Re: Tool for validating sender address as spam-fighting technique?

[ha...@t-online.de]

>> Sietse van Zanen wrote:
>> > Ralf Hildebrandt wrote:
>> > > Kelly Jones wrote:
>> > > > To fight spam, I want to validate the address (not necessarily in
>> > > > real-time) of the a given email sender. Is there a Unix tool that
>> > > > does this?
>> > >
>> > > Postfix has exactly this built in. It's the
>> > > "reject_unverified_sender" restriction.
>> >
>> > Yes, but you don't always want to reject such mails. NDR's,
>> > automated mails etc are often send from empty or non-existent e-mail
>> > addresses.
>> 
>> Any legitimate email will have a valid sender address.  That includes
>> DSNs and automated messages.  Within a small network it may be okay to
>> use an invalid sending address locally.  But for any mail across a wan
>> the sending address must be able to receive bounces.
>> 
>> So yes I do want to always reject mail with invalid sending addresses.
>> 

Hi Bob,

what happens if I put one such thing on my mailserver too and want to send you a mail?
My outgoing MX starts a smtp connection, and then, at RCPT TO, your system
starts a smtp dialogue with my incoming MX. Unless the machines are tightly coupled,
my incoming MX does not expect to get a verification probe - it will believe that you try
to send me some mail, and probe your machine.
This looks like a source of infinite loops :(
In fact, I usually configure servers to accept X sessions at most, and a smaller Y sessions
from the same IP. So if your server does not have a session limit (or has set it to a higher
value than mine) verification would ultimately fail when there are Y concurrent probes
going on

Of course the problem does not exist if an implementation chooses to accept the smtp data,
and then reject at the end of data

Wolfgang Hamann

Re: Tool for validating sender address as spam-fighting technique?

[John Rudd <jr...@ucsc.edu>]

Matt Hampton wrote:
> Wolfgang
> 
>> what happens if I put one such thing on my mailserver too and want to 
>> send you a mail?
>> My outgoing MX starts a smtp connection, and then, at RCPT TO, your 
>> system
>> starts a smtp dialogue with my incoming MX. Unless the machines are 
>> tightly coupled,
>> my incoming MX does not expect to get a verification probe - it will 
>> believe that you try
>> to send me some mail, and probe your machine.
>> This looks like a source of infinite loops :(
> 
> All of the milters are configured with an address verfication address. 
> This is used as the sender when verifying addresses and so when the 
> address is seen in an incoming session it is allowed through.
> 
> I use addresstest@domain.com..


The correct answer is:

When trying to validate a sender, and you do a call-back probe (as this 
technique is already in use by places like verizon, and has been for 
years), you should use <> as your sender address.  The other side knows 
it's valid immediately (because RFCs say so), and thus the other side 
doesn't need to try to do a call-back on you, creating potential for an 
infinite loop.

Re: Tool for validating sender address as spam-fighting technique?

[Matt Hampton <ma...@coders.co.uk>]

Wolfgang

> what happens if I put one such thing on my mailserver too and want to send you a mail?
> My outgoing MX starts a smtp connection, and then, at RCPT TO, your system
> starts a smtp dialogue with my incoming MX. Unless the machines are tightly coupled,
> my incoming MX does not expect to get a verification probe - it will believe that you try
> to send me some mail, and probe your machine.
> This looks like a source of infinite loops :(

All of the milters are configured with an address verfication address. 
This is used as the sender when verifying addresses and so when the 
address is seen in an incoming session it is allowed through.

I use addresstest@domain.com..

matt