[Dshield] Raynote appealing for ISP commonsense

John Hardin johnh at aproposretail.com
Sun Jan 25 20:37:45 GMT 2004


Erik van Straten said:
> Michel, List,
>
> On Fri, 23 Jan 2004 15:23:52 -0500 Michel Bruyere wrote:
>> > How can ISP A tell whether a given email address at ISP B is valid?
>>
>> LOL
>> The ISP will send a test email to the dest address, if no NDR is
>> received
>> the real email will be sent, if a ndr is received, the email will be
>> /DEV/NULLed
>
> Which, if implemented by both sides, would mean LOOP instead of LOL.

I think several people here are a bit humor-challenged... :)

> What you mean is Sender Callout Verification (SCV), a.k.a. Sender
> Address Verification, a process that has even been patented. This
> proces does *not* involve sending email.

Yes, well, a TCP/SMTP connect is still rather expensive for both parties.

> However, indeed the recipient MTA checks whether the claimed sender
> exists. IIRC, it does so by opening an SMTP session (e.g. as an SMTP
> client) to the site from the claimed sender's address, then sends:
>   MAIL FROM: <>
>   RCPT TO: <claimed_sender>
> The remote MTA will respond either "User Unknown" or "OK" (the latter
> often means "could be, somewhere down the line"). Regardless of the
> answer, the client aborts the connection by sending QUIT.

Jaysus. Somebody patented *THAT*? That's been common practice since SMTP
was first defined as a protocol!

> If the remote MTA did NOT respond "User Unknown", SCV assumes that the
> recipient, claimed_sender in the original message, exists, and thus
> must have been the sender. Read again until you see both flaws.
>
> ==> SCV is FUNDAMENTALLY FLAWED when intended to combat spam.

No argument here.

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192




More information about the list mailing list