Sender Address Verification: Still a Bad Idea

Apr 07, 2008 8:00 AM PST
Comments: 2
Views: 2,301

A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses.

A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender's mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it's now used only by small mail systems whose managers don't know any better.

What's wrong with it?

The most obvious problem is that it doesn't work to verify addresses. There's lots of reasons why the naively implemented checks that callouts use can succeed for a non-existent address or fail for a good address. Many mail systems (including mine) accept all addresses at the RCPT TO, and reject the bad ones at the DATA command, giving the callout system the mistaken impression that bad addresses are good. Conversely, systems that implement techniques against spam blowback (bounces from spam forging their addresses) can often reject callouts because they look just like blowback, giving the callout system the mistaken impression that good addresses are bad.
Address verification is not an effective spam filter. These days most spam uses other people's real addresses taken from the spam target lists, so all you're verifying is that they stole someone's address.
Callouts are abusive. Since upwards of 90% of mail is spam with forged addresses, 90% of your callouts are to people who never sent you mail or otherwise bothered you.
Callouts are likely to get you blacklisted, since the behavior of callouts is indistinguishable from spammers trying to do bulk listwashing of bad addresses.
Callouts are discredited. Every large ISP that used to do callouts, most notably Verizon, found it was counterproductive and stopped.

I was dismayed to hear just last week from an acquaintance who was trying to persuade his system manager not to use this brand new anti-spam silver bullet. I hope he succeeded.

See Related Topics: Spam

This has been a featured post from John Levine, Author, Consultant & Speaker. To stay updated with CircleID via Email, RSS, Mobile Handsets or Twitter, visit the CircleID Extras page.

Comments

Re: Sender Address Verification: Still a Bad Idea Tom Lowenhaupt – Apr 10, 2008 10:34 AM PST

John,

Perhaps you might advise. A quick review of recent bounced emails show the following messages:

- 550 5.1.1
- Sorry, I couldn't find a mail exchanger or IP address. (#5.4.4)
- 550 relay not permitted
- 554 5.7.1 <help@openplans.org>: Relay access denied
- 530 authentication required for relay (#5.7.1)

Are any of these the result of the "callout" practice you identify? If so, perhaps I'll get more specific as to a remedy the next time I bring attention to the bounce.

Thanks,

Tom Lowenhaupt

Re: Sender Address Verification: Still a Bad Idea Ale – Apr 13, 2008 1:06 AM PST

In addition to the five reasons that John points out, callouts are not scalable. A server issuing a callout would do so even in response to another callout, unless it is able to detect such circularity. Circularity cannot be detected if routing peculiarities are being deployed, e.g. multihoming or nat. Infinite recursive callouts are thus likely to occur. Dummy envelope senders, such as anonymous@example.com break SMTP semantics even further.