All messages from unknown senders are bounced. The bounce contains a link to
a robot-unfriendly "prove you are a human with a real email address" page
that consists of one of those "enter the letters you see in this picture"
forms. Doing that validates the sender as a real person, not a spammer, and
eliminates the need to run something like spamassassin.
I considered such a scheme, but then thought about it and decided against it. Why? Because I'm reluctant to take the extra step to authorise myself. It's irritating when I reply to a mailing list post, CCing the person, and get one of those requests. 99% of the time I ignore it. If I wanted to contact someone then I'd probably do it though.
I am quite fortunate, as I rarely get spam. I used to get quite a lot, then analysed it and noticed that 95% was from two servers, where some asshole was using my email address as a spam hole. I firewalled those hosts after checking who they were, and confirming that no valid correspondence had come from them.
I like the idea of SPF, as Courier esmtpd is sensible and allows authenticated relaying by default. Also, as I use webmail mostly outside of my network it works fine.
The real aim of Yahoo!'s system is not to authenticate the server though; it's to authenticate the email as being from a valid user. I can see this catching on in corporations, as it'll add a layer of knowledge to the receiver.
As Sam says, msa is rarely blocked as it is an authenticated port. It's also rarely used, so awareness of its existence isn't that high. Configure roaming clients to use this, or get people to use webmail if it's blocked. The problem would be a high-quality webmail system. Sure, squirrelmail works, but it isn't exactly pretty...
Anyway, I'm a bit tired now, I'll think more when I'm awake ;)
-- Phillip Hutchings [EMAIL PROTECTED] http://www.sitharus.com/
