Marilyn Davis wrote:
>
> Thank you! Ok, I'm finished with spf.
>
> I have one more question, if anyone still has the patience to answer me.
>
> If the challenge to a spoofed message is sent at SMTP time in the
> acl_smtp_data, doesn't the challenge go to the spoofer and not become
> collateral spam?

No. The challenge is sent as a separate email to the return path
(envelope from), not as an SMTP rejection. That challenge mail will go
to the same address regardless of when it is sent. There are three
possibilities here:

1) Bogus return address: the challenge gets rejected at SMTP time, the
   original message is blackholed, no-one is annoyed. This is the same way
   that sender callout verification works.

2) Valid return address on real mail: the original sender gets the
   challenge, and is annoyed.

   2a) The original sender answers the challenge, and the recipient
       gets the original mail.

   2b) The original sender ignores the challenge, and the original mail
       is blackholed.

3) Faked return address (joe job): Some innocent third party gets the
   challenge, and is annoyed.

Cases 2 and 3 both suck, but case 2 is between the sender and the
recipient; I don't really care much there. Case 3 is the real problem
with c/r. I got joe-jobbed last year, and received a ton of bogus C/Rs.
At the time, I just trained my spam filter (spambayes back then) to
recognize them. I kind of wish I had that system filter I posted this
morning to automatically approve delivery of all that spam, now.

- Marc