Too many addresses in To field?

How many recipients would you consider too much?

Today I get a spam with 1,302 entries in the To field. Obviously that's too many.

How many would you think is too many?

Jeff

We have a rule set up that no non-server IP can send more than 150 emails in 5 minutes. If this rule is triggered the offending IP is blocked for 6 hours. This rule has caused issues with some organization's newsletter(s), but it has made us aware of who sends bulk email and why.

All this said, I will point out that we no longer use our DA box to handle inbound email.

That's not what I'm asking. I'm not sure how you can be sure what's a server and what isn't; do you mean authenticated vs unauthenticated?

I'm asking about the number of entries specifically in a recipient field, such as To or Cc.

Not even in the envelope recipient list, but in one of those fields.

Jeff

To attempt to clarify my initial response to your question. When I said 'server' I was meaning SMTP process starting from my local network. I expect email messages from a limited # of IPs for instance my DA server so I whitelist those IPs. We use authentication on SMTP for email destination to remote servers but this is still affected by the 150 rule unless their IP is whitelisted.

My personal opinion to answer your question would be 2. The 'to' line should have one email and one only. We have CC and BCC to send multiple copies to other email addresses. That being to hard to swallow I would say a user typing in emails into a 'to' line would probably get tried around 10.

Is there a limit in the original RFC?

One only? I regularly use up to three or four, occasionally more.

Why?

Politics. The person in the Cc line may feel slighted.

Ten? Perhaps.

On another note: got any exim.conf code to share with us ?

Jeff

Jeff

I don't know about the web-interface email clients, but I have several email users who use the "to" box for everything. I've told them about CC and BCC, but they don't really care. They easily go past 10 on a regular basis because they are running MS Outlook, and have groups setup (friends, jokes, work, etc). The group is put in the "to" box. Then all the people of that group is expaned out. I would think that if email users can't drop in their group list they might get annoyed. I had my limit set before at 75, and only once in a while did I have a request for more (and that was simply to notify EVERYBODY they had a new email address).

Where is this setting in DA?

There isn't. It's something I can look into doing if it's an issue. When I got so many at once in a To field, I decided to ask if it was an issue.

Jeff

I also tried to instruct my users/clients how to send mail to multiple receivers, 1 in the TO, the others in CC. But as said by donkeykick, they just drop a group in the TO field, thus creating a mail to over 50 people.

If you should limit this number on the server you will probably have about 50% of your clients complaining they cannot send or receive these mails.

Note that in my original post I saw a spam to me with 1,302 recipients in the To field, that made it through.

Surely 1,302 is too much?

So my question is what isn't?

Jeff

I'd say probably anything over 100 - 200 is too much.

RFC 2821 answers this question

http://www.ietf.org/rfc/rfc2821.txt extracted 4.5.3.1 Size limits and minimums

recipients buffer
The minimum total number of recipients that must be buffered is
100 recipients. Rejection of messages (for excessive recipients)
with fewer than 100 RCPT commands is a violation of this
specification. The general principle that relaying SMTP servers
MUST NOT, and delivery SMTP servers SHOULD NOT, perform validation
tests on message headers suggests that rejecting a message based
on the total number of recipients shown in header fields is to be
discouraged. A server which imposes a limit on the number of
recipients MUST behave in an orderly fashion, such as to reject
additional addresses over its limit rather than silently
discarding addresses previously accepted. A client that needs to
deliver a message containing over 100 RCPT commands SHOULD be
prepared to transmit in 100-recipient "chunks" if the server
declines to accept more than 100 recipients in a single message.

Click to expand...

The title of this thread, which was Too many recipients?, makes my question unclear; I've just given the thread a new title.

Because recipients as defined in the RFCs is NOT what I'm referring to. I'm referring to NOT recipients, but email addresses listed in the "To:" field and/or the "Cc:" field. In my total experience only spammers (amateur spammers at that) ever use the "To:" and the "Cc:" fields.

Jeff

Jeff,

Now you have confused me. How can any email address in the to or cc field not be a recipient? If the email address is bad, some server had to find out it was bad. And if the envelope addresses (recipients) does not match the 'to:' listed in the email then the message is at least from a misconfigured server or a positive spammer.

I am not trying to argue, I just don't see the difference. Hope there is no hard feelings.

Brian

You can type whatever you want in the To field. It's just a field. Nothing in RFCs considers it. Nothing in our configuration of exim even looks at it.

Yes, they're often the same, but that's only because the rather simplistic email clients on our desktops ask for the To, Cc, and Bcc fields, and create the recipient lists from the contents of those fields.

Think of it similarly to a business letter you get in the mail.

The recipient list is what's on the envelope.

The To field is similar to the "inside address" which many business letters have above the salutation. It doesn't even get read until you open the envelope. Which in our email world is the same as opening the email on your desktop. (Or at least seeing it on your desktop.)

Of course there aren't any hard feelings. It was my misnaming of the thread which was getting me confused and confusing answers.

Jeff

I would have to agree with jlandes 100 ~ 200 should be enough for the groups most users have.

I do wonder one thing, was the 1300 message spam, was that a user of yours ignoring your TOS or was it something more devious?

I have 1 client who has over 20,000 contact in his outlook.... yea, I know that is very high, but what would happen if he tried to notify everyone in his list he just got a new email address and wanted to bulk-notify everyone? I just checked my contacts list, and found 600 entries. Maybe something extra should be looked at besides the # in the to box... seeing how contact lists seem to only get larger over time.

Again, I think you're missing the point. It's not how many recipients there are for the messages; that's in the RFCs. It's how many we should allow seeing in the To" field, before we decide to bounce the email as spam.

The email with 1303 email addresses in the To field was spam. Of course spam may be sent out with more or less messages as recipients, and this message could have been fully RFC compliant, and many receiving servers may have accepted the first 100 recipients at their domain (if any such group of 100 or more existed) and then silent discarded, or refused, the rest.

None of this has anything to do with the amount of email addresses a sender puts into the To field.

Maybe I should just forget about it. The thing I saw when I got the email was that there was such a large header field displayed by my email client's preview pane that I would have had to open the email to read it, and risk infection, etc., if the mail was dangerous. So it could be just another spammer tactic; most of us would click on the email to read it rather than scroll down in the preview screen.

I guess the best thing to do with this thread is let it die.

Jeff

Jeff,

I may be incorrect in my statement here, but I believe that I recall someone telling me at one point that viewing a message in the preview pane of your mail client is the same as opening the message. Our security team recommended that we turn off the preview pane for that reason. You might want to check into that, as I don't want to see you accidentally infect yourself with something. Hope this helps.

I heard the same thing as jlandes, about 8 years ago (seriously, with outlook 98 or 2000). I kinda thought they addressed that and fixed it though. Maybe not.

I think I understand your question though, Jeff.

You had a email come in with 1300 addresses in the to box, and your email client decided to display the entire list, and in order to see the email, you would have to open the email. Annoying.

Outlook restricts the size of the to box to 4 lines in the previewer, and 4 lines in the actual email. If the number of addresses is great then that, it does a scroller, but still only 4 lines viewable. The message is still easily viewable regardless of the number of addresses in the "to" box. While many here might not like Outlook, the handling of this issue seems very eligant.

That said, users might want to be able to see all these users for a sad form of proof they sent emails to all those people (collaboration). Maybe display a few, but if the # gets to large dump them in a text attachment or do a scroller or something... or possible put a large to list at the bottom instead of at the top.

Jeremy, I don't get infected (at least not yet, I run Linux desktops). I worry about others. Our email client shows raw html only in the preview pane, so we wouldn't get infected even by some kind of Linux or cross-platform malware.

donkeyKICK, I understand your point but since 1300 could mean well over 100 would be sent to a given domain and actually received anyway if the RFCs are followed, then there's really no proof anywhere, anyhow .

I think it's time to give up on the idea; the only interest it appears to have garnered is from semanticists.

Jeff