-
Blogs
-
News
-
Industry
-
Community
-
Topics
A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses.
A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender's mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it's now used only by small mail systems whose managers don't know any better.
What's wrong with it?
I was dismayed to hear just last week from an acquaintance who was trying to persuade his system manager not to use this brand new anti-spam silver bullet. I hope he succeeded.
Written by John Levine, Author, Consultant & Speaker. Visit the blog maintained by John Levine here.
Related topics: Spam
To post comments, please login or create an account.
Copyright © 2002-2009 CircleID.
Iomemo Inc.
All rights reserved unless where otherwise noted.
John,
Perhaps you might advise. A quick review of recent bounced emails show the following messages:
- 550 5.1.1
- Sorry, I couldn't find a mail exchanger or IP address. (#5.4.4)
- 550 relay not permitted
- 554 5.7.1 <help@openplans.org>: Relay access denied
- 530 authentication required for relay (#5.7.1)
Are any of these the result of the "callout" practice you identify? If so, perhaps I'll get more specific as to a remedy the next time I bring attention to the bounce.
Thanks,
Tom Lowenhaupt
In addition to the five reasons that John points out, callouts are not scalable. A server issuing a callout would do so even in response to another callout, unless it is able to detect such circularity. Circularity cannot be detected if routing peculiarities are being deployed, e.g. multihoming or nat. Infinite recursive callouts are thus likely to occur. Dummy envelope senders, such as anonymous@example.com break SMTP semantics even further.
I am the owner of Junk Email Filter and we filter spam for about 4000 domains, and we actually use sender callout verification. I'll address each of your 5 points.
1) Just because it doesn't work on some systems doesn't mean it doesn't work at all. It is in fact very useful on the systems where it does work, which is most of the world. No one does a callout for every email address presented. My spam filtering system does less than 1/2 of one percent verifications and many of those are cached. You also ignore false failures by ignoring servers that reject all empty senders at the MAIL FROM phase. No one in the real world implements callback the way you are implying.
2) Your second point contradicts your third point that states 90% of sender addresses are forged.
3) Your third point is just a bare allegation of your opinion that callouts are abusive.
4) Your 4th point that callouts are likely to get you blacklisted is dead wrong. I personally am making 50k callouts a day and not getting blacklisted.
5) And finally that callouts are discredited is untrue because every major MTA has built in callout features or third party callout enhancements. My servers receive thousands of callouts a day and I use the data to white list servers. (Spammers don't do callouts - only spam filters do callouts)
You should do your homework and actually understand the technology before denouncing a technology that you haven't thought through.
There's a famous quote from Upton Sinclair that applies here.
Indeed, although in the case of Marc, I think it is not just difficult, but close to impossible. This has all come down from Marc's recent editing of the wikipedia "callback verification" article, I suggested it would be more productive to debate you here rather than there.
I'm still not sure why Marc claims that your second point contradicts your third. Maybe he is assuming that all foraged email addresses are also invalid, rather than valid ones.