Marc,
Overall good answers... but about six months ago, one of my users was joe
jobbed in "biblical proportions"... in this case, the spammer chose this
one "real" address and that spammer must have either sent the bots this
info, or pre-programmed the bots. When the spam run started, this particular
user was then the "from" address in many spams sent from many different IPs
and, as a result, he received hundreds of incoming outscatter per day (the
vast majority of which were blocked by my spam filter). The outscatter
often showed the headers of the original spam and from that I was able to
determine that this was originating from an army of bots... NOT merely one
IP. Because the outscatter I saw was mail returned from that fraction of a
percent of mail servers which are misconfigured, the actual spam run must
have been in the 10s of thousands... or even millions per day.
Combine this with the fact that I highly doubt that anyone else's
implementation of SAV would be as surgically targeted as yours, no matter
how hard they try, and my mail server might have been brought to its knees
had all the major ISPs used SAV at that time!
It would be interesting if there were a central "clearinghouse" server which
could do the SAV one time (with each new request not yet in the DB) and then
cache the results for everyone else to do some kind of DNS query to this one
server. But this is not feasible because if random aliases are used in the
FROM address then the database for this server could grow unbelievably large
to a point where it would be rendered useless. Also, this would be a
valuable resource for spammers to verify addresses in their own address
lists! So... forget that idea!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
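
The header analysis described in the message above (reading the original spam's headers out of each bounce to see how many sending IPs are involved), as an added example that is not part of the original email. It assumes each bounce quotes the original headers as a `text/rfc822-headers` or `message/rfc822` part and that the topmost `Received` line was written by the bouncing server; the sample bounces are constructed and use documentation-range IPs.

```python
import re
from collections import Counter
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# IPv4 literal in square brackets, as most MTAs log the connecting client.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_headers(bounce):
    """Return the bounced message's headers as a Message, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
        if ctype == "message/rfc822":
            return part.get_payload(0)
    return None

def source_ip(raw_bounce):
    """IP the bouncing server saw, taken from the topmost Received line.

    Assumption: lower Received lines may be forged by the sender, so only
    the first one (added by the server that generated the bounce) is used.
    """
    headers = original_headers(message_from_bytes(raw_bounce, policy=policy.default))
    received = headers.get_all("Received", []) if headers is not None else []
    match = IPV4_IN_BRACKETS.search(str(received[0])) if received else None
    return match.group(1) if match else None

def summarize(raw_bounces):
    """Count bounces per source IP; many distinct IPs points to a botnet run."""
    return Counter(ip for ip in map(source_ip, raw_bounces) if ip)

def make_bounce(src_ip):
    """Build a constructed bounce that quotes the original spam's headers."""
    quoted = (f"Received: from bot (unknown [{src_ip}]) by mx.example.net; 1 Jan 2007\n"
              "From: user@example.org\nSubject: constructed sample\n")
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@mx.example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content("Delivery to the recipient failed.")
    msg.add_attachment(quoted, subtype="rfc822-headers")
    return msg.as_bytes()

# Constructed sample set: four bounces from three distinct sources.
SAMPLE = [make_bounce(ip) for ip in
          ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.10")]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    print(len(counts), "distinct sources:", dict(counts))
```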