Sendmail Validating MAIL FROM

Hey Shawn,

I've never heard of such a beast, but your idea is a great one. Such a product would be a great asset to everyone. To play devil's advocate though, I thought of a couple questions:

Would the module (i'm assuming it would be a module for current MTAs) require a the server to be running a matching module?

How do you think this would affect network traffic and would it cause excessive network congestion? (given the tradeoff from decreased spam to a couple verification packets i wouldn't be too worried about this)

I've forwarded your post to an ex-prof of mine who's sort of my personal Linux guru. I'll let you kinow what he says.

 

Hey Shawn,

I was talking to the ex-prof of mine, and he said the following:

I was planning on just posting an excerpt of this, but found it to be pretty interesting, and posted the whole thing.

 

It's really too bad that we're the only two posting on this topic. Personally, I find it to be really interesting.

What about a solution similar to the implementation of ORBD. I'm not saying a common database, that would just be silly, more about WHEN the ORBD database is loaded, and get in there.

Like I said, I don't know where that hapens in the sendmail cycle, or if this will help at all, but now i'm just babbling on, so I'll stop.

 

It's been a while since I've futzed with sendmail stuff (yes, many years ago I even used to tweek raw sendmail.cf's - give me a root canal instead please! ;-), but I remember a few years ago Eric Allman at an evening Usenix function talking about some new features called "Milters" that were going to be plug-ins at the MTA level to deal with stuff like this; that is, of course, where it should be handled.

I haven't really followed it for a while, and I'm guessing Shawn has looked into this (although he said he didn't want to re-compile sendmail, and in the foggy recesses of my mind, I seem to remember that was neccessary - i.e. not just a .mc -> .cf -> HUP sendmail change), so maybe not adding much to the discussion.

spam is one royal, royal pain - I wish I had never put my Email address on www.komar.org years ago (I took it down a while back replaced by a CGI script), but it just lives on - heck, I've even though about "throwing away" my Email address, but I like it! ;-)

alek

P.S. Shawn: Your approach assumes, of course, that the reply-address will ALWAYS be valid for "legit" Email - I can imagine auto-responders or whatever that are misconfigured generating a "noreply@" Email address that they fail to actually accept Email for (before presumably dumping it on the floor anyway). So while this would be "their fault", you might not get a valid message.

I do agree this is the <1% of Emails that would fail your test - vast, vast majority would be spam with no legit return address.

 

Alek, you bring up a good point with the auto-responders. I had briefly considered that issue but was mostly thinking of submit forms on my sites. Of course problems with those are easy to fix since you control the site anyways. One way that you could get around that would be by interrogating the email as it's sent - from my experience the fake addresses bounce when replied to.

Or we could just drag every spammer out into the street and throw one stone at him for every email he's ever sent. (perhaps it's unfair to assume spammers are all men, but let's face it... that hot chick that's asking for our website in ICQ is really a guy)

 

How 'bout having the Hulk drop from a two story houseon top of 'em for every spam Email they have sent out! ;-)

Spammers have seriousely degraded the usefullness of Email,
alek

P.S. Shawn: bummer on the domain registrations being a harvesting pit for the spammers - kinda defeats the whole purpose of whois. I agree that SMTP needs a replacement and as I'm sure you are aware, there are various proposals out there, but it's going to be a while.

 

AMEN!!!!
alek

P.S. Since anti-spam filters are basically a requirement now, it is unavoidable that they incorrectly classify some "good" Email, so there is now a fair amount of doubt if your "legit" messages get to people ... or vice-verse.

 

FYI FWIW: Looks like Postfix2.1 was just released - Wietse had done some nifty stuff over the years (with a real focus on security), and while I don't have any direct experience with this, I bet it's pretty decent.

As you probably allready know, qmail is another option besides sendmail, but there seems to be a real love/hate relationship with qmail and the author, so your mileage may vary.

alek

 

hello, I am new user just saw your details while searching on google.
I am also facing same problem. have you got any solution for this.
Please mail me on vaishali.chitale@kbl.co.in

 

Since anti-spam filters are basically a requirement now, it is unavoidable that they incorrectly classify some "good" Email, so there is now a fair amount of doubt if your "legit" messages get to people ... or vice-verse.