[Dshield] Trapped in the Email Box

John Hardin johnh at aproposretail.com
Wed Mar 3 18:41:18 GMT 2004

On Wed, 2004-03-03 at 08:44, john beck wrote:
> Actually there is one, (but it is in the box:) I have heard talk of email 
> verification going more than checking for valid domain, i.e. 
> (idiotspammerfakeaddress at hotmail.com) where it checks just that there is 
> such a domain as hotmail.com.  The new way is verifying the complete address 
> is "real" (not spoofed).  I have heard that companies will post their valid 
> addresses for verification in some manner. 

Ooo. If not done properly the spammers will *love* that!

Maybe a DNS subdomain that doesn't allow zone transfers would be a good
way to do it: {username}.valid-email-from.aproposretail.com for example?
The DNS data system is already distributed and delegated, and a
lookup-per-message is not bad for overhead (see all the DNSBLs floating
around). Doesn't allow for names with periods or underscores, though.
Some escaping mechanism is needed. Percent-encode any non-alphanum

> But until this is implemented 
> widely the mechanism is not going to work (i.e. cannot talk to people who do 
> not subscribe to this technology for verification)

That's a basic problem of *any* validation scheme.

> And it may be written in the SMTP protocol (the validation).

I wager that will just hamper adoption.
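
The per-address DNS lookup proposed in this message, as an added example that is not part of the original post. The function names, the lowercasing of the local part, the byte-wise percent-encoding rule, the injected resolver and the example.com sample zone are all assumptions made for illustration.

```python
import string

SAFE = set(string.ascii_lowercase + string.digits)
ZONE_PREFIX = "valid-email-from"   # label taken from the post's example name

def encode_local_part(local):
    """Percent-encode every byte that is not a-z or 0-9 (assumed escaping rule).

    DNS matches names case-insensitively, so the local part is lowercased
    first. '%' itself becomes %25, which keeps the encoding unambiguous.
    Note that '%' is outside hostname (letter-digit-hyphen) syntax; the
    scheme relies on DNS labels being allowed to carry arbitrary octets.
    """
    return "".join(
        chr(b) if chr(b) in SAFE else "%%%02x" % b
        for b in local.lower().encode("utf-8")
    )

def query_name(address, prefix=ZONE_PREFIX):
    """Build {username}.valid-email-from.{domain} for a sender address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an address: %r" % address)
    label = encode_local_part(local)
    if len(label) > 63:            # escaping triples the size of each escaped byte
        raise ValueError("encoded local part exceeds the 63-octet label limit")
    name = "%s.%s.%s" % (label, prefix, domain.lower().rstrip("."))
    if len(name) > 253:
        raise ValueError("query name exceeds 253 octets")
    return name

def sender_is_published(address, resolve):
    """resolve(name) is caller-supplied: list of records, [] when no such name."""
    try:
        return bool(resolve(query_name(address)))
    except ValueError:
        return False               # unencodable sender: treat as not published

# Constructed zone data standing in for a real resolver (runs offline).
SAMPLE_ZONE = {
    "alice.valid-email-from.example.com": ["127.0.0.2"],
    "first%2elast.valid-email-from.example.com": ["127.0.0.2"],
}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])
```

Because each name must be queried individually and the zone refuses transfers, a receiver can confirm one sender per lookup without the zone handing out the full address list.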

