Click the comments link on any
story to see comments or add your own.
Subscribe to this blog
RSS feed
|
Home :: Email
20 Apr 2008
A lot of spam uses fake return addresses.
So back around 2000 it occurred to someone that if there were a
way to validate the
return addresses in mail, they could reject the stuff with bad
return addresses.
A straightforward way to do that is a callout, doing a partial
mail transaction to see if the putative sender's mail server accepts
mail to that address.
This approach was popular for a few years, but due to its combination
of ineffectiveness and abusiveness, it's now used only by small
mail systems whose managers don't know any better.
What's wrong with it?
- The most obvious problem is that it
doesn't work to verify addresses. There's lots of reasons why
the naively implemented checks that callouts use can succeed for a
non-existent address or fail for a good address.
Many mail systems (including mine) accept all addresses at the RCPT TO,
and reject the bad ones at the DATA command, giving the callout system
the mistaken impression that bad addresses are good.
Conversely, systems that implement techniques against spam blowback
(bounces from spam forging their addresses) can often reject callouts
because they look just like blowback, giving the callout system the
mistaken impression that good addresses are bad.
- Address verification is not an effective spam filter.
These days most spam uses
other people's real addresses taken from the spam target lists, so all
you're verifying is that they stole someone's address.
- Callouts are abusive. Since upwards of 90% of mail is spam with forged
addresses, 90% of your callouts are to people who never sent you
mail or otherwise bothered you.
- Callouts are likely to get you blacklisted, since the behavior of callouts
is indistinguishable from spammers trying to to do bulk listwashing
of bad addresses.
- Callouts are discredited. Every large ISP that used to do callouts, most
notably Verizon, found it was counterproductive and stopped.
I was dismayed to hear just last week from an acquaintance who was trying
to persuade his system manager not to use this brand new anti-spam
silver bullet.
I hope he succeeded.
Stable link is https://jl.ly/Email/callout.html
|
Topics
My other sites
Who is this guy?
Airline ticket info
Taughannock Networks
Other blogs
CAUCE It turns out you don’t need a license to hunt for spam. 206 days ago
A keen grasp of the obvious Italian Apple Cake 764 days ago
Related sites
Coalition Against Unsolicited Commercial E-mail
Network Abuse Clearinghouse
My
Mastodon feed
|