[Mimedefang] Checking for a valid sender

Alan Madill amadill at hwy16.com
Tue Nov 18 22:25:36 EST 2003 

> ::snip::
> 
> > Verify that the sender is real.  (there goes 90% of your spam).
> 
> You'd never be able to verify senders from my environment.  Between the
> gateway machine in my DMZ, and the Exchange servers that house the users'
> mailboxes, there are intermediate sendmail relay hosts, as well, which in
> addition to relaying per domain, are also performing both virtusertable and
> genericstable email address conversions on the fly.

Not with the existing standards.  What is revealed is that there is 
user at yourdomain.org that is sending me mail.  I would assume that 
all of your servers trust each other.  If a protocol would allow your 
gateway machine to attest to the fact that user at yourdomain.org 
was legit when the message arrived at my server that would be 
verification enough.  All that would be required is that each server in 
the chain verify with the previous one that the sender exists and was 
allowed.

> My appologies if this upsets you <snip>

It doesn't upset me at all.  What does upset me is the massive 
amounts of spam that I have to deal with and the measures that I 
have to go to in order to filter it.  I have stubbornly held onto my 
email address since the days when I posted to lists like server-linux 
and was listed as technical contact for our freenet with internic.  My 
email address is on every one of those cd's that you can buy with 20 
million addresses.  When I do give it up I might put it up for sale on 
E-Bay as a spam trap. :-)  It is to the point that I am losing legit mail.  
I have MD and SA running and they work well, tagging better than 
95% of the spam, discarding well over 50%.  But 5% of 500 
messages a day is still 25 adverts that I have to delete by hand.  
And I have to go through the SPAM folder every once and a while 
so that I can whitelist the suppliers that send me html flyers.  As an 
ISP I have to deal with the ethical and legal issues of deleting a 
message about "Best price on Viagra" to our local pharmacist or 
"Amazing medical breakthrough" to my doctor.

I rant, I'm sorry.

> The first rule of security is to never reveal more than you have to.  
<snip>

I have your email address.  :-)

Enough said.  We all spend enough time trying to patch the problem.  
Wait 'till the spammers figure out that we don't use SA on messages 
more than 100k.  My poor dialup customers....-- 
Alan Madill - Aspen House Systems
250 567-4200

More information about the MIMEDefang mailing list