Tool for validating sender address as spam-fighting technique?
Jeffrey Goldberg
jeffrey at goldmark.org
Sun Mar 11 23:12:00 UTC 2007
[mailed and posted]
On Mar 10, 2007, at 1:27 PM, Kelly Jones wrote:
> To fight spam, I want to validate the address (not necessarily in
> real-time) of a given email sender. Is there a Unix tool that does
> this?
>
> The basics are simple: to validate "kmnyqi at wnonline.net", I connect to
> the MX record of wnonline.net and go as far as "RCPT TO" as follows:
>
[...]
> RCPT TO: <kmnyqi at wnonline.net>
> 550 <kmnyqi at wnonline.net>: Recipient address rejected: 5.1.1
> <kmnyqi at wnonline.net>... User unknown
>
>
> This tells me kmnyqi at wnonline.net is an invalid address and that mail
> from that address is probably bogus.
>
> A more sophisticated tool would cache results, handle temporary
> failures [...]
In some anti-spam discussions what you are proposing is referred to
as "call-backs".
> I realize this technique is far from perfect:
>
> Spammers spoof legit addresses
Indeed they do. As someone who has at times received more than 100
bounces per minute over the span of a week because some spammer
decided that my address would be a good one to forge, I am well aware
of that.
In general, we have a question of how well any spamming counter
measure scales. If most SMTP servers did the kind of verification
you wish to do, then most spam would be sent with forged genuine
addresses. So when considering using such a system, consider the
overall cost to legitimate users vs the counter counter measures
spammers will take.
In this case the counter counter measures available to spammers are so
much easier and cheaper than the verification system itself, that
it's not really a good idea to try such verification.
> Bounces/Mailing lists/etc legitimately use "do not reply" addresses
>
> It could be considered unfriendly to the target MX servers
As you've already seen, some managers of MXes complain, others find
the added load negligible.
> Some mail servers incorrectly say "user unknown" when they see spam,
> figuring it's more of a deterrent than saying "you're a spammer"
Yes. An unknown user response is more likely to get the address
removed from a list than a policy bounce.
> Some mail servers inefficiently accept mail for "foo at xxx.com" (where
> xxx.com is one of their domains), figure out if foo exists later, and
> send a bounce back to the envelope sender, instead of rejecting email
> at the SMTP level
Yes. While I'm a believer in "reject early, reject often" lots of
sites don't or can't say that an address is bad at SMTP RCPT TO:
time. Often these are situations where an MS-Exchange server is the
"real" mailhub for an organization, but it is being protected from
direct access from the Internet by having a Unix box stand between it
and the network.
Other MTAs just accept and then bounce (instead of rejecting at SMTP
time) as a matter of (mis)design.
Some very deliberately don't provide verification at SMTP time as a
means to make it harder for spammers to collect email addresses.
Indeed, this is why the VRFY command is almost never implemented by
SMTP servers these days.
Anyway, others have pointed you to tools for doing what you want.
The newsgroups or mailing lists (and FAQs) for the particular MTA you
use will point you to how to plug in such tools into their MTA.
As I've suggested, I'm not a particular fan of this particular
counter measure, but you will have seen that opinions differ.
Cheers,
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
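The call-back probe the question describes, together with the caching and temporary-failure handling it asks for, as an added example that is not code from this thread or from any MTA. It classifies the RCPT TO reply the way the replies above say it should be read: a 5.1.1 "User unknown" is the only answer that speaks about the mailbox (and may still be a disguised policy rejection), any other 5xx is a rejection that may be aimed at the probing host, 250 proves nothing on an accept-then-bounce server, and 4xx is no evidence at all and is cached only briefly. The verdict names, CallbackCache, ScriptedTransport and the reply lines are constructed for the example; the 550 line mirrors the one in the question, the others are made up. A real tool would open a TCP socket to the domain's MX host where the example uses ScriptedTransport.

```python
"""Sender-address call-back probe with reply classification and caching.

Added example, not code from the thread. The verdict names, CallbackCache,
ScriptedTransport and SAMPLE_REPLIES are constructed so the SMTP dialogue
can be exercised offline; a deployment would connect to the domain's MX.
"""
import time

# Verdicts for one RCPT TO probe
USER_UNKNOWN = "user_unknown"  # 5xx with 5.1.1 / "User unknown": no such mailbox (or the server is lying)
REJECTED = "rejected"          # other 5xx: policy rejection, possibly aimed at the probing host
ACCEPTED = "accepted"          # 250: accept-then-bounce servers say this for any address
TEMPFAIL = "tempfail"          # 4xx (greylisting etc.): no evidence either way, retry later
UNKNOWN = "unknown"            # protocol failure before RCPT TO could be evaluated


def read_reply(transport):
    """Read one SMTP reply, following 'NNN-' continuation lines; return (code, text)."""
    lines = []
    while True:
        line = transport.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":   # final line has a space after the code
            break
    return lines[-1][:3], "\n".join(lines)


def classify_rcpt_reply(code, text):
    """Map the RCPT TO reply to a verdict; only this reply says anything about the mailbox."""
    if code == "250":
        return ACCEPTED
    if code.startswith("4"):
        return TEMPFAIL
    if code.startswith("5"):
        return USER_UNKNOWN if ("5.1.1" in text or "user unknown" in text.lower()) else REJECTED
    return UNKNOWN


def callback_probe(transport, address, helo="probe.example", mail_from="<>"):
    """Banner / EHLO / MAIL FROM / RCPT TO / QUIT; the null sender <> keeps the probe unreplyable."""
    code, _ = read_reply(transport)                       # banner
    if code != "220":
        return TEMPFAIL if code.startswith("4") else UNKNOWN
    for command in ("EHLO " + helo, "MAIL FROM:" + mail_from):
        transport.send(command + "\r\n")
        code, _ = read_reply(transport)
        if code != "250":
            transport.send("QUIT\r\n")
            return TEMPFAIL if code.startswith("4") else UNKNOWN
    transport.send("RCPT TO:<%s>\r\n" % address)
    code, text = read_reply(transport)
    transport.send("QUIT\r\n")                            # never proceed to DATA
    return classify_rcpt_reply(code, text)


class CallbackCache:
    """Remember verdicts per address; permanent answers live longer than temporary ones."""
    TTL = {USER_UNKNOWN: 24 * 3600, ACCEPTED: 6 * 3600, REJECTED: 3600,
           TEMPFAIL: 300, UNKNOWN: 300}

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}

    def get(self, address):
        entry = self._store.get(address.lower())
        return entry[0] if entry is not None and entry[1] > self._clock() else None

    def put(self, address, verdict):
        self._store[address.lower()] = (verdict, self._clock() + self.TTL[verdict])


def verify_sender(address, connect, cache):
    """Return (verdict, from_cache); connect(domain) must return an open transport."""
    cached = cache.get(address)
    if cached is not None:
        return cached, True
    verdict = callback_probe(connect(address.rsplit("@", 1)[1]), address)
    cache.put(address, verdict)
    return verdict, False


class ScriptedTransport:
    """Constructed stand-in for a socket: replays a fixed server script line by line."""
    def __init__(self, rcpt_reply):
        self.sent = []
        self._lines = ["220 mx.example ESMTP\r\n",
                       "250-mx.example\r\n", "250 PIPELINING\r\n",   # multi-line EHLO reply
                       "250 2.1.0 Ok\r\n", rcpt_reply + "\r\n", "221 2.0.0 Bye\r\n"]

    def send(self, data):
        self.sent.append(data)

    def readline(self):
        return self._lines.pop(0) if self._lines else ""


# Constructed reply lines; the first mirrors the 550 quoted in the question.
SAMPLE_REPLIES = {
    "kmnyqi@wnonline.net": "550 5.1.1 <kmnyqi@wnonline.net>: Recipient address rejected: User unknown",
    "someone@accepts-all.example": "250 2.1.5 Ok",
    "anyone@greylist.example": "450 4.7.1 Greylisted, try again later",
    "probe@strict.example": "554 5.7.1 Client host rejected",
}


def demo(cache=None):
    """Probe each sample address twice; return {address: (verdict, second call served from cache)}."""
    cache = cache if cache is not None else CallbackCache()
    results = {}
    for address, reply in SAMPLE_REPLIES.items():
        connect = lambda domain, reply=reply: ScriptedTransport(reply)
        verdict, _ = verify_sender(address, connect, cache)
        _, from_cache = verify_sender(address, connect, cache)
        results[address] = (verdict, from_cache)
    return results


if __name__ == "__main__":
    for address, (verdict, cached) in demo().items():
        print("%-30s %-13s cached on retry: %s" % (address, verdict, cached))
```

Only USER_UNKNOWN is treated as a long-lived answer; REJECTED expires sooner because it is as likely to be a statement about the probing host as about the address, and TEMPFAIL is kept just long enough to avoid hammering a greylisting server during one burst of mail.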