> -----Original Message-----
> From: Marc Perkel [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 11:42 AM
> To: users@spamassassin.apache.org
> Subject: Re: Sender Address Verification is NOT abouse and very effective
>
>
> John D. Hardin wrote:
> > Is there a non-abusive way to automatically verify an email address is
> > valid? Verification does not need to occur in real-time; large delay
> > is acceptable. It is not intended as any sort of attack/abuse/spam
> > prevention or mitigation strategy. A given address will not be checked
> > more than once. There may not be any email message headers associated
> > with the address.
> >
> > If this is drifting off topic, let's kill it and I'll find someplace
> > more appropriate.
>
> Yes - there is. I'm using Exim and if you aren't using Exim you might
> not be able to do the things I can do. It's SAV done right.
>
> Exim provides caching so it minimizes real callouts. You also have to do
> things in the right order. You do the greylisting/blacklisting first.
> You then exclude all the spammer only tricks like impersonating your
> domain(s) and other stuff that only spammers do. You then verify the
> recipient exists first. After doing all this the sender verification
> traffic is minimal.
>
> Now if someone wants to invent a better way that would be great. I'd
> like to see some sort of DNS based way to do this but until there's
> something better SAV is it.
I agree with the DNS based method. Perhaps a TXT record, in the DNS of the owner of a given IP, that states the IP is allowed to run mail services. Next, verify via a forward query of the domain that the IP is allowed to *send* mail for that domain. I am not talking about defining dynamic, etc. I am saying a query on the IP returns a yes/no as far as that IP having the right (AUP) to operate an email service. Then check the domain part to see if that IP is allowed to send mail on behalf of that domain. Like an MS (mail sender) record instead of an MX record.

Next, I have thought it would be nice in today's world of "bots" that a service exist explicitly to honor address verification requests, one that has nothing to do with the SMTP server. It would have to be light and fast, perhaps UDP in the same light as DNS. You would send the request to the service designated by the domain's DNS; this would allow the same types of round robin or load balancing as DNS servers enjoy. That server would hold all valid addresses (including aliases) that the domain would like to allow to send mail. It would return a simple 0, 1, 2 type of response for yes, no, defer.

I would think that were the backend for such a service to be CDB, the load would be as light as, perhaps less than, a DNS service. Smaller mail systems could easily run it on the same host as the mail service itself; larger ones would run separate servers or share a DNS server. This type of service could also enjoy the same geographical dispersal as large DNS systems do. A CDB database wouldn't require much in terms of memory or physical resources; they are extremely fast and efficient.

Example:

  calling host mail.this.com [10.10.10.10]
  mail from [EMAIL PROTECTED]

  1. DNS request type ms 10.10.10.10
     a. response no - reject
     b. response yes
  2. DNS request type mailok this.com
     a. response no - reject
     b. response yes
  3. DNS request type mauthservice mail.this.com
     a. response none - defer
     b. response 10.10.10.11
  4. CheckSender 10.10.10.11 [EMAIL PROTECTED]
     a. response 0 - accept
     b. response 1 - deny
     c. response 2 - defer

Under such a scenario the service at 10.10.10.11 could handle requests for this.com, that.com or there.com, whatever is set up for those domains, so handling virtuals or hosting services would be no big deal.

The point is, when the whole SMTP process was originally designed no one anticipated the current state of the internet, much less the concept of someone forging addresses, domains, etc. And in terms of resources, just look at what is currently wasted trying to determine spam/ham. While I am sure the above is not perfect, it would require an ISP to be party to mass spamming; it would certainly provide a clear chain of responsibility and make enforcement of anti-spam laws much easier.

And, please don't bring up dynamic host blocking. I am currently awaiting SORBS to de-list a mail server that has never been dynamic but is part of a DSL listing. That host had symmetrical DNS for nearly 3 weeks prior to turning on the mail service and was/is still listed (although I got an email saying they were delisting it soon). In such a scenario as above, once the ISP added the proper PTR record and the mail ok record I would have been fine.

Just a looong opinion for a Sunday morning.

Rick
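A simulation of the four-step lookup chain sketched in the post above, added here as an example; it is not code from the post or from any deployed protocol. The record types "ms", "mailok" and "mauthservice" and the CheckSender reply codes 0/1/2 are taken from the post's proposal; the zone data, the sender tables, the addresses and the rules that a missing "ms" record counts as "no", an unknown address as deny (1) and an unreachable service as defer (2) are constructed assumptions for the demo.

```python
"""Simulation of the four-step sender check sketched in the post above.

Constructed example: the 'ms', 'mailok' and 'mauthservice' record types and
the CheckSender reply codes (0 accept, 1 deny, 2 defer) are the post's
proposal, not a deployed protocol. Every record and address below is made up.
"""

# Constructed "DNS" data keyed by (record type, name).
RECORDS = {
    ("ms", "10.10.10.10"): "yes",          # owner says this IP may run mail
    ("ms", "10.10.10.99"): "no",           # owner says it may not
    ("mailok", "this.com"): "yes",
    ("mailok", "that.com"): "yes",
    ("mailok", "slow.example"): "yes",
    ("mailok", "bad.example"): "no",
    ("mauthservice", "mail.this.com"): "10.10.10.11",
    ("mauthservice", "mail.that.com"): "10.10.10.11",      # one service, two domains
    ("mauthservice", "mail.slow.example"): "10.10.10.12",  # service that never answers
}

# Constructed CheckSender back ends: service address -> {sender: reply code}.
CHECK_SERVICES = {
    "10.10.10.11": {
        "user@this.com": 0,
        "alias@this.com": 0,   # aliases are listed too, as the post wants
        "bob@that.com": 0,
        "gone@this.com": 1,    # retired mailbox, explicitly denied
    },
}

REPLY_TO_VERDICT = {0: "accept", 1: "reject", 2: "defer"}


def dns_lookup(rtype, name):
    """Stand-in for a DNS query of the proposed record types; None = no record."""
    return RECORDS.get((rtype, name.lower()))


def check_sender(service_ip, sender):
    """Stand-in for the UDP CheckSender query: 0 yes, 1 no, 2 defer.

    Assumption: an unreachable service is reported as 2 (defer) and an
    address the service has never heard of as 1 (deny).
    """
    table = CHECK_SERVICES.get(service_ip)
    if table is None:
        return 2
    return table.get(sender.lower(), 1)


def verify_sender(calling_host, calling_ip, mail_from):
    """Walk the post's chain in order, stopping at the first reject or defer.

    Returns "accept", "reject" or "defer".
    """
    domain = mail_from.rpartition("@")[2]

    # 1. May this IP operate a mail service at all?
    #    (Assumption: a missing 'ms' record is handled like "no".)
    if dns_lookup("ms", calling_ip) != "yes":
        return "reject"

    # 2. Is the sender domain willing to have mail sent on its behalf?
    if dns_lookup("mailok", domain) != "yes":
        return "reject"

    # 3. Where is the address-verification service for this host?
    service = dns_lookup("mauthservice", calling_host)
    if service is None:
        return "defer"

    # 4. Ask that service whether this exact address may send mail.
    return REPLY_TO_VERDICT.get(check_sender(service, mail_from), "defer")


if __name__ == "__main__":
    for host, ip, sender in [
        ("mail.this.com", "10.10.10.10", "user@this.com"),
        ("mail.this.com", "10.10.10.99", "user@this.com"),
        ("mail.this.com", "10.10.10.10", "user@bad.example"),
        ("mail.other.com", "10.10.10.10", "user@this.com"),
        ("mail.slow.example", "10.10.10.10", "user@slow.example"),
    ]:
        print(host, ip, sender, "->", verify_sender(host, ip, sender))
```

The chain is deliberately ordered so that the cheap DNS-style answers (ms, mailok) can reject a message before the per-address service is ever contacted, which is the same cost argument the quoted Exim setup makes. One caveat the post leaves open: step 3 looks up "mauthservice" under the calling host's name, exactly as the example does. In practice the name used for that lookup would have to be one the receiver has verified rather than whatever the client announced, otherwise the sender chooses which verification service gets asked about its own address.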