Sender callback, was Re: [Exim] ADMINISTRIVIA: Putting my mo…

Author: Alan J. Flavell
Date:  
To: Exim users list
Old-Topics: Re: [Exim] ADMINISTRIVIA: Putting my money where my mouth is...
Subject: Sender callback, was Re: [Exim] ADMINISTRIVIA: Putting my money where my mouth is...
On Wed, 21 May 2003, Nigel Metheringham wrote:

> It picks up a lot of the attempted spam injections which are using
> sender addresses which don't check out.


Indeed. We keep a local list of (exact or wildcarded) domains for
which sender callback appears to us to be a productive activity, and
use it as one of the criteria for accepting mail. For many of the
domains whose addresses are counterfeited by spammers, however, it's a
waste of effort trying callback, since the responsible MX always says
the address is OK (e.g. @msn.com). So we leave those out of our list,
and only put new domains into the list after verifying that they
respond usefully, except for some wildcards like *.com.br, *.co.kr
etc. (obviously, readers should adapt these ideas to their own
particular situation!).

> It doesn't prevent forged injections using a valid sender address, but
> it does at least raise the bar.


As a matter of long-term policy, doing these callbacks is probably a
poor idea, because it will persuade spammers to counterfeit valid
sender addresses, and thus raise the level of "collateral spam" (see
http://www.ja.net/mail/junk/collateral.html for a useful briefing, but
you knew that).

Nevertheless, in the short term we're finding the procedure to be
efficacious in quite a range of cases (it also points up domains for
which there is no working mail server at all, and those then get put
into a separate rejection list as being "unreachable domains"). It's
looking to me as if email will become unusable in the medium to long
term unless some much more effective weapon is developed against
spamming, so for the moment I'm willing to risk the tendency of the
present procedure to promote collateral spam and hope for a better
weapon before it gets too bad. But I'd respect anyone else's views if
they saw things differently.

best regards
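
The list-driven policy described in the message above, sketched as an added example (not code from the original post or from Exim). The domain lists, the outcome labels and the function names are constructed assumptions; only the `*.com.br` and `*.co.kr` wildcards and the msn.com case come from the message.

```python
# Added example: constructed lists and outcome labels, not the poster's data.
CALLBACK_DOMAINS = ["example.org", "*.com.br", "*.co.kr"]  # callback is productive
UNREACHABLE_DOMAINS = ["dead.example"]                     # no working mail server


def domain_matches(domain, patterns):
    """Exact match, or '*.suffix' meaning 'ends with .suffix'."""
    domain = domain.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if domain.endswith(pat[1:]):
                return True
        elif domain == pat:
            return True
    return False


def sender_action(sender):
    """Decide what to do with an envelope sender before accepting mail."""
    if sender in ("", "<>"):
        return "skip-callback"        # null sender (bounces): nothing to verify
    local, at, domain = sender.rpartition("@")
    if not at or not local or not domain:
        return "skip-callback"        # unqualified address: leave to other checks
    if domain_matches(domain, UNREACHABLE_DOMAINS):
        return "reject-unreachable"
    if domain_matches(domain, CALLBACK_DOMAINS):
        return "callback"
    return "skip-callback"            # e.g. domains whose MX accepts anything


def vet_domain(outcomes):
    """Classify a candidate domain from callback results for bogus addresses.

    outcomes: list of 'accepted', 'rejected' or 'no-server' (assumed labels).
    """
    if not outcomes:
        return "unknown"
    if all(o == "no-server" for o in outcomes):
        return "unreachable"          # candidate for the rejection list
    if any(o == "rejected" for o in outcomes):
        return "useful"               # callback discriminates: add to the list
    return "accepts-all"              # MX says OK to anything: leave it out
```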