On Thu, 28 Apr 2005, Marc Sherman wrote:
>
> Chris Spak wrote:
> >
> > We would like to implement an "authorized sender" capability, this
> > would allow our customer to only receive email from people that they
> > have on their white list.
> >
> > If the incoming message is from someone not on a receiver's white
> > list then the system would save the email message for 48 hours and
> > send the sender an email form to complete. The sender would need to
> > enter their name
> > and email address. If the sender responds, the response is then sent
> > to the receiver for approval to add this person to the white list and
> > allow the message waiting and future messages to pass through to the
> > receiver.
>
> What you're talking about is called challenge/response, and is widely
> considered to be a very bad idea. For the most recent discussion on the
> topic, please read the thread rooted at:
> http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050321/msg00030.html
>
The only C/R that I've heard about and that isn't too horrible is
to perform the rejections at end-of-DATA (i.e., fakereject if you'd like),
and have the rejection text point to a web page for further info.
Direct-to-MX viruses/trojans are quite unlikely to return those
rejections to the forged senders.
This still isn't perfect (transparent port 25 redirection, etc), which
is why applying it to only 'tainted' connections may be preferable to
doing it for all.
--
--------------------------------------------------------
Dave Lugo dlugo@??? LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
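
An added illustration, not part of the original message and not Exim's shipped configuration, of the end-of-DATA rejection described above, written as an Exim ACL fragment. Assumptions: one site-wide white list file (/etc/exim/authorized_senders), "tainted" taken to mean "connecting host is listed in a DNSBL" (dnsbl.example.org is a placeholder), and www.example.org as the information page.

```conf
# --- main section ---
# Hosts we relay for; they are never challenged.
hostlist relay_from_hosts = 127.0.0.1
# Run this ACL after the message body has been received.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Our own relays and authenticated users always pass.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Reject at end-of-DATA only when BOTH hold:
  #   1. the envelope sender is not on the white list
  #      (one address per line, looked up by full address), and
  #   2. the connection is 'tainted' (assumed here: DNSBL-listed host).
  # The 5xx goes to the connecting client inside the SMTP session, so
  # this server never sends a bounce to a possibly forged sender.
  deny    message       = Sender not authorized; see http://www.example.org/authorize
          !senders      = lsearch;/etc/exim/authorized_senders
          dnslists      = dnsbl.example.org

  # Everything else is accepted as usual.
  accept
```

Because a message can have several recipients by the time DATA ends, this fragment uses one site-wide list; per-recipient white lists would need to be checked in the RCPT ACL instead.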