Serge, >There's a matcher that comes with JAMES called SenderInFakeDomain. It's >included but commented out of config.xml by default. It looks at the >address given in the MAIL FROM and matches if it is not a valid domain. >Like you say, a form but not perfect piece of defense. > Cool.
>As for the verification system, it sounds interesting... I would think with >some sort of notification between servers, a server could build up a list of >valid email addresses that it would accept. You could do it something like >this.... > >1. If a message arrives from a sender that's not on the approved list, it >puts it in a holding queue. >2. We send a message to that sender asking them to verify the address. This >could use VERP syntax so the user just replies. >3. For smart (JAMES) servers that receive these address verification >requests, it could spot these request validations, and send the validation >response immediately (so the user doesn't see it and have to approve it). >4. Once the address is validated, the message is pulled out of the holding >queue. > No no, it checks every message every time. It it keeps a list, it's a list of servers that soppirt the verification protocol (a spammer could masquerade as a user from a verify capable mail server, but leave off the verification headers). And it verifies messages not senders, note the reply types in my orig email. >I think this is rather aggressive, but I wonder as spam becomes more >pervasive whether it'd be useful. Also, in theory you could also see if a >message is digitally signed, and if so, automatically approve the email >address. > Signing is good too, but not widespread as getting and configuring certificates is felt to be too hard for most users to do. >Interesting thoughts...shouldn't be too hard to put together in JAMES. > That's true, but what I am really saying here is that the is opportunity for a few of you guys to get together and post an RFC. The basic issue is that the relaying nature of email is the reason that Spammers choose to fake postings and "borrow" resources. There is legislation in place to force spammers to give options to allow spamees to remove themselves from lists. When it works it's pointless. Have you every tried to remove yourself from a list. It's so ineffectual. No, it's the faking and sending via hacked mail servers that the main reason spam still exists. If we move slowly towards verified email then we'll beat SPAM. If that means that SMTP2 comes into being, then fine by me - we dual support multiple transports. Come on guys, seize the opportunity, pen a RFC and put yer names on it. It works best as a standard heh? - Paul --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
