> I'm beginning to think that mailback validation as an anti-spam
> technique has been beaten. Worse, I think there are now spam systems
> written that will beat them in an automated way.
I can believe it, but only because too many mailback schemes are broken. I
run a bunch of autoresponders, and I can't tell you how many of them have
"validated" subscriptions to various mailing lists to which some bozo
forge-subscribed them (typically by giving an address like
[EMAIL PROTECTED] when a site demanded an e-mail address).
Many schemes seem to take any response with the same subject line as the
mailback as a confirmation, which is accidentally spoofed by my
autoresponder. You could spoof a scheme like that without even seeing the
mailbacks, since they usually have a simple fixed text.
For mailbacks to be effective, they need two things:
- a key in the confirmation that's not derived (or at least not easily
derived) from the e-mail address, so you can be sure that the confirmation
is in fact a response to the mailback.
- something in the message that won't be inserted by an autoresponder,
e.g., instructions to put "yes" in the first line of the response, but
make sure the first few lines of the mailback don't contain that word.
Click-to-confirm does both of these so long as the confirm URL contains
the key. This shouldn't be rocket science, but it's impressive how many
people writing mailing list packages appear to know nothing about the
reality of the e-mail environment.
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
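The two rules above, worked through as an added example that is not part of John Levine's post and not taken from any particular mailing-list package. It puts the scheme the post criticises (subject line derived from the address, any reply with that subject accepted) beside one that issues a random key and requires "yes" on the first line of the reply, and then feeds both an autoresponder reply, a reply that merely quotes the mailback, a forged reply from someone who never saw the mailback, and a genuine confirmation. The in-memory `pending` store, the `list.example` confirm URL and the sample replies are constructed for the illustration.

```python
"""Mailback confirmation: the broken scheme beside one that follows both rules.
Example code written for this page; names, URLs and sample messages are assumed."""
import re
import secrets

CONFIRM_WORD = "yes"
LEAD_LINES = 5  # the mailback's first lines must not contain CONFIRM_WORD (rule 2)

# Pending confirmations keyed by a random token (assumed in-memory store).
pending = {}


def issue_token(address):
    """Rule 1: a random key that cannot be derived from the address."""
    token = secrets.token_urlsafe(16)
    pending[token] = address
    return token


def build_mailback(address, token):
    """Mailback whose leading lines avoid the confirmation word, so a reply that
    only quotes it back (or an autoresponder's fixed text) cannot confirm."""
    subject = f"Subscription request [{token}]"
    body = "\n".join([
        f"A request was received to subscribe {address} to the list.",
        "If you did not make this request, simply ignore this message",
        "and nothing further will happen.",
        "",
        f"Confirmation key: {token}",
        "",
        f"To confirm, reply with the word {CONFIRM_WORD} alone on the first line,",
        f"or open https://list.example/confirm/{token}",
    ])
    head = "\n".join(body.splitlines()[:LEAD_LINES]).lower()
    assert CONFIRM_WORD not in head, "confirmation word leaked into the mailback head"
    return subject, body


_TOKEN_RE = re.compile(r"\[([A-Za-z0-9_-]+)\]")


def first_content_line(body):
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    return ""


def confirm_by_reply(subject, body):
    """Accept only if the key from the mailback comes back (rule 1) and the
    first non-blank line is exactly the confirmation word (rule 2).
    Returns the confirmed address, or None."""
    m = _TOKEN_RE.search(subject)
    token = m.group(1) if m else None
    if token not in pending:
        return None
    if first_content_line(body).lower() != CONFIRM_WORD:
        return None
    return pending.pop(token)


def confirm_by_url(url):
    """Click-to-confirm: the key sits in the URL, so no body check is needed."""
    return pending.pop(url.rsplit("/", 1)[-1], None)


def broken_confirm(subject, pending_addresses):
    """The scheme the post criticises: the subject is derived from the address
    and any reply carrying that subject counts as a confirmation."""
    m = re.match(r"(?:Re:\s*)*Subscription request for (\S+)", subject, re.I)
    if m and m.group(1) in pending_addresses:
        return m.group(1)
    return None


def demo():
    victim = "victim@example.org"
    token = issue_token(victim)
    subject, body = build_mailback(victim, token)

    # Constructed replies: an autoresponder's fixed text, a client quoting the
    # mailback without adding anything, and a genuine "yes" above the quote.
    auto_body = "I am away from the office and will read your message on my return."
    quoted = "\n".join("> " + line for line in body.splitlines())
    real = "yes\n\n" + quoted

    results = {
        # Broken scheme: the subject is guessable from the address alone, so an
        # autoresponder, or anyone who never saw the mailback, confirms it.
        "any_reply_vs_broken": broken_confirm("Re: Subscription request for " + victim, {victim}),
        "auto_vs_fixed": confirm_by_reply("Re: " + subject, auto_body),
        "quoted_vs_fixed": confirm_by_reply("Re: " + subject, quoted),
        "forged_vs_fixed": confirm_by_reply("Re: Subscription request [guess]", "yes"),
        "real_vs_fixed": confirm_by_reply("Re: " + subject, real),
    }
    token2 = issue_token(victim)
    results["click_vs_fixed"] = confirm_by_url(f"https://list.example/confirm/{token2}")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The quoting case is why the post says to keep the confirmation word out of the first few lines: with the check pinned to the first non-blank line, a quoted mailback begins with "> A request was received..." and fails, while a reply that really starts with "yes" passes. Click-to-confirm needs no such care because the key in the URL is the whole confirmation.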