Verano Ave</street>
<city>Palo Alto</city>
<region>CA</region>
<code>94306</code>
<country>USA</country>
</postal>
<email>aaron@serendipity.palo-alto.ca.us</email>
</address>
</author>
<author fullname="Matthew Elvey">
<organization abbrev=" ">The Elvey Partnership, LLC</organization>
<address>
<postal>
<street>1819 Polk Street, Suite 133</street>
<city>San Francisco</city>
<region>CA</region>
<code>94109</code>
<country>USA</country>
</postal>
<email>sieve3@matthew.elvey.com</email>
</address>
</author>
<author fullname="Alexey Melnikov">
<organization abbrev=" ">Isode Limited</organization>
<address>
<postal>
<street>5 Castle Business Village</street>
<street>36 Station Road</street>
<city>Hampton</city>
<region>Middlesex</region>
<code>TW12 2BX</code>
<country>UK</country>
</postal>
<email>Alexey.Melnikov@isode.com</email>
</address>
</author>
<date day="26" month="May" year="2008" />
<area>Applications</area>
<workgroup>Sieve Working Group</workgroup>
<keyword>sieve refuse reject ereject joe-job smtp lmtp spam</keyword>
<abstract>
<t>
This memo updates the definition of the Sieve mail filtering language
"reject" extension, originally defined in RFC 3028.
</t>
<t>
A "Joe-job" is a spam run forged to appear as though it came from an
innocent party, who is then generally flooded by automated bounces,
Message Disposition Notifications (MDNs), and personal messages with
complaints. The original Sieve "reject" action defined in RFC 3028
required use of MDNs for rejecting messages, thus contributing to the
flood of Joe-job spam to victims of Joe-jobs.
</t>
<t>
This memo updates the definition of the "reject" action to allow
messages to be refused during the SMTP transaction, and defines the
"ereject" action to require messages to be refused during the SMTP
transaction, if possible.
</t>
<t>
The "ereject" action is intended to replace the "reject" action
wherever possible.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
The Sieve mail filtering language <xref target="SIEVEBIS" />,
as originally defined in <xref target="SIEVE">RFC 3028</xref>,
specified that the "reject" action shall discard a message and send a
Message Disposition Notification <xref target="MDN" /> to the envelope sender along
with an explanatory message. <xref target="SIEVEBIS">RFC 5228</xref> does not define
any reject action, hence the purpose of this document.
</t>
<t>
This document updates the definition of the "reject" action to permit
refusal of the message during the SMTP transaction, if possible, and
defines a new "ereject" action to require refusal of the message
during the SMTP transaction, if possible.
</t>
<t>
Implementations are further encouraged to use spam-detection systems
to determine the level of risk associated with sending an MDN, and
this document allows implementations to silently drop the MDN if the
rejected message is deemed to be likely spam.
</t>
<t>
Further discussion highlighting the risks of generating MDNs and the
benefits of protocol-level refusal can be found in <xref target="Joe-DoS" />.
</t>
<section title="Conventions Used in This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="KEYWORDS" dwdrfc-type='norm'/>.
</t>
<t>Conventions for notations are as in <xref target="SIEVE" dwdrfc-type='norm'>RFC 3028</xref> Section 1.1.</t>
<t>
This document does not attempt to define spam or how it should be
identified, nor to define an email virus or how it should be
detected. Implementors are advised to follow best practices
and keep abreast of current research in these fields.
</t>
</section>
</section>
<section title="Sieve 'reject' and 'ereject' Extentions">
<section title="Action ereject">
<t>Usage: ereject <reason: string></t>
<t>
Sieve implementations that implement the "ereject" action must use
the "ereject" capability string.
</t>
<t>
The "ereject" action cancels the implicit keep and refuses delivery
of a message. The reason string is a <xref target="UTF-8">UTF-8</xref> string
specifying the reason for refusal. How a message is refused depends
on the capabilities of the mail component (MDA or MTA) executing the
Sieve script. The Sieve interpreter MUST carry out one of the
following actions (listed in order from most to least preferred),
SHOULD carry out the most preferable action, and SHOULD fall back to
lesser actions if a preferred action fails.
</t>
<t>
<list style="numbers">
<t>Refuse message delivery by sending a 5XX response code
over <xref target="SMTP">SMTP</xref> or <xref target="LMTP">LMTP</xref>.
See <xref target="reject-protocol-level" /> for more details.
</t>
<t>Discard the message if a return-path verification clearly
indicates that the message has a forged return-path.
</t>
<t>Send a non-delivery report to the envelope sender
(<xref target="REPORT"/> <xref target="DSN"/>).
See <xref target="reject-dsn" /> for more details.
</t>
</list>
The ereject action MUST NOT be available in environments that do not
support protocol level rejection, e.g. an MUA, and MUST be available
in all other environments that support the reject action.
</t>
<figure><artwork>
Example:
require ["ereject"];
if address "from" "someone@example.com" {
ereject "I no longer accept mail from this address";
}
</artwork></figure>
<section anchor="reject-protocol-level" title="Rejecting a message at the SMTP/LMTP protocol level">
<t>
Sieve implementations that are able to reject messages at the
SMTP/LMTP level MUST do so and SHOULD use the 550 response code. Note
that if a message is arriving over SMTP and has multiple recipients,
some of whom have accepted the message, <xref target="reject-dsn" />
defines how to reject such a message.
</t>
<t>
Note that <xref target="SMTP">SMTP</xref> does not allow non-ASCII characters in the
SMTP response text. If non-ASCII characters appear in the "reason"
string, they can be sent at the protocol level if and only if the
client and the server use an SMTP extension that allows for
transmission of non-ASCII reply text. (One example of such an SMTP
extension is described in <xref target="UTF8-RESP" />.) In the absence of such an
SMTP extension, the Sieve engine MUST replace any reason string
being sent at the protocol level and containing non-ASCII
characters with an implementation-defined ASCII-only string.
</t>
<t>
Users who don't like this behavior should consider using
the "reject" action described in <xref target="action-reject" />, if available.
</t>
<t>
See <xref target="refuse-protocol-level" /> for the detailed instructions about performing
protocol level rejection.
</t>
</section>
<section anchor="reject-dsn" title="Rejecting a message by sending a DSN">
<t>
An implementation may receive a message via SMTP that has more
than one RCPT TO that has been accepted by the server, and at least
one but not all of them are refusing delivery (whether the refusal
is caused by a Sieve "ereject" action or for some other reason).
In this case, the server MUST accept the message and generate DSNs
for all recipients that are refusing it. Note that this exception
does not apply to LMTP, as LMTP is able to reject messages on a per-
recipient basis. (However, the LMTP client may then have no
choice but to generate a DSN to report the error, which
may result in blowback.)
</t>
<t>
Note that according to <xref target="DSN"/>, Delivery Status Notifications MUST NOT
be generated if the MAIL FROM (or Return-Path) is empty.
</t>
<t>
The DSN message MUST follow the requirements of <xref target="DSN"/> and <xref target="REPORT" />
The action-value field defined in <xref target="DSN"/>, Section 2.3.3, MUST contain
the value "failed". The human-readable portion of the non-delivery
report MUST contain the reason string from the "ereject" action and
SHOULD contain additional text alerting the apparent original sender
that the message was refused by an email filter. This part of the
report might appear as follows:
</t>
<figure><artwork>
------------------------------------------------------------
Your message was refused by the recipient's mail filtering program.
The reason given was as follows:
I am not taking mail from you, and I don't want your birdseed,
either!
------------------------------------------------------------
</artwork></figure>
</section>
</section>
<section anchor="action-reject" title="Action reject">
<t>
This section updates the definition of the reject action in Section
4.1 of RFC 3028 and is an optional extension to <xref target="SIEVEBIS"/>.
</t>
<figure><artwork>
Usage: reject <reason: string>
</artwork></figure>
<t>
Sieve implementations that implement the "reject" action must use
the "reject" capability string.
</t>
<t>
The "reject" action cancels the implicit keep and refuses delivery
of a message. The reason string is a <xref target="UTF-8">UTF-8</xref> string
specifying the reason for refusal. Unlike the "ereject" action
described above, this action would always favor preserving the exact
text of the refusal reason. Typically the "reject" action refuses
delivery of a message by sending back an MDN to the alleged sender
(see <xref target="reject-mdn" />). However implementations MAY refuse delivery over
protocol (as detailed in <xref target="refuse-protocol-level" />), if and only if all of the
following conditions are true:
</t>
<?rfc needLines="5" ?>
<t><list style="numbers">
<t>
The reason string consists of only US-ASCII characters
<vspace blankLines="0" /> or <vspace blankLines="0" />
The reason string contains non-US-ASCII and both client and server
support and negotiate use of an SMTP/LMTP extension for sending
UTF-8 responses.
</t>
<?rfc needLines="7" ?>
<t>
LMTP protocol is used
<vspace blankLines="0" /> or <vspace blankLines="0" />
SMTP protocol is used and the message has a single recipient
<vspace blankLines="0" /> or <vspace blankLines="0" />
SMTP protocol is used, the message has multiple recipients,
and all of them refused message delivery (whether using Sieve or
not).
</t>
</list></t>
<figure><artwork>
Example:
require ["reject"];
if size :over 100K {
reject text:
Your message is to big. If you want to send me a big attachment,
put it on a public web site and send me an URL.
.
;
}
</artwork></figure>
<t>
(Pretend that the reason string above contains some non-ASCII text.)
</t>
<section anchor="reject-mdn" title="Rejecting a message by sending an MDN">
<t>
The reject action resends the received message to the envelope sender
specified by the MAIL FROM (or Return-Path) address, wrapping it in
a "reject" form, explaining that it was rejected by the recipient.
</t>
<t>
Note that according to <xref target="MDN"/>, Message Disposition Notifications MUST
NOT be generated if the MAIL FROM (or Return-Path) is empty.
</t>
<t>
A reject message MUST take the form of a failure MDN as specified
by <xref target="MDN"/>. The human-readable portion of the message, the first
component of the MDN, contains the human readable message
describing the error, and it SHOULD contain additional text
alerting the apparent original sender that mail was refused by an
email filter.
</t>
<t>
The MDN disposition-field as defined in the MDN specification MUST
be "deleted" and MUST have the "MDN-sent-automatically" and
"automatic-action" modes set (see Section 3.2.6 of <xref target="MDN"/>).
</t>
<t>
In the following script, a message is rejected and returned to the
alleged sender.
</t>
<figure><artwork>
Example:
require ["reject"];
if header :contains "from" "coyote@desert.example.org" {
reject text:
I am not taking mail from you, and I don't
want your birdseed, either!"
.
;
}
</artwork></figure>
<t>
For this script, the first part of the MDN might appear as follows:
</t>
<figure><artwork>
------------------------------------------------------------
The message was refused by the recipient's mail filtering program.
The reason given was as follows:
I am not taking mail from you, and I don't want your birdseed,
either!
------------------------------------------------------------
</artwork></figure>
</section>
</section>
<section title="Silent upgrade from reject to ereject">
<t>
Implementations MUST NOT silently upgrade reject actions to ereject
actions, however user interfaces may change the specific action underlying
a descriptive representation, thereby effecting a silent upgrade of sorts.
</t>
<t>
Script generators SHOULD ensure that a rejection action being
executed as a result of an anti-spam/anti-virus positive test
be done using the ereject action, as it is more suitable for such
rejections.
</t>
<t>
Script generators MAY automatically upgrade scripts that previously
used the reject action for anti-spam/anti-virus related rejections.
Note that such generators MUST make sure that the target environment
can support the ereject action.
</t>
</section>
<section title="Compatibility with other actions">
<t>
This section applies equally to "reject" and "ereject" actions.
All references to the "reject" action in this section can be replaced
with the "ereject" action.
</t>
<t>
A "reject" action cancels the implicit keep.
</t>
<t>
Implementations MUST prohibit the execution of more than one reject
in a Sieve script.
</t>
<t>
"Reject" MUST be incompatible with the <xref target="VACATION">"vacation"</xref>
action. It is NOT RECOMMENDED that implementations permit the use of
"reject" with actions that cause mail delivery, such as "keep",
"fileinto", "redirect".
</t>
<t>
Making "reject" compatible with actions that cause mail delivery
violates the <xref target="SMTP">RFC 2821</xref> principle that a message is either delivered or
bounced back to the sender. So bouncing a message back (rejecting)
and delivering it will make the sender believe that the message was
not delivered.
</t>
<t>
However, there are existing laws requiring certain organizations to
archive all received messages, even the rejected ones. Also, it can
be quite useful to save copies of rejected messages for later
analysis.
</t>
<t>
Any action that would modify the message body will not have an effect
on the body of any message refused by "reject" using an SMTP response
code and MUST NOT have any effect on the content of generated
DSN/MDNs.
</t>
</section>
<section anchor="refuse-protocol-level" title="Details of protocol level refusal">
<t>
If the "reason" string consists of multiple CRLF separated lines,
then the reason text MUST be returned as a multiline SMTP/LMTP
response, per <xref target="SMTP"/>, Section 4.2.1. Any line MUST NOT exceed the
SMTP limit on the maximal line length. To make the reason string
conform to any such limits the server MAY insert CRLFs and turn the
response into a multiline response.
</t>
<t>
In the following script (which assumes support for the
<xref target="SPAMTEST">spamtest</xref>
and fileinto extensions), messages that test highly positive for spam are refused.
</t>
<figure><artwork>
Example:
require ["ereject", "spamtest", "fileinto",
"comparator-i;ascii-numeric"];
if spamtest :value "ge"
:comparator "i;ascii-numeric" "6" {
ereject text:
AntiSpam engine thinks your message is spam.
It is therefore being refused.
Please call 1-900-PAY-US if you want to reach us.
.
;
} elsif spamtest :value "ge"
:comparator "i;ascii-numeric" "4" {
fileinto "Suspect";
}
</artwork></figure>
<t>
The following excerpt from an SMTP session shows it in action.
</t>
<figure><artwork>
...
C: DATA
S: 354 Send message, ending in CRLF.CRLF.
...
C: .
S: 550-AntiSpam engine thinks your message is spam.
S: 550-It is therefore being refused.
S: 550 Please call 1-900-PAY-US if you want to reach us.
</artwork></figure>
<t>
If the SMTP/LMTP server supports <xref target="ENHANCED-CODES">RFC 2034</xref> it MUST
prepend an appropriate Enhanced Error Code to the "reason" text.
Enhanced Error code 5.7.1 or a more generic 5.7.0 are RECOMMENDED.
With an Enhanced Error Code, the response to DATA command in the SMTP
example below will look like:
</t>
<figure><artwork>
S: 550-5.7.1 AntiSpam engine thinks your message is spam.
S: 550-5.7.1 It is therefore being refused.
S: 550 5.7.1 Please call 1-900-PAY-US if you want to reach us.
</artwork></figure>
<t>
if the server selected "5.7.1" as appropriate.
</t>
<t>
If a Sieve implementation that supports "ereject" does not wish to
immediately disclose the reason for rejection (for example, that it
detected spam), it may delay immediately sending of the 550 error
code by sending a 4XX error code on the first attempt to receive
the message.
</t>
</section>
</section>
<section anchor="changes" title="Changes from RFC 3028">
<t>
Clarified that the "reject" action cancels the implicit keep.
Extended the list of allowable actions on "reject" to include protocol
level message rejection.
</t>
<t>
Added the "ereject" action that is similar to "reject", but will
always favor protocol level message rejection.
</t>
</section>
<section anchor="security" title="Security Considerations">
<t>
The Introduction to this document discusses why rejecting messages
before delivery is better than accepting and bouncing them.
</t>
<t>
Security issues associated with email auto-responders are fully
discussed in the Security Considerations section of <xref target="RFC3834" />. This
document is not believed to introduce any additional security
considerations in this general area.
</t>
<t>
The "ereject" extension does not raise any other security
considerations that are not already present in the base <xref target="SIEVE"/>
specification, and these issues are discussed in <xref target="SIEVE"/>.
</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>
The following section provides the IANA registrations for the Sieve
extensions specified in this document:
</t>
<section anchor="iana-reject" title="reject extension registration">
<t>
IANA is requested to update the registration for the Sieve "reject"
extension as detailed below:
</t>
<figure><artwork>
Capability name: reject
Description: adds the "reject" action for refusing delivery
of a message. The exact reason for refusal is
conveyed back to the client.
RFC number: this RFC
Contact address: the Sieve discussion list <ietf-mta-filters@imc.org>
</artwork></figure>
</section>
<section anchor="iana-ereject" title="ereject extension registration">
<t>
IANA is requested to replace the preliminary registration of the
Sieve refuse extension with the following registration:
</t>
<figure><artwork>
Capability name: ereject
Description: adds the 'ereject' action for refusing delivery
of a message. The refusal should happen as early
as possible (e.g. at the protocol level) and might
not preserve the exact reason for refusal if it
contains non-US-ASCII text.
RFC number: this RFC
Contact address: the Sieve discussion list <ietf-mta-filters@imc.org>
</artwork></figure>
</section>
</section>
</middle>
<back>
<references title="Normative References">
<dwdrfc-ref anchor='KEYWORDS' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'/>
<dwdrfc-ref anchor='SIEVE' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3028.xml'/>
<dwdrfc-ref anchor='SIEVEBIS' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5228.xml'/>
<dwdrfc-ref anchor='SMTP' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2821.xml'/>
<dwdrfc-ref anchor='LMTP' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2033.xml'/>
<dwdrfc-ref anchor='DSN' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3464.xml'/>
<dwdrfc-ref anchor='MDN' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3798.xml'/>
<dwdrfc-ref anchor='REPORT' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3462.xml'/>
<dwdrfc-ref anchor='ENHANCED-CODES' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2034.xml'/>
<dwdrfc-ref anchor='UTF-8' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml'/>
<dwdrfc-ref anchor='VACATION' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5230.xml'/>
</references>
<references title="Informative References">
<reference anchor="Joe-DoS">
<front>
<title>Mail Non-Delivery Message DDoS Attacks</title>
<author fullname="Stefan Frei"><organization></organization></author>
<author fullname="Ivo Silvestri"><organization></organization></author>
<author fullname="Gunter Ollman"><organization></organization></author>
<date day="5" month="4" year="2004" />
<abstract><t>http://www.techzoom.net/paper-mailbomb.asp:
http://www.techzoom.net/papers/mail_non_delivery_notice_attacks_2004.pdf</t></abstract>
</front>
</reference>
<dwdrfc-ref anchor='RFC3834' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3834.xml'/>
<dwdrfc-ref anchor='SPAMTEST' src='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5235.xml'/>
<dwdrfc-ref anchor='UTF8-RESP' src='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.melnikov-smtp-lang.xml'/>
</references>
<section anchor="acknowledgements" title="Acknowledgements">
<t>
Thanks to Ned Freed, Cyrus Daboo, Arnt Gulbrandsen, Kristin Hubner,
Mark E. Mallett, Philip Guenther, Michael Haardt, and Randy Gellens
for comments and corrections.
</t>
<t>
The authors gratefully acknowledge the extensive work of Tim
Showalter as the author of the RFC 3028, which originally defined
the "reject" action.
</t>
</section>
</back>
<!-- Change log
<<NOTE to the RFC editor: please delete this section before
publication.>>
00 First formal draft.
01 Explicit RFC 2034 support, disallow "refuse" in MUAs, typos
corrected, clarifications, etc.
02 Many insubstantial editorial changes (mostly rewording text for
readability). Added text regarding non-ASCII characters in the
refuse "reason" string. Added an exception allowing return-path
forgery to justify discarding a message.
03 (Renamed to be SIEVE WG 00) - Updated boilerplate, added reject
action from the base spec, acknowledged Tim as the author of
"reject".
04 (SIEVE WG 01) Based on WGLC feedback, the refuse and the reject
actions were merged into a single action called reject. Text
reorganized as the result. Typos and examples corrected. Updated
IANA registration and Security Considerations sections.
05 (SIEVE WG 02) Copied some security considerations from Vacation
draft. Clarified that the "reason" string is in UTF-8. Clarified
interaction with "editheader" extension. Added text about sending
of 4XX instead of 550. Corrected typos in several examples.
06 (SIEVE WG 03) Explicitly list all actions incompatible w/
reject. Added two paragraphs explaining why reject SHOULD (as
opposed to MUST/MAY) be incompatible with them. Clarified that if
the reason string contains non-ASCII and rejection over protocol
is possible, then the reason string MUST be replaced with an
implementations defined ASCII-only string. Added :exacttext
optional argument that preserves UTF-8 reason string by forcing
generation of DSN.
07 (SIEVE WG 04) Removed special handling of empty return path.
Several editorial changes from Randy Gellens.
Clarified :exacttext applicability, removed redundancy. Reverted
SHOULD NOT send MDNs back to MUST NOT send MDNs of earlier drafts
(section 3.1.3).
08 (SIEVE WG 05)
Reformatted the text to use no more than 72 characters per line.
Reverted back to two actions (reject and ereject), as per
consensus at the IETF 67. Major text update/rewrite as the
result. Changed the order of actions that can be performed by
ereject: protocol level rejection should always be first,
followed by "accept and discard" for the case of faked return
path. Added more details on how DSN reports should be generated.
09 Editorship of this document taken over by Aaron Stone. Many
general edits, including clarifications and grammar and spelling
corrections. Updated boilerplate to RFC 4748. Nits identified.
Republished for the first time in a long time.
10 Reformatted into XML. Rearranged order of sections. Resolved
all extant editorial issues in SIEVE WG session at IETF 70.
11 Accepted comments following WGLC from Ned Freed and Mattew Elvey.
Updated references to SIEVEBIS, VACATIONBIS and SPAMBIS.
-->
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 11:32:41 |