Sender Address Verification: Still a Bad Idea

Topics

Sections

Access Tools

Sender Address Verification: Still a Bad Idea

Apr 07, 2008 8:00 AM PST | Comments: 2

Print Email

By John Levine

A lot of spam uses fake return addresses. So back around 2000 it occurred to someone that if there were a way to validate the return addresses in mail, they could reject the stuff with bad return addresses.

A straightforward way to do that is a callout, doing a partial mail transaction to see if the putative sender’s mail server accepts mail to that address. This approach was popular for a few years, but due to its combination of ineffectiveness and abusiveness, it’s now used only by small mail systems whose managers don’t know any better.

What’s wrong with it?

The most obvious problem is that it doesn’t work to verify addresses. There’s lots of reasons why the naively implemented checks that callouts use can succeed for a non-existent address or fail for a good address. Many mail systems (including mine) accept all addresses at the RCPT TO, and reject the bad ones at the DATA command, giving the callout system the mistaken impression that bad addresses are good. Conversely, systems that implement techniques against spam blowback (bounces from spam forging their addresses) can often reject callouts because they look just like blowback, giving the callout system the mistaken impression that good addresses are bad.
Address verification is not an effective spam filter. These days most spam uses other people’s real addresses taken from the spam target lists, so all you’re verifying is that they stole someone’s address.
Callouts are abusive. Since upwards of 90% of mail is spam with forged addresses, 90% of your callouts are to people who never sent you mail or otherwise bothered you.
Callouts are likely to get you blacklisted, since the behavior of callouts is indistinguishable from spammers trying to do bulk listwashing of bad addresses.
Callouts are discredited. Every large ISP that used to do callouts, most notably Verizon, found it was counterproductive and stopped.

I was dismayed to hear just last week from an acquaintance who was trying to persuade his system manager not to use this brand new anti-spam silver bullet. I hope he succeeded.

Source Credit: This has been a featured post from John Levine, Author, Consultant & Speaker. To learn more, visit this participant's full profile page.

More Under: Spam

Stay Updated: To receive weekly email updates from CircleID sign up here or see the list of RSS feeds and mobile version of this site.

Print Email

Comments

#1 | By Tom Lowenhaupt | Apr 10, 08 @10:34 am PST

John,

Perhaps you might advise. A quick review of recent bounced emails show the following messages:

- 550 5.1.1
- Sorry, I couldn’t find a mail exchanger or IP address. (#5.4.4)
- 550 relay not permitted
- 554 5.7.1 <help@openplans.org>: Relay access denied
- 530 authentication required for relay (#5.7.1)

Are any of these the result of the “callout” practice you identify? If so, perhaps I’ll get more specific as to a remedy the next time I bring attention to the bounce.

Thanks,

Tom Lowenhaupt

Reply | Top ^

#2 | By Ale | Apr 13, 08 @01:06 am PST

In addition to the five reasons that John points out, callouts are not scalable. A server issuing a callout would do so even in response to another callout, unless it is able to detect such circularity. Circularity cannot be detected if routing peculiarities are being deployed, e.g. multihoming or nat. Infinite recursive callouts are thus likely to occur. Dummy envelope senders, such as anonymous@example.com break SMTP semantics even further.

Reply | Top ^

Start Your AdAds

Industry Updates

May 17, 2008 5:28 PM PST

Hostway to Offer Cable Companies Additional Revenue Streams at NCTA’s Cable Show ‘08

Hostway will participate in the National Cable & Telecommunications Association's Cable Show '08 as an exhibitor offering attendees additional revenue streams through its white label Web hosting program. ›››

By Hostway | Views: 31

May 15, 2008 11:28 AM PST

Overstock.com Chooses NeuStar’s UltraDNS for Managed DNS Service

NeuStar, Inc. has announced that Overstock.com, a popular online closeout retailer, has chosen NeuStar's UltraDNS Managed DNS Service to provide Overstock.com with a global DNS infrastructure that significantly enhances end-user experience and operational security -- and protects revenue in the highly competitive online retail market. ›››

By NeuStar | Views: 152

May 14, 2008 11:37 AM PST

Inside Your Domain Portfolio

We've seen a lot of changes in the domain industry over the last year, some positive, some challenging. Whether you're an old pro or just beginning, this spring is a great time to take inventory and make sure your domain business is on the right track for success this year and beyond. ›››

By Sedo | Views: 173

May 14, 2008 11:32 AM PST

Sedo at Domain Roundtable 2008, San Francisco

Domain Roundtable 2008 was an all-around successful event for Sedo. The conference was attended by the domain industry's best and brightest and the Sedo team was right there in the thick of it. ›››

By Sedo | Views: 170

May 14, 2008 11:27 AM PST

Sedo’s New Brokerage Application

Have you ever wanted to buy or sell a domain or a portfolio of domains but just didn't have the time to market it, manage and negotiate the best possible price? You can now request this premium service and work with an experienced Sedo domain broker. ›››

By Sedo | Views: 221

May 13, 2008 3:00 PM PST

ICANN Unanimously Approves RegistryPro Proposal to Expand the .Pro TLD

RegistryPro, the exclusive operator of the .Pro top level domain (TLD), has received approval from ICANN to greatly expand the scope and availability of the .Pro TLD. The newly ratified terms of service increases the number of professionals who are eligible for the TLD, extends the availability globally, and streamlines the registration process. ›››

By Hostway | Views: 335

May 06, 2008 10:16 AM PST

Oversee.net’s DomainSponsor Presents 3rd Annual DOMAINfest Global

The third annual DOMAINfest Global, the premier conference and networking event for the domain name industry, will be held at the Renaissance Hollywood Hotel in Hollywood, California from January 28-30, 2009. Event registration will open later this year. ›››

By DomainSponsor | Views: 539

May 02, 2008 10:21 AM PST

.NL Auction Sneak Peak!

Join Sedo for our much anticipated .NL auction, being held from May 2nd 4pm (EST) until May 9th at approximately 4pm (EST). As the worth of the .NL continues to increase, so does the demand. ›››

By Sedo | Views: 611

Apr 30, 2008 10:01 AM PST

dotMobi Requests Proposals for find.mobi

dotMobi today announced that is accepting proposals for find.mobi, a consumer-facing mobile search tool; find.mobi was created by dotMobi's research and development team to demonstrate an operational mobile search engine that made the most of the mobile web and needs of on-the-go users. ›››

By dotMobi | Views: 822

Apr 28, 2008 2:08 PM PST

dotMobi Offers Prime Selection of Generic Domain Names to Spur Mobile Web Growth

As part of its ongoing series of unique methods of allocating Internet domain names, dotMobi is bringing 16 "premium names" to market at Moniker's T.R.A.F.F.I.C. East Auction on May 23, 2008. ›››

By dotMobi | Views: 1058

More Industry Updates ›››