Internet Draft                                                M. Elvey
Document: draft-ietf-sieve-refuse-reject-00 draft-ietf-sieve-refuse-reject-01     The Elvey Partnership,LLC Partnership,
                                                                   LLC
Expires: November 2005 September 2006                                    A. Melnikov
                                                             Isode Ltd
   The SIEVE mail filtering language - reject and refuse extensions
                    draft-ietf-sieve-refuse-reject

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html.

   A revised version of this draft document will be submitted to the
   RFC editor as a Proposed Standard for the Internet Community.
   Discussion and suggestions for improvement are requested.
   Distribution of this draft is unlimited.

Abstract

   This memo defines the SIEVE mail filtering language [SIEVE] (RFC
   <<3028bis>>) "reject" and "refuse" extensions. extension.

   A Joe-job is a spam run forged to appear as though it came from an
   innocent party, who is then generally flooded by the bounces, MDNs
   Message Disposition Notifications (MDNs) and messages with
   complaints.  With the  The original Sieve "reject" action, action defined in RFC 3028
   required use of MDNs
   contribute for rejecting messages, thus contributing to
   the flood of Joe-job spam to victims of Joe-jobs;
   SMTP level refusals usually don't.  With "refuse", Sieve gains the
   ability Joe-jobs.  This document
   updates definition of "reject" to simply not accept an email allow for rejecting messages
   during the SMTP transaction
   (instead of accepting it and then sending an MDN [MDN] back to the
   alleged sender using "reject"). transaction.

Table of Contents

  1. Introduction                                                   4                                                   3
  2. Conventions Used in this Document                              4                              3
  3. Discussion of finer points                                     4
  4. SIEVE "reject" extension                                       5
     4.1                                       4
     3.1 Action reject                                              5
     4.2                                              4
     3.2 "reject" compatibility with other actions                  6
  5. SIEVE "refuse" extension                                       6
     5.1 Action refuse                                              6
     5.2 "refuse" compatibility with other actions                  7
     5.3 Explicit accomodation for servers that support Enhanced
     Error Codes [ENHANCED-CODES]                  7
  6.
  4. Security Considerations                                        8
  7.                                        7
  5. IANA Considerations                                            8
     7.1                                            7
     5.1 reject extension registration                              8
     7.2                              7
     5.2 refuse extension registration                              8
  8.
  6. References                                                     9
     8.1                                                     8
     6.1 Normative References                                       9
     8.2                                       8
     6.2 Informative References                                     9
  9.                                     8
  7. Acknowledgments                                                9
  10.                                                8
  8. Author's Addresses                                           10
  11.                                             9
  9. Intellectual Property Rights Statement                       10
  12.                         9
  10. Full Copyright Statement                                     11
  13.                                     10
  11. Changes from RFC 3028                                        11
  14.                                        10
  12. Change Log                                                   11                                                   10

1.   Introduction

   The SIEVE mail filtering language [SIEVE] "reject" action defined
   in RFC 3028 only allows users to refuse delivery of a message by
   sending an [MDN].

   This document updates definition of the "reject" action was originally defined in RFC 3028 [SIEVE].

   The "refuse" extension, if supported, permits to permit
   users to handle unwanted email in a way that is sometimes
   preferable to the existing 'discard' and the original 'reject'
   capabilities.  When a spam-
   detection spam-detection system suspects a message is
   spam, but isn't certain, discarding the email is considered too
   risky for some users, for example, those who receive sales leads by
   email. They are willing to use the reject command. Users are
   willing to reject but not discard because the sender of an email
   incorrectly marked as spam will receive a notification that the
   email was refused, and will likely try again to contact the
   intended recipient, perhaps via another method of communication.
   Unfortunately, this usage is problematic, because in the usual
   case, the email is indeed spam, and the alleged sender to whom the
   MDN caused by the reject will be sent will often be an innocent Joe-job Joe-
   job victim.  "Refuse" is
   intended to be superior to The updated "reject" because it will be is less likely to result in email
   to an innocent victim.  "Refuse" refuses victim, because it allows to refuse to accept an
   email for delivery instead of accepting it and then sending an MDN.
   Much spam is sent through open proxies, so
   "refuse" SMTP level refusal
   reduces Joe-job bounces (AKA backscatter) resulting from usage of reject.
   "Refuse"
   MDNs. The updated "reject" will also reduce Joe-jobs caused by
   virus self-propagation via emails with false sender information.  "Refuse"
   SMTP level refusal may conserve bandwidth, by reducing the number
   of MDNs sent. Further discussion highlighting the risks of "reject"
   generating MDNs and the benefits of "refuse" protocol level refusal can be
   found in [Joe-DoS].

2.   Conventions Used in this Document

   Conventions for notations are as in [SIEVE] section 1.1, including
   use of [KEYWORDS].

   This document does not attempt to define what exactly constitutes a
   spam or virus containing email or how it should be identified, or
   what actions should be taken when detected.

3.   Discussion of finer points   SIEVE "reject" extension

   SIEVE implementations that implement the "reject" action must use
   the "reject" capability string.

3.1  Action reject

      Usage:   reject <reason: string>

   The "refuse" "reject" action MUST refuse to accept an email for delivery at cancels the SMTP/LMTP level by returning implicit keep and refuses delivery
   of a 5XX reply code, instead message. How message is refused depends on capabilities of
   sending an MDN
   mail component (MUA, MDA or MTA) executing the Sieve script. The
   Sieve interpreter must do one of the following actions, as required detailed
   by the "reject" action, other than for
   the two exceptions specified below.  A SIEVE implementation following priority table (items listed earlier take
   precedence). Note that
   cannot do so MUST NOT claim to support the refuse extension.

   There is an exception when a message has multiple valid recipients,
   and at least one but if action can not all of them are refusing delivery (whether
   the refusal is caused by execution of a Sieve "refuse" be taken or for
   another reason). In this case, fails, the server MUST accept
   interpreter should try the next item in the list:

     1.   If message
   and generate DSNs for all recipients that are refusing it. Note
   that this exception only applies to SMTP, as LMTP return-path (MAIL FROM) is able to reject
   messages on a per-recipient basis. empty the message MAY be
          accepted and discarded.
     2.   If a "refuse" "reject" implementation performs a return-path
          verification and it clearly indicates that the message has a
          forged return-path, the implementation need not refuse to accept the mail, mail
          delivery, but rather MAY accept and discard it.

   The "reject" action
     3.   Message delivery is defined so that it can be used by
   implementations unable to implement "refuse" (i.e. refused by MUAs) or sending 5XX response code over
          SMTP/LMTP. See section 3.1.1 for
   backwards compatibility with scripts based on RFC3028. more details.
     4.   SIEVE "reject" extension

   SIEVE implementations that implement the "reject" action must use
   the "reject" capability string.

4.1  Action reject

      Syntax:   reject <reason: string>

   The "reject" action refuses   Message delivery of is refused by sending a message non delivery report
          (DSN). See section 3.1.2 for more details.
     5.   Message delivery is refused by sending back
   an [MDN] to the sender. The "reject" action also cancels the
   implicit keep.  It resends the a message disposition
          notification report (MDN). See section 3.1.3 for more details.

3.1.1 Rejecting message at SMTP/LMTP protocol level

   Sieve engines that are able to the sender, wrapping it
   in a "reject" form, noting reject messages at SMTP/LMTP level
   SHOULD use 550 response code. Note that it was rejected by the recipient.
   In is not always possible
   to do that, for example if the following script, a message is rejected arriving over SMTP and returned to
   has multiple recipients, some of which have accepted the
   sender.

   Example:
             require ["reject"]

             if header :contains "from" "coyote@desert.example.org" {
                reject "I am not taking mail from you, and I don't
                want your birdseed, either!";
             }

   A message.
   See section 3.1.2 for recommendations on how to reject message MUST take the form of a failure MDN as specified
   by [MDN]. The human-readable portion of the message, the
   first component of the MDN, contains the human readable message
   describing the error, and it SHOULD contain additional text
   alerting the original sender that mail was refused by a filter.
   This part of the MDN might appear as follows:

   ------------------------------------------------------------
   The message was refused by the recipient's mail filtering program.
   The reason
   given was as follows:

   I am not taking mail from you, and I don't want your birdseed,
   either!
   ------------------------------------------------------------

   The MDN action-value field as defined in the MDN specification MUST
   be "deleted" and MUST have the MDN-sent-automatically
   such case.

   <<Open issue: do we want to allow for non-ascii text below and automatic-
   action modes set.

4.2  "reject" compatibility with other actions

   A "reject" action cancels the implicit keep.

   Implementations MUST prohibit more than one reject in do
   we need a SIEVE
   script. "Reject" is also incompatible way to control "reject with the "refuse" and
   "vacation" [VACATION] extensions.

   Implementations SHOULD prohibit reject when used DSN containing non-ascii
   text" versa "replace non-ascii characters with other
   actions.

5.   SIEVE "refuse" extension

   SIEVE implementations that implement the "refuse" action must use
   the "refuse" capability string.

5.1  Action refuse

      Syntax:   refuse <reason: string>

   The "refuse" action refuses delivery of a message by sending back
   the 550 SMTP response code to an SMTP client.

   This extension can be only supported by a Sieve implementation
   running in an MTA. ?">>
   Note that SMTP [SMTP] doesn't allow for non-ASCII characters in
   SMTP response text. It is an error for non-ASCII characters to
   appear in the "reason" string (unless the client and the server use
   an SMTP extension that allows for transmission of non-ASCII reply
   text; such an extension is not known to the authors).
   text).

   If the "reason" string is multiline, than the reason text MUST be
   returned as a multiline SMTP/LMTP response, per [SMTP], section
   4.2.1.

   In the Any line MUST NOT exceed the SMTP limit on the maximal line
   length. To make the reason string conform to any such limits the
   server MAY insert CRLFs and turn the response into multiline
   response.

   In the following script (which assumes support for the spamtest
   extension), and
   fileinto extensions), messages that test highly positive for spam
   are refused.

      Example:
      require ["refuse", "spamtest"] ["reject", "spamtest",
      "comparator-i;ascii-numeric", "fileinto"]

      if spamtest :value "ge" :comparator "i;ascii-numeric" "6" {
                   refuse text:
   SpamAssassin
   AntiSpam engine thinks the your message is spam.
   It is therefore being refused.
   Please call 1-900-PAY-US if you want to reach us.
   .
                            ;
      } elsif spamtest :value "ge" :comparator "i;ascii-numeric" "4" {
                   fileinto "Suspect";
                  }

   The following excerpt from an SMTP session shows it in action.
   ...
   C: DATA
   S: 354 Send message, ending in CRLF.CRLF.
    ...
   C: .
   S: 550-SpamAssassin 550-AntiSpam engine thinks the your message is spam.
   S: 550-It is therefore being refused.
   S: 550 Please call 1-900-PAY-US if you want to reach us.

5.2  "refuse"

   If the SMTP/LMTP server supports RFC 2034 [ENHANCED-CODES] it MUST
   prepend an appropriate Enhanced Error Code to the "reason" text.
   Enhanced Error code 5.7.1 or a more generic 5.7.0 are RECOMMENDED.
   With Enhanced Error Code the response to DATA command in the SMTP
   example below will look like:

     S: 550-5.7.1 AntiSpam engine thinks your message is spam.
     S: 550-5.7.1 It is therefore being refused.
     S: 550 5.7.1 Please call 1-900-PAY-US if you want to reach us.

   if the server selected "5.7.1" as appropriate.

3.1.2 Rejecting message by sending DSN

   If the implementation receives a message via SMTP that has more
   than one RCPT TO that has been accepted by the server, and at least
   one but not all of them are refusing delivery (whether the refusal
   is caused by execution of a Sieve "reject" or for another reason).
   In this case, the server MUST accept the message and generate DSNs
   for all recipients that are refusing it. Note that this exception
   does not apply to LMTP, as LMTP is able to reject messages on a per-
   recipient basis.

3.1.3 Rejecting message by sending MDN

   When Sieve engine is running inside MUA it has no ability to reject
   the message before it was delivered, as the message is already
   deliverd. In this case the client should send a Message Disposition
   Notification [MDN] back to the sender. It resends the message to
   the sender as specified in the Return-Path header field, wrapping
   it in a "reject" form, noting that it was rejected by the
   recipient.  In the following script, a message is rejected and
   returned to the sender.

   Example:
                require ["reject"]

                if header :contains "from" "coyote@desert.example.org"
   {
                reject text:
   I am not taking mail from you, and I don't
   want your birdseed, either!"
   .
                ;
             }

   A reject message MUST take the form of a failure MDN as specified
   by [MDN]. The human-readable portion of the message, the first
   component of the MDN, contains the human readable message
   describing the error, and it SHOULD contain additional text
   alerting the original sender that mail was refused by a filter.
   This part of the MDN might appear as follows:

   ------------------------------------------------------------
   The message was refused by the recipient's mail filtering program.
   The reason
   given was as follows:

   I am not taking mail from you, and I don't want your birdseed,
   either!
   ------------------------------------------------------------

   The MDN action-value field as defined in the MDN specification MUST
   be "deleted" and MUST have the MDN-sent-automatically and automatic-
   action modes set.

3.2  "reject" compatibility with other actions

   "Refuse"

   A "reject" action cancels the implicit keep, and is incompatible with
   "reject" and "discard". "Refuse" keep.

   Implementations MUST prohibit the execution of more than one reject
   in a SIEVE script. "Reject" is also incompatible with the
   "vacation" [VACATION] action. extensions.

   Any action that would modify the message body will necessarily not have no effect
   on the body of any message refused by "refuse" "reject" using the 550 SMTP
   response code.
   If a script attempts to "refuse" the same message more than once,
   the implementation may ignore the later attempts or consider it
   an error."

5.3  Explicit accomodation for servers that support Enhanced Error
    Codes [ENHANCED-CODES]

   This section only concerns implementations that support Enhanced
   Error Codes.

   If the server supports RFC 2034 [ENHANCED-CODES] it MUST select an
   appropriate Enhanced Error Code (e.g. 5.7.1 or a more generic
   5.7.0) and prepend it to the "reason" text. I.e. code <<and might not have any effect on such an
   implementation, the example in section 4.1 would show up in SMTP
   as:

     550-5.7.1 SpamAssassin thinks the message is spam.
     550-5.7.1 It is therefore being refused.
     550 5.7.1 Please call 1-900-PAY-US if you want to reach us.

   if the server selected "5.7.1" as appropriate.

6. context of
   generated DSN/MDNs>>.

   Implementations SHOULD prohibit reject when used with other
   actions.

4.   Security Considerations

   The "refuse" "reject" extension does not raise any security considerations
   that are not present in the base [SIEVE] protocol, and these issues
   are discussed in [SIEVE].

7. <<Mail loops>>

   The Introduction section talks about why rejecting messages before
   delivery is better then accepting and bouncing them.

5.   IANA Considerations

   The following section provides the IANA registrations for the Sieve
   extensions specified in this document:

7.1

5.1  reject extension registration

   IANA is requested to update the registration for the SIEVE "reject"
   and "refuse" extensions
   extension to point to this document.

   <<Update Tim's
   IANA is also requested to update Tim Showalter's email address as well?>>

7.2 to
   be
     tjs@psaux.com

5.2  refuse extension registration

   To: iana@iana.org
   Subject: Registration

   IANA is requested to remove registration of new Sieve extension

   Capability name: refuse
   Capability keyword: the refuse
   Capability arguments: N/A
   Standards Track/IESG-approved experimental RFC number: this RFC
   Person and email address to contact for further information:

       Matthew Elvey
       The Elvey Partnership, LLC
       3042 Sacramento-ietf St Ste 04
       San Francisco, CA
       U.S.A.

       <mailto:sieve3@matthew.elvey.com>

8. extension.

6.   References

8.1

6.1  Normative References

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", RFC 2119, March 1997.

   [SIEVE] Showalter, "Sieve: A Mail Filtering Language", RFC 3028,
   January 2001. T. and P. Guenther, P., "Sieve: An Email Filtering
   Language", Work-in-
   progress, Work-in-progress, draft-ietf-sieve-3028bis-XX.txt

   [SMTP] Klensin, J. (Editor), "Simple Mail Transfer Protocol", AT&T
   Laboratories, RFC 2821, April 2001.

   [LMTP] Myers, J., "Local Mail Transfer Protocol", Carnegie-Mellon
   University, RFC 2033, October 1996.

   [DSN] Moore , K., Vaudreuil, G., "An Extensible Message Format for
   Delivery Status Notifications", University of Tennessee, Lucent
   Technologies, RFC 3464, January 2003.

   [MDN] Fajman, R., "An Extensible Message Format for Message
   Disposition Notifications", National Institutes of Health, RFC
   2298, March 1998.

   [ENHANCED-CODES] Freed, N., "SMTP Service Extension for Returning
   Enhanced Error Codes", Innosoft, RFC 2034, October 1996.

8.2

6.2  Informative References

   [Joe-DoS] Stefan Frei, Ivo Silvestri, Gunter Ollmann, "Mail Non
   Delivery Message DDoS Attacks", 5 April 2004",
   <http://www.techzoom.net/paper-mailbomb.asp>.

9.

   [SPAMTEST] Daboo, C., "SIEVE Email Filtering: Spamtest and
   Virustest Extensions", work in progress, draft-ietf-sieve-
   spamtestbis-XX.txt
   <<Note that this reference can be safely replaced with RFC 3685.>>

7.   Acknowledgments

   Thanks to Ned Freed, Cyrus Daboo, Arnt Gulbrandsen, Kristin Hubner,
   Mark E. Mallett and Mallett, Philip Guenther and Michael Haardt for comments
   and corrections.

   The authors gratefully acknowledge the extensive work of Tim
   Showalter as the author of the RFC 3028, which originally defined
   "reject".

10.

8.   Author's Addresses

   Matthew Elvey
   The Elvey Partnership, LLC
   3042 Sacramento-ietf St Ste 04
   San Francisco, CA
   U.S.A.

   Email: sieve3@matthew.elvey.com

   Alexey Melnikov
   Isode Limited
   5 Castle Business Village
   36 Station Road
   Hampton, Middlesex, TW12 2BX
   UK

   Email: Alexey.Melnikov@isode.com

11.

9.   Intellectual Property Rights Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

12.

10.  Full Copyright Statement

   Copyright (C) The Internet Society (2005). (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
   ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
   PARTICULAR PURPOSE.

   Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

13.

11.  Changes from RFC 3028

  Clarified that the "reject" action cancels the implicit keep.

14.
  Extended list of allowable actions on reject to include protocol
  level message rejection and generation of DSNs.

12.  Change Log

  <<Note that this section will be deleted before publication.>>

   00   First formal draft.
   01   Explicit RFC 2034 support, disallow "refuse" in MUAs, typos
        corrected, clarifications, etc.
   02   Many insubstantial editorial changes (mostly rewording text for
        readability). Added text regarding non-ASCII characters in the
        refuse "reason" string. Added an exception allowing return-path
        forgery to justify discarding a message.
   03   (Renamed to be SIEVE WG 00) - Updated boilerplate, added reject
        action from the base spec, acknowledged Tim as the author of
        "reject".
   04   (SIEVE WG 01) Based on WGLC feedback, the refuse and the reject
        actions were merged into a single action called reject. Text
        reorganized as the result. Typos and examples corrected. Updated
        IANA registration and Security Considerations sections.