[Dshield] Raynote appealing for ISP commonsense

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sat Jan 24 01:11:21 GMT 2004

Michel, List,

On Fri, 23 Jan 2004 15:23:52 -0500 Michel Bruyere wrote:
> > How can ISP A tell whether a given email address at ISP B is valid?
> LOL 
> The ISP will send a test email to the dest address, if no NDR is received
> the real email will be sent, if a ndr is received, the email will be

Which, if implemented by both sides, would mean LOOP instead of LOL.
What you mean is Sender Callout Verification (SCV), a.k.a. Sender
Address Verification, a process that has even been patented. This
process does *not* involve sending email.

However, indeed the recipient MTA checks whether the claimed sender
exists. IIRC, it does so by opening an SMTP session (e.g. as an SMTP
client) to the site from the claimed sender's address, then sends:
  RCPT TO: <claimed_sender>
The remote MTA will respond either "User Unknown" or "OK" (the latter 
often means "could be, somewhere down the line"). Regardless of the 
answer, the client aborts the connection by sending QUIT.

If the remote MTA did NOT respond "User Unknown", SCV assumes that the
recipient, claimed_sender in the original message, exists, and thus
must have been the sender. Read again until you see both flaws.

==> SCV is FUNDAMENTALLY FLAWED when intended to combat spam.

All spammers who are currently not yet spoofing existing email
addresses, will immediately start doing so. They will use YOUR
address <mbruyere at ezemcanada.com> in the MAIL FROM: envelope header.
You will not be Rofl. You will be deleting bounces, whitelisting
requests, OoO's and some complaints. All day long. They are sent to
you by all major ISP's - you cannot block these. Eventually you will
change your email address. BTW this is called a Joe-job. More info:

Most spammers are actually doing us a "favor" by using non-existent
senders (that is, the site usually exists, but the account does not).
Don't push them into the wrong direction.

Apart from this, SCV suffers from even more problems [off topic].
P.S. I *hope* I misunderstand SCV. Please correct me if I'm wrong.
If not, stop mentioning it, and help find acceptable solutions.

Erik van Straten
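
The callout exchange described in the message above, as an added example that is not part of the original post: an offline Python model of the recipient MTA's probe, showing that the check only tests whether the claimed mailbox is accepted, not who sent the mail. RemoteMTA, MX, the function names and all addresses are constructed for illustration.

```python
# Offline model of the SCV callout; RemoteMTA, MX and all addresses are
# constructed sample data, not a real server or real mailboxes.

class RemoteMTA:
    """Toy mail exchanger for one domain; only answers RCPT TO."""
    def __init__(self, mailboxes, catch_all=False):
        self.mailboxes = set(mailboxes)
        self.catch_all = catch_all  # relay that says OK for any local part

    def rcpt_to(self, address):
        if self.catch_all or address in self.mailboxes:
            return 250, "OK"
        return 550, "User Unknown"

def callout(claimed_sender, mx_table):
    """Probe the claimed sender's domain; return (accepted, transcript)."""
    domain = claimed_sender.rsplit("@", 1)[-1]
    mta = mx_table.get(domain)
    if mta is None:
        return False, ["(no mail exchanger for %s)" % domain]
    code, text = mta.rcpt_to(claimed_sender)
    transcript = ["C: RCPT TO:<%s>" % claimed_sender,
                  "S: %d %s" % (code, text),
                  "C: QUIT"]  # sent regardless of the answer
    # SCV's rule: anything other than "User Unknown" counts as verified.
    return code != 550, transcript

def classify(messages, mx_table):
    """messages: (envelope_sender, genuinely_from_that_mailbox) pairs."""
    return [(s, genuine, callout(s, mx_table)[0]) for s, genuine in messages]

def forged_but_accepted(messages, mx_table):
    return [s for s, genuine, ok in classify(messages, mx_table)
            if ok and not genuine]

MX = {"example.org": RemoteMTA({"alice@example.org"}),
      "example.net": RemoteMTA([], catch_all=True)}
MESSAGES = [("alice@example.org", True),    # really sent by alice
            ("alice@example.org", False),   # forged, mailbox exists
            ("nobody@example.org", False),  # forged, mailbox does not exist
            ("x123@example.net", False)]    # forged, domain accepts anything

if __name__ == "__main__":
    for sender, genuine, ok in classify(MESSAGES, MX):
        print("%-20s genuine=%-5s scv_accepts=%s" % (sender, genuine, ok))
    print("forged but accepted:", forged_but_accepted(MESSAGES, MX))
```

Only the forged message naming a non-existent mailbox is rejected; the forged message naming an existing mailbox gets the same answer as the genuine one.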

