You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/03/29 21:22:49 UTC
Sender Address Verification is NOT abouse and very effective
John D. Hardin wrote:
> Can anyone recommend a non-abusive way to validate email addresses?
>
Yes - Sender Address Verification (SAV) works very well. It is not
abusive. Especially the way Exim implements it.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
Duane Hill wrote:
> On Thu, 29 Mar 2007, Marc Perkel wrote:
>
>>
>> John D. Hardin wrote:
>>> Can anyone recommend a non-abusive way to validate email addresses?
>>>
>>
>> Yes - Sender Address Verification (SAV) works very well. It is not
>> abusive. Especially the way Exim implements it.
>
> That could very well be in your scenario. In my scenario, I deal with
> over 4.5 million messages per day and a SAV against MSN, AOL or the
> such would get my servers blocked within 24 hours. I use to use SAV
> until I started getting blocked by Hotmail. Within 24 hours, our
> server had attempted verification on over 24,000 messages.
>
> Not to throw the message way off topic. What other special way does
> Exim do to verify? Ultimately you would have to make a server
> connection to verify. Otherwise you would be playing the guessing game.
>
Exim caches the results of verify calls for several hours so repeat
calls are kept local. It also does a trick to determine if the host will
take any address and if it determines the host will take any address it
doesn't do a callout again.
Another things I do is I verify the recipient before I verify the
sender. Generally spammers are doing a dictionary attack using both fake
senders and recipients. So if the recipient doesn't exist then I don't
verify the sender.
I also do all my blacklist tests first and many other tests to eliminate
spam so sender verification is way down the line. That way I do avoid
unnecessary callouts to other servers.
So - it works very well for me. The only complaints I get are from the
SAV Nazis who hide themselves from public scrutiny.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Marc Perkel wrote:
>
>> I am not necessarily speaking of the context of a MTA.
>>
>> Example pulled out of thin air: if you had a corpus and you wanted to
>> check the addresses within it, what would be a "polite" way to do so?
>> Just open an SMTP connection and see what the far end says to "RCPT
>> TO:", but put a tight rate limit on it?
>>
>>
>
> Yes - that would work. Don't kit any one server faster than once a second.
And make a new connection per check. My server will start replying
invalid address to everything once 5 invalid attempts with the same
connection are made.
Just FYI.
Regards,
Rick
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
John D. Hardin wrote:
> On Thu, 29 Mar 2007, Marc Perkel wrote:
>
>
>> John D. Hardin wrote:
>>
>>> Can anyone recommend a non-abusive way to validate email addresses?
>>>
>> Yes - Sender Address Verification (SAV) works very well. It is not
>> abusive. Especially the way Exim implements it.
>>
>
> I am not necessarily speaking of the context of a MTA.
>
> Example pulled out of thin air: if you had a corpus and you wanted to
> check the addresses within it, what would be a "polite" way to do so?
> Just open an SMTP connection and see what the far end says to "RCPT
> TO:", but put a tight rate limit on it?
>
>
Yes - that would work. Don't kit any one server faster than once a second.
RE: Sender Address Verification is NOT abouse and very effective
Posted by Rick Cooper <rc...@dwford.com>.
> -----Original Message-----
> From: Marc Perkel [mailto:marc@perkel.com]
> Sent: Friday, March 30, 2007 11:42 AM
> To: users@spamassassin.apache.org
> Subject: Re: Sender Address Verification is NOT abouse and
> very effective
>
>
>
> John D. Hardin wrote:
> > Is there a non-abusive way to automatically verify an email
> address is
> > valid? Verification does not need to occur in real-time; large delay
> > is acceptable. It is not intended as any sort of attack/abuse/spam
> > prevention or mitigation strategy. A given address will not
> be checked
> > more than once. There may not be any email message headers
> associated
> > with the address.
> >
> > If this is drifting off topic, let's kill it and I'll find
> someplace
> > more appropriate.
> >
> >
>
> Yes - there is. I'm using Exim and if you aren't using Exim you might
> not be able to do the things I can do. It's SAV done right.
>
> Exim provides caching so it minimizes real callouts. Youalso
> have to do
> things in the right order. You do the greylisting/blacklisting first.
> You then exclude all the spammer only tricks like impersonating your
> domain(s) and other stuff that only spammers do. You then verify the
> recipient exists first. After doing all this the sender verification
> traffic is minimal.
>
> Now if someone wants to invent a better way that would be great. I'd
> like to see some sort of DNS based way to do this but until there's
> something better SAV is it.
>
I agree with the DNS based method.
Perhaps a txt record that states a given IP is allowed to run mail
services on the
owner of that Ips DNS
Next verify via a forward query of the domain that IP is allowed to
*send* mail for that
Domain.
I am not talking about defining dynamic, etc I am saying a query on the IP
returns a yes no as far as that IP having the right (AUP) to operate an
email service. Then check the domain part to see if that IP is allowed to
send mail on behalf of that domain. Like a ms (mail sender) records instead
of a mx record.
Next I have thought it would be nice in today's world of "bot" that a
service exist explicitly to honor address verification requests that has
nothing to do with the SMTP server. It would have to be light and fast,
perhaps UDP in the same light as DNS. You would send the request to the
service designated by the domain's DNS, this would allow the same types of
round robin or load balancing as DNS servers enjoy. That server would hold
all valid addresses (include aliases) that domain would like to allow to
send mail.
It would return a simple 0,1,2 type of response for yes, no, defer. I would
think that were the backend for such a service to be CDB, the load would be
as light, perhaps less, than a DNS service. Smaller mail systems could
easily run it on the same host as the mail service it's self, larger would
run separate servers or share a DNS server. This type of service could also
enjoy the same geographical dispersement as large DNS systems do as well. A
CDB database wouldn't require much in terms of memory or physical resource,
they are extremely fast and efficient.
Example: calling host mail.this.com [10.10.10.10] mail from someone@this.com
1. DNS request type ms 10.10.10.10
a. response no - reject
b. response yes
1. DNS request type mailok this.com
a. response no - reject
b. response yes
1. DNS request type mauthservice
mail.this.com
a. response none - defer
b response 10.10.10.11
1. CheckSender
10.10.10.11 someone@this.com
a. response
0 - accept
b. response
1 - deny
c. response
2 - defer
Under such a scenario the service at 10.10.10.11 could handle requests for
this.com, that.com or there.com. What ever is setup for those domains, so
handle virtuals or hosting services would be no big deal. The point is when
the whole SMTP process was originally designed no one anticipated the
current state of the internet much less the concept of someone forging
addresses, domains, etc. And in terms of resources just look at what is
currently wasted to trying to determine spam/ham. While I am sure the above
is not perfect it would require an ISP to be party to mass spamming, it
would certainly provide a clear chain of responsibility and make enforcement
of anti-spam laws much easier. And, please don't bring up dynamic host
blocking. I am currently awaiting SORBS to de-list a mail server that has
never been dynamic but is part of a DSL listing. That host had symmetrical
DNS for nearly 3 weeks prior to turning on the mail service and was/is still
listed (although I got an email saying they were delisting it soon). In such
a scenario as above once the ISP added the proper ptr record and the mail ok
record I would have been fine.
Just a looong opinion for a Sunday morning.
Rick
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
John D. Hardin wrote:
> Is there a non-abusive way to automatically verify an email address is
> valid? Verification does not need to occur in real-time; large delay
> is acceptable. It is not intended as any sort of attack/abuse/spam
> prevention or mitigation strategy. A given address will not be checked
> more than once. There may not be any email message headers associated
> with the address.
>
> If this is drifting off topic, let's kill it and I'll find someplace
> more appropriate.
>
>
Yes - there is. I'm using Exim and if you aren't using Exim you might
not be able to do the things I can do. It's SAV done right.
Exim provides caching so it minimizes real callouts. Youalso have to do
things in the right order. You do the greylisting/blacklisting first.
You then exclude all the spammer only tricks like impersonating your
domain(s) and other stuff that only spammers do. You then verify the
recipient exists first. After doing all this the sender verification
traffic is minimal.
Now if someone wants to invent a better way that would be great. I'd
like to see some sort of DNS based way to do this but until there's
something better SAV is it.
Re: Sender Address Verification is NOT abouse and very effective
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 29 Mar 2007, John Rudd wrote:
> You can't control how many other people are doing the same probe
> at the same time. It might seem like batching from a corpus makes
> it better than doing live probes, but the fact is that you don't
> know, and can't know. All you can control is "am I going to probe
> for TMDA/SAV or not".
>
> In a private message, John Hardin suggested that putting TDMA and
> SAV into the same lump isn't fair. I wont duplicate his email
> here (since that would be rude),
I now kinda regret doing that because I didn't want to take this too
far off-topic, but it does seem to be of interest. John, if you want
to reply to the list that's fine by me.
John's point is valid; you can't exclude the behavior of others when
calculating the impact of behavior you control.
> If you want to deal with eliminating forgeries, require DK/DKIM.
> Any resources that impacts upon the forged sender (obtaining their
> public key) is at least consensual on their part (because they
> have offered their public key).
The context of my question is not necessarily preventing forgeries,
and is not necessarily anti-spam. I'll restate my question with some
of the unspoken assumptions made clear:
Is there a non-abusive way to automatically verify an email address is
valid? Verification does not need to occur in real-time; large delay
is acceptable. It is not intended as any sort of attack/abuse/spam
prevention or mitigation strategy. A given address will not be checked
more than once. There may not be any email message headers associated
with the address.
If this is drifting off topic, let's kill it and I'll find someplace
more appropriate.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
So Microsoft's invented the ASCII equivalent to ugly ink spots that
appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
14 days until Thomas Jefferson's 264th Birthday
Re: Sender Address Verification is NOT abouse and very effective
Posted by John Rudd <jr...@ucsc.edu>.
Marc Perkel wrote:
>
>
> John Rudd wrote:
>> John D. Hardin wrote:
>>> On Thu, 29 Mar 2007, Marc Perkel wrote:
>>>
>>>> John D. Hardin wrote:
>>>>> Can anyone recommend a non-abusive way to validate email addresses?
>>>> Yes - Sender Address Verification (SAV) works very well. It is not
>>>> abusive. Especially the way Exim implements it.
>>>
>>> I am not necessarily speaking of the context of a MTA.
>>>
>>> Example pulled out of thin air: if you had a corpus and you wanted to
>>> check the addresses within it, what would be a "polite" way to do so?
>>> Just open an SMTP connection and see what the far end says to "RCPT
>>> TO:", but put a tight rate limit on it?
>>
>> If someone was doing that to my server, I would consider it an attack,
>> and blacklist them.
>>
>> There is no polite way to do it. It's not polite to take advantage of
>> someone else's resources without their permission. That's exactly
>> what SAV does.
>>
>> SAV is the same thing as TDMA/Challege-Response, only the challenge is
>> to the machine instead of the human. Most of the same arguments apply.
>>
>
> The question was about a corpus of email. I assume that it means that
> the email is from multiple sources. So I doubt that someone running it
> would even be detectable buy anyone else.
You can't control how many other people are doing the same probe at the
same time. It might seem like batching from a corpus makes it better
than doing live probes, but the fact is that you don't know, and can't
know. All you can control is "am I going to probe for TMDA/SAV or not".
In a private message, John Hardin suggested that putting TDMA and SAV
into the same lump isn't fair. I wont duplicate his email here (since
that would be rude), but I will put my response here:
Consider the most common anti-TDMA argument:
Situation: One real sender address is forged on a couple million spam
messages. A significant portion of the planet uses TDMA.
TDMA result: innocent forged sender's inbox gets targeted with 100's of
thousands to millions of challenges. Their mail server gets flooded,
and their inbox get flooded.
SAV result: innocent forged sender's server gets targeted with 100's of
thousands to millions of challenges. Server gets flooded.
In both cases, you're using the resources of someone else, who has not
consented to be part of your anti-spam solution, for making your
anti-spam decisions. That is absolutely rude, and possibly abusive and
destructive, whether you're doing it live or in batches from a corpus.
The ONLY way in which SAV is better than TDMA is that it eliminates the
innocent end user from the problem. However, it still involves the
innocent mail server (and the innocent sysadmin, etc.).
If you want to deal with eliminating forgeries, require DK/DKIM. Any
resources that impacts upon the forged sender (obtaining their public
key) is at least consensual on their part (because they have offered
their public key).
RE: Sender Address Verification is NOT abouse and very effective
Posted by R Lists06 <li...@abbacomm.net>.
>
> +1
>
> If Marc is bouncing spams, even when domains who refuse to play the SAV
> game are involved, he's being even more abusive than I had thought.
>
>
> Daryl
I'm confused, Rick said he was rejecting in the smtp session above a certain
score too...
Bounce, reject... etc...
Are you talking about the code in the rejection?
Why did I miss?
Please clarify as you can still do an SMTP rejection after SA scoring
- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
Re: Sender Address Verification is NOT abouse and very effective
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Rick Macdougall wrote:
> Marc Perkel wrote:
>> The reason you get so many bounces is that your servers are SAV
>> hostile. If someone spoofs your domain then you're going to get SAV
>> connection if you allow it or bounce connections if you don't. And the
>> number of bounces is going to be a lot higher than the SAV requests
>> because spammers like domains where the recipient host gives no
>> information about if the account is valid or not.
>>
>>
> Uhhh, no. We don't bounce. Anyone who bounces is an asshat.
+1
If Marc is bouncing spams, even when domains who refuse to play the SAV
game are involved, he's being even more abusive than I had thought.
Daryl
Re: Sender Address Verification is NOT abouse and very effective
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Marc Perkel wrote:
>
>
> Rick Macdougall wrote:
>>
>>
>> Same difference to me, you get blocked. My servers are busy enough
>> as it is (just as an example, one incoming SMTP server out of 4 with
>> one client has consistent 80 connections per second, an average 500
>> connections active at any given tine, the majority, over 80%, bounces
>> or SAV checks). So guess what? I'm going to block those servers
>> until they smarten up.
>>
>>
>
> The reason you get so many bounces is that your servers are SAV
> hostile. If someone spoofs your domain then you're going to get SAV
> connection if you allow it or bounce connections if you don't. And the
> number of bounces is going to be a lot higher than the SAV requests
> because spammers like domains where the recipient host gives no
> information about if the account is valid or not.
>
>
Uhhh, no. We don't bounce. Anyone who bounces is an asshat. We reject
551 at the smtp level for spam above a certain score and for user unknown.
We aren't anti-SAV per say, we are anti-usernamechecking, we will return
a "User Unknown" after 5 similar unsuccessful requests during the same
smtp connection.
Think logically about it.
Regards,
Rick
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
Rick Macdougall wrote:
>
>
> Same difference to me, you get blocked. My servers are busy enough as
> it is (just as an example, one incoming SMTP server out of 4 with one
> client has consistent 80 connections per second, an average 500
> connections active at any given tine, the majority, over 80%, bounces
> or SAV checks). So guess what? I'm going to block those servers
> until they smarten up.
>
>
The reason you get so many bounces is that your servers are SAV hostile.
If someone spoofs your domain then you're going to get SAV connection if
you allow it or bounce connections if you don't. And the number of
bounces is going to be a lot higher than the SAV requests because
spammers like domains where the recipient host gives no information
about if the account is valid or not.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Matthias Häker <mh...@its-h.de>.
Hi Folks
i read this Email from this List now for some Month and it looks to me
that Marc Perkel was with this threat again successful to start a
discussion who have nothing to do with SA , correct me if i am wrong but
this religios War about SAV or not SAV what has it all to do with SA ??
Matthias
Re: Sender Address Verification is NOT abouse and very effective
Posted by Rick Macdougall <ri...@ummm-beer.com>.
John Rudd wrote:
> Marc Perkel wrote:
>> Derek Harding wrote:
>>> Marc Perkel wrote:
>>>> I don't understand why you think SAV is a louse anti-forgery tool.
>>>> It forces spammers to have to find real email addresses to forge.
>>> So here's a little thought experiment for you.
>>>
>>> As you know more and more spam is sent by botnets from compromised
>>> machines. Those bots know a range of valid addresses because they're
>>> pulling them out of addressbooks on the local machines (they're also
>>> sending to those same addresses btw).
>>
>> So - let's say you don't use SAV. You accept the message not knowing
>> that it's from a fake address. Then you have to spam filter it. If
>> if fails, it creates a bounce.
>
> No. You do your spam filtering during the SMTP session, using a
> milter or something similar. If it scores as spam, then you reject it
> during SMTP.
>
> So, no, it doesn't create a bounce. Only an idiot would bounce a
> message for being spam.
>
Or if you are using something that doesn't easily support prefiltering
then you can deliver with spam markup.
Do not ever bounce! Ever! I can not stress this enough.
blah.
Night folks!
Rick
Re: Sender Address Verification is NOT abouse and very effective
Posted by John Rudd <jr...@ucsc.edu>.
Marc Perkel wrote:
> Derek Harding wrote:
>> Marc Perkel wrote:
>>> I don't understand why you think SAV is a louse anti-forgery tool. It
>>> forces spammers to have to find real email addresses to forge.
>> So here's a little thought experiment for you.
>>
>> As you know more and more spam is sent by botnets from compromised
>> machines. Those bots know a range of valid addresses because they're
>> pulling them out of addressbooks on the local machines (they're also
>> sending to those same addresses btw).
>
> So - let's say you don't use SAV. You accept the message not knowing
> that it's from a fake address. Then you have to spam filter it. If if
> fails, it creates a bounce.
No. You do your spam filtering during the SMTP session, using a milter
or something similar. If it scores as spam, then you reject it during SMTP.
So, no, it doesn't create a bounce. Only an idiot would bounce a
message for being spam.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
Derek Harding wrote:
> Marc Perkel wrote:
>> I don't understand why you think SAV is a louse anti-forgery tool. It
>> forces spammers to have to find real email addresses to forge.
> So here's a little thought experiment for you.
>
> As you know more and more spam is sent by botnets from compromised
> machines. Those bots know a range of valid addresses because they're
> pulling them out of addressbooks on the local machines (they're also
> sending to those same addresses btw).
>
>
So - let's say you don't use SAV. You accept the message not knowing
that it's from a fake address. Then you have to spam filter it. If if
fails, it creates a bounce. So isn't that bounce going to use up more
cycles than SAV? Yes - many times. And of course a lot of those fake
email will slip through filling up your email boxes with junk that my
system would have filtered. And - you're domain will get spoofed more
than my domain because your server is SAV hostile. So other servers
can't determine if a sender is good or not. Spammers love domains like
what you host.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Marc Perkel wrote:
>>>
>> I maintain various mail servers for ISP's and private companies
>> around the world. Probably 2-3 million users in total. If your
>> server is using SAV against any of our servers in excess of 500 or
>> so invalid recipients per day, you are most likely on our internal
>> blacklist.
>>
>> We don't know if you are using SAV, TMDA or are just a clueless admin
>> who bounces after accepting. Seeing as how we get over a million
>> bounces after accepting from various clueless admins around the globe
>> you might see how were adverse to any type of sender verification.
>>
>> You might welcome it but we can't tell the difference. If you're
>> servers end up on blacklists because of it, don't complain. You made
>> your own bed and now you have to lay in it.
>>
>>
>
> I wouldn't be on your black list unless you manually added me to it.
>
My list is all manual. If you have 500 - 2000 rejects a day and you
look like a regular mail server you aren't listed. If you have more than
that or your have over 500 a day for a few days in a row, you are most
likely listed.
I can't tell the difference between idiot admins who bounce after
accepting and (I want to say idiot here, but I won't, opps, I did)
admins who use TDMA or SAV.
Same difference to me, you get blocked. My servers are busy enough as
it is (just as an example, one incoming SMTP server out of 4 with one
client has consistent 80 connections per second, an average 500
connections active at any given tine, the majority, over 80%, bounces or
SAV checks). So guess what? I'm going to block those servers until
they smarten up.
Train the million+ dummy admins out there not to accept, then bounce and
SAV might work but until then it will get you blocked.
Just my 0.02.
Regards,
Rick
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
Rick Macdougall wrote:
> Marc Perkel wrote:
>>
>>
>> I don't understand why you think SAV is a louse anti-forgery tool. It
>> forces spammers to have to find real email addresses to forge.
>> Domains that I host are rarely spoofed because when other hosts use
>> SAV I welcome that and verify which email addresses are bad and the
>> spam is rejected at connect time. When I use SAV I don't have to run
>> those messages through spam assassin because I already know they are
>> spam. So don't tell me that it doesn't work because I know for a fact
>> that it does.
>>
>> I WANT people to verify against my servers. I WELCOME it because
>> spammers blacklist ME.
>>
>> As to people blacklisting me - I am quite capable of effectively
>> evening the score. Those who black list me are a buch of cowards who
>> hide and create anonymous black lists to try to bully people into
>> what they want us to do. But these people have left a trail that I'm
>> reconstructing and I'm going to out them and it's going to be a very
>> public outing. So I don't just complain when I get blacklisted. I fix
>> the problem.
>>
> I maintain various mail servers for ISP's and private companies around
> the world. Probably 2-3 million users in total. If your server is
> using SAV against any of our servers in excess of 500 or so invalid
> recipients per day, you are most likely on our internal blacklist.
>
> We don't know if you are using SAV, TMDA or are just a clueless admin
> who bounces after accepting. Seeing as how we get over a million
> bounces after accepting from various clueless admins around the globe
> you might see how were adverse to any type of sender verification.
>
> You might welcome it but we can't tell the difference. If you're
> servers end up on blacklists because of it, don't complain. You made
> your own bed and now you have to lay in it.
>
> Regards,
>
> Rick
I wouldn't be on your black list unless you manually added me to it.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Rick Macdougall <ri...@ummm-beer.com>.
Marc Perkel wrote:
>
>
> I don't understand why you think SAV is a louse anti-forgery tool. It
> forces spammers to have to find real email addresses to forge. Domains
> that I host are rarely spoofed because when other hosts use SAV I
> welcome that and verify which email addresses are bad and the spam is
> rejected at connect time. When I use SAV I don't have to run those
> messages through spam assassin because I already know they are spam.
> So don't tell me that it doesn't work because I know for a fact that
> it does.
>
> I WANT people to verify against my servers. I WELCOME it because
> spammers blacklist ME.
>
> As to people blacklisting me - I am quite capable of effectively
> evening the score. Those who black list me are a buch of cowards who
> hide and create anonymous black lists to try to bully people into what
> they want us to do. But these people have left a trail that I'm
> reconstructing and I'm going to out them and it's going to be a very
> public outing. So I don't just complain when I get blacklisted. I fix
> the problem.
>
I maintain various mail servers for ISP's and private companies around
the world. Probably 2-3 million users in total. If your server is
using SAV against any of our servers in excess of 500 or so invalid
recipients per day, you are most likely on our internal blacklist.
We don't know if you are using SAV, TMDA or are just a clueless admin
who bounces after accepting. Seeing as how we get over a million
bounces after accepting from various clueless admins around the globe
you might see how were adverse to any type of sender verification.
You might welcome it but we can't tell the difference. If you're
servers end up on blacklists because of it, don't complain. You made
your own bed and now you have to lay in it.
Regards,
Rick
Re: Sender Address Verification is NOT abouse and very effective
Posted by Randy Smith <pe...@falconsroost.alamosa.co.us>.
On Friday 30 March 2007 02:48, Loren Wilton wrote:
> > While they don't have to pay for delivery in the same sense as snail-mail
> > advertizing, they are bandwidth-limited by the size of the internet.
> > Until others increase the bandwidth for their benefit, they can send only
> > so many spams.So being able to send 2-3 times as many targeted spams with
> > good addresses with the same bandwidth could only be regarded as good for
> > them.
>
> Thought experiment:
>
> Suppose some Internet uber-government mandated that all hosts publish to a
> central server a list of all valid recipient addresses at that host, and
> only valid recipient addresses. Suppose further that it was mandated that
> the list be kept up to no more than 12 hours out of date as changes
> occurred.
>
> Suppose that this was a gigantic server, and to prevent spam all sending
> hosts were mandated to check the list before sending an email to a target
> system, and reject the mail locally if the target address was not on the
> list. Obviously there would be no reason for the sending host to check the
> sender address since it would have to be valid - but mail forwarders would
> have to check both the sending and receiving addresses to be sure that
> neither was forged. Receiving hosts would likewise be mandated to check
> the list and discard the message if the sender did not appear on the list,
> or be subject to massive fines.
>
> Suppose that to reduce resource usage senders and receivers were permitted
> to daily download the entire address list from this central server, so that
> they could do only a single uber-zone transfer rather than possibly
> hundreds of millions of individual requests. Obviously any sending or
> receiving machine would have to be able to do this.
I was thinking about a similar idea but one that's a little more distributed
and doesn't require sending all one's users' information to a third party.
My musings are posted at
http://perlstalker.blogspot.com/2007/03/mail-server-registries-and-foreign.html.
In a nutshell, I was thinking of basing a system off of OpenID and, possibly,
PGP to authenticate and create a web of trust around servers and/or users.
[snip]
--
Randy Smith
http://perlstalker.amigo.net/
"Work is the miracle by which talent is brought to the surface and
dreams become reality." - Gordon B. Hinckley
Re: Things I would change to stop spam
Posted by JamesDR <ja...@trusswood.net>.
Magnus Holmgren wrote:
> On Friday 30 March 2007 15:39, Marc Perkel wrote:
>> So - what I propose is a addition to the IMAP/POP protocols that allow
>> email to be sent out over IMAP/POP and eliminate SMTP for the end user.
>
> NO, NO, NO! What is it, the tenth time you bring up this theme? Every time
> it's explained to you that it won't accomplish anything that can't already be
> accomplished.
>
There is nothing really stopping him from implementing this himself.
Money drives change. I welcome Marc to implement this for his business
and see what happens... I'm curious as to the outcome on both spam and
his customers :-D
--
Thanks,
James
Re: Things I would change to stop spam
Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Friday 30 March 2007 15:39, Marc Perkel wrote:
> So - what I propose is a addition to the IMAP/POP protocols that allow
> email to be sent out over IMAP/POP and eliminate SMTP for the end user.
NO, NO, NO! What is it, the tenth time you bring up this theme? Every time
it's explained to you that it won't accomplish anything that can't already be
accomplished.
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
Re: Things I would change to stop spam
Posted by Duane Hill <d....@yournetplus.com>.
On Fri, 30 Mar 2007, Marc Perkel wrote:
> So - what I propose is a addition to the IMAP/POP protocols that allow email
> to be sent out over IMAP/POP and eliminate SMTP for the end user. The
> outgoing email message would be sent over the same authenticated connection
> that you establish to get email and the IMAP/POP server would then hand the
> message off to the SMTP server which would then send it to the receiving
> server.
Sorry for keeping this thread alive. However, FWIW:
>From http://en.wikipedia.org/wiki/Post_Office_Protocol it says:
There are extensions to POP3 that allow some clients to transmit
outbound mail via POP3 - these are known as "XTND XMIT" extensions.
The Qualcomm qpopper and CommuniGate Pro servers and Eudora clients
are examples of systems that optionally utilize the XTND XMIT methods
of authenticated client-to-server e-mail transmission.
And XTND/XMIT are outlined here:
http://www.ietf.org/rfc/rfc1082.txt?number=1082
Re: Things I would change to stop spam
Posted by JamesDR <ja...@trusswood.net>.
Marc Perkel wrote:
> There is a huge amount of traffic on the internet from bots that are
> sending email to and from email addresses that don't exist and if that
> could be eliminated then everyone would be ahead. I have a few ideas
> myself on some evolutionary changes in the way mail is delivered that
> would basically lock out spam bots from the system.
>
> One of the problems with SMTP is that the user to server protocol is the
> same as the server to server protocol. In the old dats everyone was
> running on a unix shell account running Pine. But then there came to be
> remote workstations so POP and IMAP were added to read email, but
> nothing changed on the outgoing email.
>
> So - what I propose is a addition to the IMAP/POP protocols that allow
> email to be sent out over IMAP/POP and eliminate SMTP for the end user.
> The outgoing email message would be sent over the same authenticated
> connection that you establish to get email and the IMAP/POP server would
> then hand the message off to the SMTP server which would then send it to
> the receiving server.
>
> With a system like this you would eliminate half of the email setup in
> that once you configure to read email then you are already configured to
> send email. ISPs can close port 25 to end users by default and spam bots
> would be isolated. No application would be able to send email unless it
> knew the user name and password. And the virus wouldn't know that. With
> that kind of isolation viruses wouldn't be able to spread and spam bots
> go away.
Currently, Yes. Future, no.
Currently yes because there are few bots/viruses actively checking
username/password pairs. If it were implemented that this was mandated
all a botmaster/virus writer would need to do is create a transparent
proxy that slurps this info from the TCP/IP stream, then send this data
back to the mother ship and have all the other bots on the same subnet
use a series of user names/passwords to send the emails. With the
gigantic listing of valid E-Mail addresses this makes it all to easy to
grab a list of the local domain e-mail addresses for this subnet and
start firing away with legit looking mail (at least the e-mail wouldn't
be forged and it would be authenticated.) If we make the auth tokens
time based, no problem for the spammer/virus writer. Wait until a user
sends or receives a mail and send out X number of mails (or just start
sending till the remove server says "Hey! No more you!".) If the
gigantic list were query based (didn't hand out e-mail addresses, but
said yay nay to a presented e-mail address) then it still benefits the
spamer as to verify their spam lists against their sending lists. You
have to think like a spammer... They will always be with us, so if you
put up a wall, they will build a ladder just tall enough to reach over
the top and pour spam on you ;-)
I do see SAV hurting spammers more than helping in this instance and
right now. SAV, if used properly, can be light weight. Server Y contacts
server X and says "hey, does this user exist" (with current standard
smtp calls) Server X says "no" server Y either bounces a message back,
or discards.
GrayListing works well now.. but for how long? Short term, yea SAV and
other schemes will work, but then spammers just use legit email
addresses slurped from the TCP/IP stream.
My 2cents on the matter.
--
Thanks,
James
Re: Things I would change to stop spam
Posted by Benny Pedersen <me...@junc.org>.
On Fri, March 30, 2007 16:39, Matt wrote:
>> Re: Things I would change to stop spam
> Charge 0.1 penny a message. ;<)
hashcash :-)
--
This message was sent using 100% recycled spam mails.
Re: Things I would change to stop spam
Posted by Matt <lm...@gmail.com>.
>>Re: Things I would change to stop spam
Charge 0.1 penny a message. ;<)
Matt
Re: Things I would change to stop spam
Posted by "Chr. v. Stuckrad" <st...@mi.fu-berlin.de>.
On Fri, 30 Mar 2007, Marc Perkel wrote:
> send email. ISPs can close port 25 to end users by default and spam bots
> would be isolated. No application would be able to send email unless it
> knew the user name and password. And the virus wouldn't know that. With
> that kind of isolation viruses wouldn't be able to spread and spam bots
> go away.
1) some spam bots would hide as/near/in real MTAs (no difference to now)
- so every MTA would have to know the real ones in advance
or verify them cryptographically somehow (but as long as
everybody can buy Certificates, that wouldn't help also).
2) other (trojan) spam-bots would simply use userid and password
of (mail)connections of the host they live on. So the user
would be personally held responsible for the spam they send,
in case of paying the mail, the user would even have to pay
pay for the spam his (trojan)pc had 'generated'.
Both would be no change to 'spamming as martketing', only putting
a bit more pressure on the evolution of spambots, and killing
thousands of legitimate email accounts by injecting spam into
their mailstream.
May be, every account gone is a bit less spam, but at the end
of THAT way 'Email' will be gone too :-)
So I think, it's not that simple.
Stucki
--
Christoph von Stuckrad * * |nickname |<st...@mi.fu-berlin.de> \
Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-5 57 78|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00|
Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/
Things I would change to stop spam
Posted by Marc Perkel <ma...@perkel.com>.
Loren Wilton wrote:
>
> Thought experiment:
>
> Suppose some Internet uber-government mandated that all hosts publish
> to a central server a list of all valid recipient addresses at that
> host, and only valid recipient addresses. Suppose further that it was
> mandated that the list be kept up to no more than 12 hours out of date
> as changes occurred.
>
> Suppose that this was a gigantic server, and to prevent spam all
> sending hosts were mandated to check the list before sending an email
> to a target system, and reject the mail locally if the target address
> was not on the list. Obviously there would be no reason for the
> sending host to check the sender address since it would have to be
> valid - but mail forwarders would have to check both the sending and
> receiving addresses to be sure that neither was forged. Receiving
> hosts would likewise be mandated to check the list and discard the
> message if the sender did not appear on the list, or be subject to
> massive fines.
>
> Suppose that to reduce resource usage senders and receivers were
> permitted to daily download the entire address list from this central
> server, so that they could do only a single uber-zone transfer rather
> than possibly hundreds of millions of individual requests. Obviously
> any sending or receiving machine would have to be able to do this.
>
> Clearly this would completely eliminate spam, right? After all, it
> could not be sent to or from an invalid address, as the host doing
> that would be subject to massive govenrnment fines, and the mail would
> be rejected at the target anyway.
>
> Can anyone suggest to me why such an obviously correct government
> implementation might actually HELP spammers?
>
> For extra credit: can anyone describe how this scheme would differ
> from a "perfect and universal" SAV implementation used to prevent
> spamming?
>
>
There is a huge amount of traffic on the internet from bots that are
sending email to and from email addresses that don't exist and if that
could be eliminated then everyone would be ahead. I have a few ideas
myself on some evolutionary changes in the way mail is delivered that
would basically lock out spam bots from the system.
One of the problems with SMTP is that the user to server protocol is the
same as the server to server protocol. In the old dats everyone was
running on a unix shell account running Pine. But then there came to be
remote workstations so POP and IMAP were added to read email, but
nothing changed on the outgoing email.
So - what I propose is a addition to the IMAP/POP protocols that allow
email to be sent out over IMAP/POP and eliminate SMTP for the end user.
The outgoing email message would be sent over the same authenticated
connection that you establish to get email and the IMAP/POP server would
then hand the message off to the SMTP server which would then send it to
the receiving server.
With a system like this you would eliminate half of the email setup in
that once you configure to read email then you are already configured to
send email. ISPs can close port 25 to end users by default and spam bots
would be isolated. No application would be able to send email unless it
knew the user name and password. And the virus wouldn't know that. With
that kind of isolation viruses wouldn't be able to spread and spam bots
go away.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Loren Wilton <lw...@earthlink.net>.
> While they don't have to pay for delivery in the same sense as snail-mail
> advertizing, they are bandwidth-limited by the size of the internet.
> Until others increase the bandwidth for their benefit, they can send only
> so many spams.So being able to send 2-3 times as many targeted spams with
> good addresses with the same bandwidth could only be regarded as good for
> them.
Thought experiment:
Suppose some Internet uber-government mandated that all hosts publish to a
central server a list of all valid recipient addresses at that host, and
only valid recipient addresses. Suppose further that it was mandated that
the list be kept up to no more than 12 hours out of date as changes
occurred.
Suppose that this was a gigantic server, and to prevent spam all sending
hosts were mandated to check the list before sending an email to a target
system, and reject the mail locally if the target address was not on the
list. Obviously there would be no reason for the sending host to check the
sender address since it would have to be valid - but mail forwarders would
have to check both the sending and receiving addresses to be sure that
neither was forged. Receiving hosts would likewise be mandated to check the
list and discard the message if the sender did not appear on the list, or be
subject to massive fines.
Suppose that to reduce resource usage senders and receivers were permitted
to daily download the entire address list from this central server, so that
they could do only a single uber-zone transfer rather than possibly hundreds
of millions of individual requests. Obviously any sending or receiving
machine would have to be able to do this.
Clearly this would completely eliminate spam, right? After all, it could
not be sent to or from an invalid address, as the host doing that would be
subject to massive govenrnment fines, and the mail would be rejected at the
target anyway.
Can anyone suggest to me why such an obviously correct government
implementation might actually HELP spammers?
For extra credit: can anyone describe how this scheme would differ from a
"perfect and universal" SAV implementation used to prevent spamming?
Loren
Re: Sender Address Verification is NOT abouse and very effective
Posted by Loren Wilton <lw...@earthlink.net>.
> I don't understand why you think SAV is a louse anti-forgery tool. It
> forces spammers to have to find real email addresses to forge. Domains
Sounds to me like a really exciting development for spammers. They would
actually have a way to reliably listwash their lists of invalid addresses,
and end up with only valid target addresses.
While it may seem that with botnets they have near-infinite sending
resources, really the sending resources are limited by the overall internet
bandwidth. Probably 70% or more of the sent emails are wasted on fake or
discontinued addresses, and they have no way to know this. Assuming that
80% of the internet traffic is spam, 56% of the total internet traffic, and
70% of the spam traffic, is completely wasted. If the spammers had reliable
lists of only the valid recipients, then they could better than double their
targeted spam delivery rate. It is the same argument as used for any other
targeted marketing.
While they don't have to pay for delivery in the same sense as snail-mail
advertizing, they are bandwidth-limited by the size of the internet. Until
others increase the bandwidth for their benefit, they can send only so many
spams.So being able to send 2-3 times as many targeted spams with good
addresses with the same bandwidth could only be regarded as good for them.
Loren
Re: Sender Address Verification is NOT abouse and very effective
Posted by Derek Harding <de...@innovyx.com>.
Marc Perkel wrote:
> I don't understand why you think SAV is a louse anti-forgery tool. It
> forces spammers to have to find real email addresses to forge.
So here's a little thought experiment for you.
As you know more and more spam is sent by botnets from compromised
machines. Those bots know a range of valid addresses because they're
pulling them out of addressbooks on the local machines (they're also
sending to those same addresses btw).
Consider that many sites are using SAV and a botnet starts spewing
billions of messages. Consider now that you're the operator a
significantly sized mail system.
At this point you start getting hit from all around the world for
inordinate numbers of SAV requests all for valid emails. How hard you
get hit depends on your size & your misfortune. All that spam gets
delivered at the far end for as long as your servers can continue to
deal with the massive load of SAV requests and tell the other sites that
the spam isn't spam.
Note that these requests are totally unwarranted -- they have nothing
whatsoever to do with you except that some bot somewhere is using an
address at your site.
If SAV gets widely adopted bots will very easily get around it and it
just becomes an abusive overhead.
This is of course totally ignoring all the situations under which valid
email gets bounced because a SAV failed (I just happen to have
experienced several of those recently).
> Domains that I host are rarely spoofed because when other hosts use
> SAV I welcome that and verify which email addresses are bad and the
> spam is rejected at connect time. When I use SAV I don't have to run
> those messages through spam assassin because I already know they are
> spam. So don't tell me that it doesn't work because I know for a fact
> that it does.
It does now but only because it is so rarely used. And you can avoid SA
right up until spammers start using real addresses at which point you're
totally hosed.
> I WANT people to verify against my servers. I WELCOME it because
> spammers blacklist ME.
Right up until your servers die under the load of other systems SAVing
you. :)
> As to people blacklisting me - I am quite capable of effectively
> evening the score. Those who black list me are a buch of cowards who
> hide and create anonymous black lists to try to bully people into what
> they want us to do. But these people have left a trail that I'm
> reconstructing and I'm going to out them and it's going to be a very
> public outing. So I don't just complain when I get blacklisted. I fix
> the problem.
Or they're forward thinking people who can see the future of SAV and
realize that ultimately it's just abuse.
A final thought. There is only one large ISP that uses SAV and they've
recently decided to stop doing so. I wonder why that'd be if it's as
good as you say?
Derek
Re: Sender Address Verification is NOT abouse and very effective
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:
>
>
> Daryl C. W. O'Shea wrote:
>> SAV is a lousy anti-forgery mechanism, primarily because it isn't an
>> anti-forgery mechanism. At best it's a "somebody might legitimately
>> use this address but I have no idea if it's being forged in this
>> instance" mechanism. SAV doesn't make spammers fail, it merely
>> requires them to use a valid address, and guess what, they've got
>> billions of valid addresses at their disposal.
> I don't understand why you think SAV is a louse anti-forgery tool.
I guess you missed the second half of that sentence then. SAV cannot
tell you that an address was not forged. At best it can tell you that
the address doesn't exist and it probably was sent by a third party. If
you want to call this a forgery (how you forge something that doesn't
exist to begin with, I'm not sure) go for it.
> It forces spammers to have to find real email addresses to forge.
Forcing spammers to forge an address is considered anti-forgery? Now
I'm confused.
> Domains
> that I host are rarely spoofed because when other hosts use SAV I
> welcome that and verify which email addresses are bad and the spam is
> rejected at connect time. When I use SAV I don't have to run those
> messages through spam assassin because I already know they are spam. So
> don't tell me that it doesn't work because I know for a fact that it does.
OK, I won't tell you it doesn't work, and I didn't before either. I'm
simple suggesting that it's abusive and selfish.
> I WANT people to verify against my servers. I WELCOME it because
> spammers blacklist ME.
>
> As to people blacklisting me - I am quite capable of effectively evening
> the score. Those who black list me are a buch of cowards who hide and
> create anonymous black lists to try to bully people into what they want
> us to do. But these people have left a trail that I'm reconstructing and
> I'm going to out them and it's going to be a very public outing. So I
> don't just complain when I get blacklisted. I fix the problem.
If you want to waste your time on that go for it. I'd be really
surprised if you aren't currently, or have in the past, you yourself
used blacklists operated by "anonymous cowards" though.
Daryl
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
Daryl C. W. O'Shea wrote:
> Marc Perkel wrote:
>
>> I want people to use sender address verification against my servers
>> for the domains I host because if someone is spoofing one of my
>> domains I want it to fail. I welcome it. Because when domains do
>> sender address verification then it makes spammers fail. And if
>> spammers fail they will use someone else's domain - someone who
>> refuses to use SAV. Is if theirs anything that causes collateral
>> damage it's the face that my domains are less spammer friendly that
>> yours are so they will spoof your domains rather than mine.
>
> That's just silly, and as a provider of an anti-spam service you
> should know that.
>
> SAV is a lousy anti-forgery mechanism, primarily because it isn't an
> anti-forgery mechanism. At best it's a "somebody might legitimately
> use this address but I have no idea if it's being forged in this
> instance" mechanism. SAV doesn't make spammers fail, it merely
> requires them to use a valid address, and guess what, they've got
> billions of valid addresses at their disposal.
>
> If you're concerned about, and want to prevent, your domains being
> abused then sign your mail or use another mechanism that allows all
> involved parties to agree upon a mechanism that requires more than DNS
> queries against an unknown/unwilling party.
>
> If you wish to continue using SAV, and going by past statements of "it
> works for my customers so I'm going to continue to do it" I assume you
> will continue, then *please* stop complaining here every time you get
> blacklisted. If you must, though, perhaps SPAM-L would be a more
> appropriate venue.
>
>
I don't understand why you think SAV is a louse anti-forgery tool. It
forces spammers to have to find real email addresses to forge. Domains
that I host are rarely spoofed because when other hosts use SAV I
welcome that and verify which email addresses are bad and the spam is
rejected at connect time. When I use SAV I don't have to run those
messages through spam assassin because I already know they are spam. So
don't tell me that it doesn't work because I know for a fact that it does.
I WANT people to verify against my servers. I WELCOME it because
spammers blacklist ME.
As to people blacklisting me - I am quite capable of effectively evening
the score. Those who black list me are a buch of cowards who hide and
create anonymous black lists to try to bully people into what they want
us to do. But these people have left a trail that I'm reconstructing and
I'm going to out them and it's going to be a very public outing. So I
don't just complain when I get blacklisted. I fix the problem.
Re: Sender Address Verification is NOT abouse and very effective
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Marc Perkel wrote:
> I want people to use sender address verification against my servers for
> the domains I host because if someone is spoofing one of my domains I
> want it to fail. I welcome it. Because when domains do sender address
> verification then it makes spammers fail. And if spammers fail they will
> use someone else's domain - someone who refuses to use SAV. Is if theirs
> anything that causes collateral damage it's the face that my domains are
> less spammer friendly that yours are so they will spoof your domains
> rather than mine.
That's just silly, and as a provider of an anti-spam service you should
know that.
SAV is a lousy anti-forgery mechanism, primarily because it isn't an
anti-forgery mechanism. At best it's a "somebody might legitimately use
this address but I have no idea if it's being forged in this instance"
mechanism. SAV doesn't make spammers fail, it merely requires them to
use a valid address, and guess what, they've got billions of valid
addresses at their disposal.
If you're concerned about, and want to prevent, your domains being
abused then sign your mail or use another mechanism that allows all
involved parties to agree upon a mechanism that requires more than DNS
queries against an unknown/unwilling party.
If you wish to continue using SAV, and going by past statements of "it
works for my customers so I'm going to continue to do it" I assume you
will continue, then *please* stop complaining here every time you get
blacklisted. If you must, though, perhaps SPAM-L would be a more
appropriate venue.
Daryl
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
John D. Hardin wrote:
> On Thu, 29 Mar 2007, Marc Perkel wrote:
>
>
>> The question was about a corpus of email. I assume that it means
>> that the email is from multiple sources.
>>
>
> Correct. Assume for the sake of argument that the distribution of
> domains being checked somewhat reflects the distribution of ISP sizes
> - for example, there would be more aol.com and hotmail.com addresses
> than most other domains.
>
> Also, duplicates would be collapsed so caching isn't really
> beneficial.
>
>
>> So I doubt that someone running it would even be detectable buy
>> anyone else.
>>
>
> Well, yes, but whether or not you get caught does not affect the
> morality or courtesy of an act...
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> You are in a maze of twisty little protocols,
> all written by Microsoft.
> ----------------------------------------------------------------------
> 15 days until Thomas Jefferson's 264th Birthday
>
>
I want people to use sender address verification against my servers for
the domains I host because if someone is spoofing one of my domains I
want it to fail. I welcome it. Because when domains do sender address
verification then it makes spammers fail. And if spammers fail they will
use someone else's domain - someone who refuses to use SAV. Is if theirs
anything that causes collateral damage it's the face that my domains are
less spammer friendly that yours are so they will spoof your domains
rather than mine.
Re: Sender Address Verification is NOT abouse and very effective
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 29 Mar 2007, Marc Perkel wrote:
> The question was about a corpus of email. I assume that it means
> that the email is from multiple sources.
Correct. Assume for the sake of argument that the distribution of
domains being checked somewhat reflects the distribution of ISP sizes
- for example, there would be more aol.com and hotmail.com addresses
than most other domains.
Also, duplicates would be collapsed so caching isn't really
beneficial.
> So I doubt that someone running it would even be detectable buy
> anyone else.
Well, yes, but whether or not you get caught does not affect the
morality or courtesy of an act...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You are in a maze of twisty little protocols,
all written by Microsoft.
----------------------------------------------------------------------
15 days until Thomas Jefferson's 264th Birthday
Re: Sender Address Verification is NOT abouse and very effective
Posted by Marc Perkel <ma...@perkel.com>.
John Rudd wrote:
> John D. Hardin wrote:
>> On Thu, 29 Mar 2007, Marc Perkel wrote:
>>
>>> John D. Hardin wrote:
>>>> Can anyone recommend a non-abusive way to validate email addresses?
>>> Yes - Sender Address Verification (SAV) works very well. It is not
>>> abusive. Especially the way Exim implements it.
>>
>> I am not necessarily speaking of the context of a MTA.
>>
>> Example pulled out of thin air: if you had a corpus and you wanted to
>> check the addresses within it, what would be a "polite" way to do so?
>> Just open an SMTP connection and see what the far end says to "RCPT
>> TO:", but put a tight rate limit on it?
>
> If someone was doing that to my server, I would consider it an attack,
> and blacklist them.
>
> There is no polite way to do it. It's not polite to take advantage of
> someone else's resources without their permission. That's exactly
> what SAV does.
>
> SAV is the same thing as TDMA/Challege-Response, only the challenge is
> to the machine instead of the human. Most of the same arguments apply.
>
The question was about a corpus of email. I assume that it means that
the email is from multiple sources. So I doubt that someone running it
would even be detectable buy anyone else.
Re: Sender Address Verification is NOT abouse and very effective
Posted by Magnus Holmgren <ho...@lysator.liu.se>.
On Friday 30 March 2007 02:36, John Rudd wrote:
> There is no polite way to do it. It's not polite to take advantage of
> someone else's resources without their permission. That's exactly what
> SAV does.
I can think of a couple of ways to be at least less impolite.
First of all, use SAV as the last check before finally accepting a message,
i.e. after it passes SA.
Second, use SAV only if the SPF check returns "neutral" (and
possibly "temperr"/"permerr"). On "softfail" you can suspect that the sender
is a spammer and that performing a verification might make you a part of a
DDoS. On "fail" you might reject the message *if* all authorized forwardings
are accounted for or use SRS. This would mean that those who don't want SAVs
from Marc Perkel just have to publish SPF records. DK/DKIM could perhaps be
used in a similar way.
> SAV is the same thing as TDMA/Challege-Response, only the challenge is
> to the machine instead of the human. Most of the same arguments apply.
However, the bandwidth used is a lot less. The same arguments could be
extended to SPF queries and even simple DNS queries to check that the given
domain even exists. The question is, and it's not a rhetorical one: Where do
you draw the line between being abused and providing the kind of "directory
services" you have to run when you own a domain?
(One answer might be that SAV (and even simple domain checks) is abusive
because it's futile.)
SAV the way it's commonly carried out is definitely an abuse of protocol, so
one way to go might be by advocating VRFY: Since "accept everything, then
bounce" is discouraged, one could as well allow VRFY (if one welcomes
verification requests from others). (But I'm not sure about the possibility
of differentiating negative VRFY responses from rejections due to policy.)
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
Re: Sender Address Verification is NOT abouse and very effective
Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> On Thu, 29 Mar 2007, Marc Perkel wrote:
>
>> John D. Hardin wrote:
>>> Can anyone recommend a non-abusive way to validate email addresses?
>> Yes - Sender Address Verification (SAV) works very well. It is not
>> abusive. Especially the way Exim implements it.
>
> I am not necessarily speaking of the context of a MTA.
>
> Example pulled out of thin air: if you had a corpus and you wanted to
> check the addresses within it, what would be a "polite" way to do so?
> Just open an SMTP connection and see what the far end says to "RCPT
> TO:", but put a tight rate limit on it?
If someone was doing that to my server, I would consider it an attack,
and blacklist them.
There is no polite way to do it. It's not polite to take advantage of
someone else's resources without their permission. That's exactly what
SAV does.
SAV is the same thing as TDMA/Challege-Response, only the challenge is
to the machine instead of the human. Most of the same arguments apply.
Re: Sender Address Verification is NOT abouse and very effective
Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 29 Mar 2007, Marc Perkel wrote:
> John D. Hardin wrote:
> > Can anyone recommend a non-abusive way to validate email addresses?
>
> Yes - Sender Address Verification (SAV) works very well. It is not
> abusive. Especially the way Exim implements it.
I am not necessarily speaking of the context of a MTA.
Example pulled out of thin air: if you had a corpus and you wanted to
check the addresses within it, what would be a "polite" way to do so?
Just open an SMTP connection and see what the far end says to "RCPT
TO:", but put a tight rate limit on it?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You are in a maze of twisty little protocols,
all written by Microsoft.
----------------------------------------------------------------------
15 days until Thomas Jefferson's 264th Birthday