internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Do not reuse timed out IP addresses in the STARTTLS test #339

Open gthess opened 6 years ago

gthess commented 6 years ago

There is a case where mail administrators advertise IP addresses that always time out in order to deter spammers. When such an IP is encountered it should be ignored for further connections.

baknu commented 2 years ago

@gthess: Do we have an example domain?

It seems impossible to differentiate between mail servers that have intended unreachability and mail servers that have an outage. So, this probably means that we cannot fix this.

gthess commented 2 years ago

Not anymore, I am afraid. This issue is not for ignoring those addresses. Rather, it is for marking them as timed out and preventing further connections to them, so as to not slow down and possibly fail the test altogether due to test time limits.

baknu commented 2 years ago

@gthess Ok. However, an address that 'times out' today could be reachable tomorrow. So for how long do we ignore these 'timed out' addresses?

gthess commented 2 years ago

Only for the duration of the test. So if it timed out, ignore for the rest of the connections. The same result (non reachable?) will be given while the results are cached. After that the address will be tested again. This is only for not wasting testing time on addresses that time out.

Also IIRC this is specifically for timeout addresses where the connection is made but then purposely kept open. Not for unreachable addresses.

baknu commented 2 years ago

Ah ok, much clearer. Is mailbox.org an example domain?

gthess commented 2 years ago

I don't think so. All MXs work for me. IIRC what I saw was the most preferred MX to be timing out and the rest being the real ones. I'll try to see if I can dig up an earlier email.

sinteur commented 2 years ago

I recall the same. Apparently it is a modern anti-spam technique and spam botnets only try the most preferred MX.

baknu commented 2 years ago

Does this issue relate to the situation below that is described in this mail to the DANE-users mailing list:

Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.

gthess commented 2 years ago

Maybe, if those hosts are configured to time out and not just refuse the connection straight away.
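The behaviour discussed in this thread, sketched as an added example (not code from Internet.nl or from any commenter): an address that accepts the connection but never sends a greeting is remembered for the rest of one test run and not dialled again, while an address where no connection is established is not cached. `StarttlsProber`, `FakeSocket`, `demo` and the sample MX addresses are hypothetical names and constructed data.

```python
import socket

class StarttlsProber:
    """State for one test run; discarded when the run ends."""

    def __init__(self, connect=socket.create_connection, timeout=5.0):
        self._connect = connect   # injectable so the example runs offline
        self._timeout = timeout
        self.timed_out = set()    # IPs that accepted, then never greeted
        self.dialled = []         # every address actually connected to

    def banner(self, ip, port=25):
        """Return the SMTP greeting, or a status string when none was read."""
        if ip in self.timed_out:
            return "skipped"      # do not spend another timeout on it
        self.dialled.append(ip)
        try:
            with self._connect((ip, port), self._timeout) as sock:
                sock.settimeout(self._timeout)
                try:
                    data = sock.recv(512)
                except socket.timeout:
                    # Connection made but held open without a greeting.
                    self.timed_out.add(ip)
                    return "timed-out"
        except OSError:
            return "unreachable"  # connection never established: not cached
        return data.decode("ascii", "replace").strip()


class FakeSocket:
    """Constructed stand-in for a TCP socket; greeting=None is a silent host."""
    def __init__(self, greeting): self.greeting = greeting
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def settimeout(self, t): pass
    def recv(self, n):
        if self.greeting is None:
            raise socket.timeout("no greeting")
        return self.greeting


def demo():
    # Constructed MX set (documentation addresses): most preferred MX is silent.
    hosts = {"192.0.2.1": None, "192.0.2.2": b"220 mx2.example.test ESMTP\r\n"}
    prober = StarttlsProber(connect=lambda addr, t: FakeSocket(hosts[addr[0]]))
    # Assumed: a run makes several connections per address (one per subtest).
    results = [prober.banner(ip) for _ in range(3) for ip in hosts]
    return results, prober.dialled
```

Creating a new `StarttlsProber` per test run gives the "only for the duration of the test" lifetime; the silent address is dialled once instead of three times.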