On 23 Mar 2005 at 13:50, Marilyn Davis wrote about
"Re: [exim] Heads up?":
|...
| If the challenge to a spoofed message is sent at SMTP time in the
| acl_smtp_data, doesn't the challenge go to the spoofer and not become
| collateral spam?
No. Doing it at SMTP time means the challenge can be sent to the
envelope-sender address rather than address(es) extracted from the
message headers. But the envelope sender address is no more reliable
than the From: or Reply-To: addresses.
FWIW, if a C/R system *only* sent challenges to envelope senders that
have been verified by one of the schemes to prevent envelope-sender
spoofing (SPF, DK, SES, etc), *then* it would not have the collateral
spam problem. But it wouldn't be very usefull...
- Fred
