[Dshield] Raynote appealing for ISP commonsense
johnh at aproposretail.com
Sun Jan 25 20:37:45 GMT 2004
Erik van Straten said:
> Michel, List,
> On Fri, 23 Jan 2004 15:23:52 -0500 Michel Bruyere wrote:
>> > How can ISP A tell whether a given email address at ISP B is valid?
>> The ISP will send a test email to the dest address, if no NDR is
>> the real email will be sent, if a ndr is received, the email will be
> Which, if implemented by both sides, would mean LOOP instead of LOL.
I think several people here are a bit humor-challenged... :)
> What you mean is Sender Callout Verification (SCV), a.k.a. Sender
> Address Verification, a process that has even been patented. This
> proces does *not* involve sending email.
Yes, well, a TCP/SMTP connect is still rather expensive for both parties.
> However, indeed the recipient MTA checks whether the claimed sender
> exists. IIRC, it does so by opening an SMTP session (e.g. as an SMTP
> client) to the site from the claimed sender's address, then sends:
> MAIL FROM: <>
> RCPT TO: <claimed_sender>
> The remote MTA will respond either "User Unknown" or "OK" (the latter
> often means "could be, somewhere down the line"). Regardless of the
> answer, the client aborts the connection by sending QUIT.
Jaysus. Somebody patented *THAT*? That's been common practice since SMTP
was first defined as a protocol!
> If the remote MTA did NOT respond "User Unknown", SCV assumes that the
> recipient, claimed_sender in the original message, exists, and thus
> must have been the sender. Read again until you see both flaws.
> ==> SCV is FUNDAMENTALLY FLAWED when intended to combat spam.
No argument here.
John Hardin KA7OHZ <johnh at aproposretail.com>
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
More information about the list