On Wed, Mar 10, 2004 at 04:14:49PM -0700, Jason R. Mastaler wrote:
>Kyle Hasselbacher <[EMAIL PROTECTED]> writes:
>
>> I think the idea is that the spammer would connect directly to the
>> victim's mail server, forge an address, and get a reject
>> immediately.
>
>I assume you mean forge a bogus address as opposed to forge a real,
>working address?  If so, this is already satisfied with sender address
>verification which some SMTP servers (Exim, Postfix, probably more)
>already implement.

I think SPF is great.  I think if more sites heeded SPF records I wouldn't
get more bogus bounces than spam, but I'm just guessing.

I think also that the situation that SMTP-based C/R works "better" for is
this:

* Spammer forges from a working address.
* Spammer connects directly to the victim's mail server.

When both of those are true, TMDA sends a challenge to someone who didn't
ask for it, but SMTP-based C/R doesn't.  As you note, sender verification
can solve the unwanted challenge problem for TMDA (and, incidentally, for
SMTP C/R also).

If the spammer forges from a broken address, the difference between the
methods is that TMDA makes it look as if the message was delivered.  With
SMTP C/R, the spammer sees a rejection.  Either way, no one gets a
challenge, and sender verification helps either way too.

If the spammer goes through an intermediary server (open relay or a real MX
with a different policy), there's no difference to anyone.

>> Regular users would get the bounce because their legitimate mail
>> server would generate one when it gets the rejection.
>
>Which is the same result as what currently happens with TMDA.

Yeah, except TMDA's challenges are easier to read and to answer.
- -- 
Kyle Hasselbacher | The early bird gets the worm, but the second mouse
[EMAIL PROTECTED]  | gets the cheese. -- Jon Hammond
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users