Matt Kettler writes:
> [lots of correct stuff]
> ...
> Anyone telling you spammers only or mostly use bogus return addresses
> either hasn't studied spam extensively or is deluding themselves.

Well, they *used* to use bogus addresses -- that was the case 2 or 3 years ago, before Sender Address Verification [1]. Since then, spam generally uses randomly-chosen, "real" user addresses, as Matt says.

[1]: http://taint.org/2007/03/16/134743a.html

I've written my thoughts about C-R backscatter here: [2]

[2]: http://taint.org/2005/09/11/012434a.html

The only way I can see to have a NON-abusive challenge-response system nowadays would be to restrict challenges to domains for which the challenged message passed SPF, DomainKeys or DKIM tests. (You'd still annoy your correspondents, but at least you wouldn't be creating spam for innocent third parties.) None of the C-R filters bother doing that, though.

--j.
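
The restriction proposed in the message above, sketched as an added example (not code from the original post or from any C-R filter): a challenge is allowed only when the domain of the address to be challenged is one that passed SPF or DKIM. Assumptions: the receiving MTA records its results in an `Authentication-Results` header under the hypothetical authserv-id `mx.example.net` and strips inbound headers claiming that id, domains must match exactly, and the sample message is constructed.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own MTA

# Constructed sample: spam whose forged envelope sender is victim@innocent.example
SPOOFED = (
    "Authentication-Results: mx.example.net;\n"
    " spf=fail smtp.mailfrom=victim@innocent.example;\n"
    " dkim=pass header.d=bulk.example\n"
    "From: victim@innocent.example\n"
    "Subject: hello\n\nbody\n"
)

def domain_of(value):
    """Lower-cased domain of an address (or of a bare domain); '' if empty."""
    return value.strip().strip("<>").rpartition("@")[2].lower()

def authenticated_domains(msg):
    """Domains our own MTA recorded as passing SPF or DKIM."""
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # written by another host, so forgeable: ignore
        for result in results.split(";"):
            method = re.search(r"\b(spf|dkim)\s*=\s*pass\b", result, re.I)
            if not method:
                continue
            prop = "smtp.mailfrom" if method.group(1).lower() == "spf" else "header.d"
            found = re.search(re.escape(prop) + r"\s*=\s*(\S+)", result, re.I)
            if found:
                passed.add(domain_of(found.group(1)))
    return passed

def may_challenge(raw_message, envelope_sender):
    """Allow a challenge only to an address in a domain that authenticated."""
    target = domain_of(envelope_sender)
    if not target:
        return False  # null sender (a bounce): nothing to challenge
    return target in authenticated_domains(message_from_string(raw_message))
```

For the constructed sample, `may_challenge(SPOOFED, "victim@innocent.example")` is false: the DKIM pass belongs to a different domain, so no challenge goes to the forged address.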