Rob McEwen wrote:
Marc Perkel said:
If someone is sending email using one of my domains I want people
verifying the sender addresses. That way spam that is spoofing my
domains won't get delivered.
Marc:
(1) Sure, this covers spoofing where the alias is invalid for that
domain, but it doesn't do anything about Joe Jobs of e-mail addresses
that really do exist. That is unfortunately because the ones that do
exist are the least quickly provably innocent. IOW, if the spammer is
using my domain in the "From:" address, but choosing an address that
doesn't realy exist, then anyone investigating it further can quickly
and easily discover that messages sent to the non-existant user will
receive an "unknown address" SMTP error code. Likewise, outscatter
will also be a greater problem with real e-mail addresses, but not
much of a problem at all with non-existant addresses. So while your
point is valid, it is very limited.
I always verify the recipient exists before verifying the sender.
(2) On the other hand, consider the scenerio where a single e-mail
address is Joe Jobbed in millions of spams... and that address is
valid (and this is quite common as worms play musical chair with
infected computers address books... using real, not guessed,
addresses!). If more ISPs were using SAV... particularly large ones...
wouldn't that essentially triigger such a large amount of SAV traffic
for that particular innocent domain's mail server that it would then
turn into a DDOS attack... just for a single large spam run?
If someone did that their IP address would be quickly blacklisted and
their server shut down. They wouldn't be able to send millions of emails
that way. Your senereo is impossible.
Therefore, I suppose that SAV is relatively harmless if fewer and
smaller ISPs use it... but it could cause many problems if more widely
adopted. It fails the "what if everyone were doing this" test.
You have to do SAV right. I eliminate all the spambot spam first. Then I
cull out the blacklisted spam. Then I fasttrach the whitelisted hosts
which allows about 65% of all god email through. Then I cull out other
tricks that only spammers use. I then verify the recipient and after
all that I verify the sender. So I'm only verifying less that 1% of all
incoming connections. But the verification cuts out a lot of spam before
going into SA.
And - more importantly - spammers don't use my donains to spam others
because my servers are SAV friendly and spammer prefer using domains
that either pass everything.
