On 5/27/05, Justin Mason <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Steve Prior writes:
> > My domain geekster.com has been Joe jobbed for the last couple
> > of weeks.  In spite of the fact that I responsibly created SPF
> > records for my domain, I am getting flooded with bounce messages
> > from other mail systems that don't understand most spam from
> > addresses are forged.  Fortunately AOL seems to have wizened up
> > since the last time this happened to me.
> >
> > It seems to me that email domains that email such bounce messages
> > or spam fighting techniques that send back a confirmation message
> > are now part of the problem rather than the solution, but since
> > the confirmation messages do shield THEIR users from spam they
> > don't care what it's doing to the rest of us.  I'm wondering if
> > a blacklist of known domains which send out stupid bounce messages
> > or confirm emails would provide some incentive for cleaning them up.
> 
> A BL would probably be helpful -- but sadly some *really big* networks
> (Earthlink's challenge-response) and companies (Fortune 500s) produce
> these bounces, too, so it'd have serious FP potential, since those mail
> relay IP addresses produce both the bounces and the legit mail.

Note that there's an alternative, if you run your own MTA, which is to
use separate header From and bounce addresses.  What I do for my
regular email (not this gmail account), is to use bounce addresses of
the form <[EMAIL PROTECTED]>, where COOKIE is a
cryptographic cookie, basically the encryption of an expiration date
21 days in the future.  I only accept bounce messages to addresses of
that form, and if the COOKIE has expired.  If you try to email my
regular email address from <>, the mail is rejected.

Note that many mail systems support such extension addresses.  For
example, if your username is dm, sendmail by default delivers
dm+ANYTHING to you.  Qmail has a similar feature with dm-ANYTHING (but
you have to create a .qmail-default file in your home directory).

Doing this for larger sites (where you don't have one Unix account per
user) might be a bit harder, but if SES ever takes off, you could use
that.

David
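The scheme David describes (a signed, expiring cookie in the envelope sender, with bounces accepted only to addresses of that form), written out as an added example. This is illustration code, not David's own implementation or anything from the list: the post does not give the cookie format, so this one uses HMAC-SHA256 over a big-endian expiry timestamp, the `dm+COOKIE` extension-address form that sendmail delivers to user `dm`, a constructed placeholder domain `example.com`, and a constructed secret. The policy function models the RCPT stage: mail with an empty envelope sender (`<>`) is treated as a bounce and must hit a signed, unexpired address; anything else to `dm` or `dm+...` is ordinary mail.

```python
"""Expiring cryptographic bounce addresses (BATV-style), added example.

Assumptions (not from the post): cookie = base32(expiry || HMAC-SHA256(secret,
expiry)[:10]); address form dm+COOKIE@example.com; constructed secret.
"""
import base64
import binascii
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-secret"   # constructed; a real MTA uses a random, private secret
LOCAL_PART = "dm"                      # the sendmail "dm+ANYTHING" user from the thread
DOMAIN = "example.com"                 # constructed placeholder domain
LIFETIME = 21 * 24 * 3600              # 21 days, as in the post
TAG_LEN = 10                           # truncated HMAC tag length in bytes


def make_cookie(expires, secret=SECRET):
    """Cookie = base32(expiry || HMAC(secret, expiry)[:TAG_LEN]), lowercase, unpadded."""
    ts = struct.pack(">I", expires)
    tag = hmac.new(secret, ts, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b32encode(ts + tag).decode("ascii").rstrip("=").lower()


def bounce_address(now=None, secret=SECRET):
    """Envelope sender (MAIL FROM) to use on outgoing mail; valid for LIFETIME seconds."""
    now = int(time.time()) if now is None else now
    return f"{LOCAL_PART}+{make_cookie(now + LIFETIME, secret)}@{DOMAIN}"


def cookie_is_valid(cookie, now, secret=SECRET):
    """True only if the tag verifies under our secret and the expiry is still in the future."""
    padded = cookie + "=" * (-len(cookie) % 8)          # restore base32 padding
    try:
        raw = base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) != 4 + TAG_LEN:
        return False
    ts, tag = raw[:4], raw[4:]
    expected = hmac.new(secret, ts, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        return False
    return now <= struct.unpack(">I", ts)[0]


def accept_rcpt(mail_from, rcpt_to, now=None, secret=SECRET):
    """RCPT-stage policy. A bounce is any message whose envelope sender is empty (<>).

    Returns (accept, reason).
    """
    now = int(time.time()) if now is None else now
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() != DOMAIN:
        return False, "not a local domain"
    base, plus, cookie = local.partition("+")
    if base.lower() != LOCAL_PART:
        return False, "unknown user"
    if mail_from.strip() not in ("", "<>"):
        # Ordinary mail: dm and dm+anything both land in dm's mailbox.
        return True, "normal mail, delivered to dm"
    if not plus:
        return False, "bounce to plain address rejected"
    if cookie_is_valid(cookie, now, secret):
        return True, "bounce to signed, unexpired address"
    return False, "bounce cookie invalid or expired"


if __name__ == "__main__":
    now = int(time.time())
    addr = bounce_address(now)
    print("MAIL FROM for outgoing mail:", addr)
    cases = [
        ("<>", addr, now),                                  # genuine bounce, in time
        ("<>", addr, now + LIFETIME + 1),                   # bounce arriving after expiry
        ("<>", f"{LOCAL_PART}@{DOMAIN}", now),              # joe-job backscatter to the plain address
        ("alice@other.example", f"{LOCAL_PART}@{DOMAIN}", now),  # ordinary mail
    ]
    for mf, rcpt, t in cases:
        print(f"{mf:22} -> {rcpt[:34]:34} {accept_rcpt(mf, rcpt, t)}")
```

Two design points worth noting. The expiry lives in the cookie itself and is covered by the tag, so an attacker who harvests one of these addresses from a message header can only cause bounces to reach you until that cookie lapses, and cannot mint a new one without the secret. The secret must never leave the MTA; if it is rotated, bounces for mail sent under the old secret will be refused for the remainder of their 21-day window unless the old key is kept for verification during that period.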
