Posted to users@spamassassin.apache.org by Ramprasad <ra...@netcore.co.in> on 2006/12/01 08:55:44 UTC

OT: sender address verification .. is it feasible

I had read of sender address verification (SAV) about a year back; some
people had done that too. I found the idea too unfeasible for checking
from-addresses before accepting mail at MTA.


The scene is different today. Now, with 90% of all mail being spam, it
seems not that bad an idea anyway.
  My guess is around 50% of these spams don't have a deliverable from-id.
Waste resource and bandwidth accepting mail and scanning it or waste
time probing for correct from ids ( and also risk being blacklisted for
probes ) .. which is better.

IMHO if SAV becomes some standard then domains can have something like
DNS records for all correct ids and probing will become a lot easier.

Is anyone already having experiences with sender address verification?

Thanks
Ram






Re: OT: sender address verification .. is it feasible

Posted by Jonas Eckerman <jo...@frukt.org>.
Ramprasad wrote:
> Is anyone already having experiences with sender address verification?

Are you talking of verification using SMTP callbacks?

If so, yes. I'm currently using my own SA plugin for this, but it's not verifying everything. Points:

* You can't use VRFY (the SMTP command meant for this) since many hosts either don't allow that command or give false answers. Instead you have to do both a MAIL FROM and RCPT TO in order to check the address. And you should only consider an explicit permanent rejection of the RCPT TO as a rejection.

* You absolutely should not do a MAIL FROM + RCPT TO verification callback directly before answering one of those commands since that could result in a loop between two servers if both are doing this.

* You shouldn't do this for all mail that comes in because (a) it is a nasty way to put load on innocent parties' servers (since spammers use false senders) and (b) it will trigger checks in some systems so that you might be considered a probable spammer.

* You probably shouldn't reject based on this. There is otherwise legit mail that is sent with invalid sender addresses. :-/

This is how we do it:

I use a SpamAssassin plugin. This way, a failed verification by itself will not reject a mail.

This plugin only does sender verification if it can make a difference. That is, the score when the plugin's eval tests are run must be high enough so that a true result from the eval test will push it over the top, but not be already over the top.

The plugin has a list of regular expressions which, if matched, tell it *not* to verify an address.

The plugin also caches the results in a database so that it will not have to recheck addresses every time they come in.

I consider this plugin experimental. If anyone wants to check it out it can be found at
<http://whatever.frukt.org/spamassassin.text.shtml>
but I'm not going to recommend it to anyone that doesn't first think about this for a decent while.

I am not at all sure this is a good idea, and I might decide to not do this.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
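
The gating rules described in the message above (verify only when the result can change the outcome, honor a skip list, cache verdicts, count only an explicit permanent RCPT TO rejection), as an added Python sketch that is not part of the thread and not the plugin's own code. The thresholds, patterns, function names and the caller-supplied `probe` callable are all assumptions; no network I/O is performed here.

```python
import re
import time

# Every value and name below is an assumption made for illustration.
REQUIRED_SCORE = 5.0   # score at which a mail is treated as spam
TEST_SCORE = 2.0       # points a failed verification would add
CACHE_TTL = 24 * 3600  # seconds a cached verdict stays valid
SKIP_PATTERNS = [re.compile(p, re.I)
                 for p in (r"^$", r"^postmaster@", r"@example\.org$")]
_cache = {}            # address -> (verdict, stored_at)

def worth_checking(current_score):
    """True only if a hit would push the mail over the threshold
    and the mail is not already over it."""
    return current_score < REQUIRED_SCORE <= current_score + TEST_SCORE

def classify_rcpt_reply(code):
    """Only an explicit permanent rejection (5xx) of RCPT TO is a failure."""
    if 500 <= code <= 599:
        return "invalid"
    if 200 <= code <= 299:
        return "valid"
    return "unknown"   # 4xx and anything else never counts against the sender

def sender_fails_verification(sender, current_score, probe, now=None):
    """probe(sender) returns the RCPT TO reply code, or None on no answer."""
    now = time.time() if now is None else now
    sender = sender.strip().lower()
    if not worth_checking(current_score):
        return False   # the result could not change the outcome
    if any(p.search(sender) for p in SKIP_PATTERNS):
        return False   # listed as never to be verified
    hit = _cache.get(sender)
    if hit and now - hit[1] < CACHE_TTL:
        verdict = hit[0]
    else:
        code = probe(sender)
        verdict = "unknown" if code is None else classify_rcpt_reply(code)
        if verdict != "unknown":
            _cache[sender] = (verdict, now)  # cache definite answers only
    return verdict == "invalid"
```

Temporary failures and timeouts are deliberately left uncached so that a later mail from the same sender can be checked again.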


Re: sender address verification .. is it feasible

Posted by Loren Wilton <lw...@earthlink.net>.
> Waste resource and bandwidth accepting mail and scanning it or waste
> time probing for correct from ids ( and also risk being blacklisted for
> probes ) .. which is better.

Since you will waste less overall net resources doing your own scanning, I'd 
say that is better.  Quite aside from the fact that you will be blacklisted 
for looking like some form of spammer or other attack.

SAV was a viable concept before the days of spam, back when people published 
the recipients at a given location.  With the advent of spam, admitting who 
is and isn't a user on your system became just downright foolish.  While it 
could in theory help block spam, it could also be used as a DDOS on a target 
system by doing a large spam run and joe-jobbing a given domain, knowing all 
the recipients will then probe it.  More to the point, if it worked (as it 
used to) the spammers could use it to clean their email lists and only send 
to live addresses.  As they used to do.

Now this might actually result in an overall decrease in spam traffic, since 
it would all be targeted to live users.  Somehow though I doubt it.  It 
would just make it much harder to detect the spam, since every spam would 
come from a legit source and be going to a legit source.

        Loren