From: "Chad Leigh -- Shire.Net LLC"
Date: Sun, 11 Mar 2007 15:12:53 -0600
To: John L
Cc: freebsd-questions@freebsd.org
Subject: Re: Tool for validating sender address as spam-fighting technique?

On Mar 11, 2007, at 2:55 PM, John L wrote:

>> I phrased it wrong. You are not responsible for the content, but
>> you are responsible for the mail domain and that includes
>> verifying that mail is validly from your domain you are
>> responsible for.
>
> Oh, OK. So if someone sends pump and dump with a chad@shire.net
> return address, and I do a callback and your MTA says "yup! that's
> a 100% valid address!" then I turn you in to the SEC, right?

You do know what the SEC is, right?

> You have now confirmed that the mail is from you, after all.

No, it only confirms that the sender address is an actual address.

> Or if you haven't, what purpose did the callback serve?
>

It served to identify that it is possibly a valid email. A failure is almost definitely a non valid email. It is a test which helps determine whether to accept it. We have a policy of not accepting mail from people who cannot accept DSNs back. That does not mean we give a blanket pass to those who pass address verification.

> There is some reasonable validation technology coming along, most
> notably DKIM, with which I presume you are familiar. But callbacks
> are not it.

Callbacks are one tool in the toolbox. Maybe someday there will be better tools and we can retire address verification. Callbacks, at this point in time, work very well for differentiating a large amount of non valid mail from a smaller pool of possibly valid mail.

DKIM is interesting and I am watching it. I am in the process of adding some support for it btw, both for our authorized senders, as well as in our receive phase. For example, we are considering not doing address verification on incoming mail that has a valid DKIM signature.

>
>> and you are breaking the RFCs. (valid verification includes
>> checking that the sender can accept a proper DSN back, which is
>> required of the sender to do).
>
> Uh huh. Which RFC is this that says I have to permit a fake
> partial DSN transaction? If you have a DSN, send it. If you
> don't, don't.

The RFCs require you to accept back DSNs. Testing that you do is a valid test to see if I am talking with a valid sender -- one who implements the RFCs and is not a rogue internet user who does not cooperate in the exchange of emails according to the agreed standards.

Show me some real verifiable numbers that show that verification traffic to your box is a significant portion of the otherwise bad traffic of mail bombs, bounces, etc. On my system, and we support a lot of mail domains, some of which (now or in recent past) were "big name" domains that had a lot of exposure, address verification traffic has always been small compared to our overall load. You are complaining about a non issue.

I can say that address verification helps us reject the lion's share of spam we receive without having to process it further.

Chad

>
> Don't forget that the From: line address need not be the same as
> the bounce address; in my mail it never is.
>
> R's,
> John

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
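
The receive-side policy described in the message above, as an added example that is not part of the original post: a failed callback rejects, a passed callback only lets the message continue to further filtering, and a valid DKIM signature skips the callback (the option Chad says is under consideration). The transcript format, the function names, the handling of temporary failures and the sample exchanges (null-sender `MAIL FROM:<>`, `RCPT TO` the claimed address, `QUIT` before `DATA`) are assumptions constructed for illustration.

```python
import re

# Constructed callback exchange: C: is the verifying MTA, S: the sender's MX.
GOOD = """\
S: 220 mx.example.net ESMTP
C: HELO verifier.example.org
S: 250 mx.example.net
C: MAIL FROM:<>
S: 250 OK
C: RCPT TO:<alice@example.net>
S: 250 Accepted
C: QUIT
S: 221 Bye
"""
# Constructed variants: unknown mailbox, and a host that refuses bounces.
BAD_USER = GOOD.replace("250 Accepted", "550 No such user")
NO_BOUNCES = (GOOD.split("C: MAIL")[0]
              + "C: MAIL FROM:<>\nS: 550 bounces not accepted\nC: QUIT\nS: 221 Bye\n")

REPLY = re.compile(r"^S: (\d{3})[ -]")

def callback_result(transcript):
    """Return 'pass', 'fail' or 'tempfail' for a recorded callback exchange."""
    last_cmd = None
    for line in transcript.splitlines():
        if line.startswith("C: "):
            last_cmd = line[3:].split(":")[0].upper()  # 'MAIL FROM', 'RCPT TO', ...
            continue
        m = REPLY.match(line)
        if not m or last_cmd not in ("MAIL FROM", "RCPT TO"):
            continue  # greeting, HELO and QUIT replies do not decide anything
        code = m.group(1)
        if code[0] == "5":
            return "fail"      # refuses bounces, or the address does not exist
        if code[0] == "4":
            return "tempfail"
        if last_cmd == "RCPT TO":
            return "pass"      # the address would accept a DSN
    return "tempfail"          # exchange ended before RCPT TO was answered

def receive_decision(dkim_valid, transcript=""):
    """Map the checks onto the next step for an incoming message."""
    if dkim_valid:
        return "continue-filtering"  # callback skipped; still not a blanket pass
    result = callback_result(transcript)
    # Deferring on a temporary failure is an assumption, not stated in the post.
    return {"pass": "continue-filtering", "fail": "reject", "tempfail": "defer"}[result]
```
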