[Mimedefang] Sender Address Verification
Bill Cole
mdlist-20140424 at billmail.scconsult.com
Tue Nov 22 13:55:51 EST 2016

On 19 Nov 2016, at 7:01, Simon Standley wrote:
> Guys,
>
> In conversations on this list in days gone by, I seem to recall sender
> address verification via the likes of smf-sav milter, or through
> mimedefang, was considered evil heresy, likely to get you blacklisted.

Yes. For good reason. If you ever have random addresses in a domain you
handle forged on a big spam run aimed at one of the few sites still
doing SAV, you'll understand why. Some years ago miscreants could (and
did) use Verizon's SAV-ing mail system as a tool of reflection DDoS
attacks.

> Recently though, I've seen an increasing number of recipients do this
> kind of thing when we send mail out, and personally I've always liked
> the idea.

And yet indiscriminate SAV remains a fundamentally abusive practice,
unchanged by how much of it you see or what you think of it...
SAV is a mechanism for offloading your anti-spam work to random innocent
victims of forgery. You can mitigate that abuse to a great extent by
only doing SAV when a SPF check of the sender domain returns an
affirmative result, but when you restrict your use of SAV to that degree
you sharply reduce the ratios of repudiation to verification AND of
correct repudiation to incorrect repudiation. Or in simpler terms: it
becomes less useful and less accurate. Doing SAV on an address that
fails or softfails a SPF check is lazy and abusive.

> For this reason, I've been trying out various schemes on a test
> domain, and find tagging mail which cannot be replied to (for reason
> of non-existent user, rather than broken DNS) for later 'mark-up' by
> SpamAssassin, works quite well.

Can you quantify that "quite well?" How often is the SAV tag decisive in
catching spam?

> I was wondering what current thoughts were re- this kind of approach,
> and if anyone else had good/bad results to share?

I help run a mail system where the ultimate policy authority had been an
unmovable fan of SAV for many years, despite my insistence that it was
JUST WRONG and not really very useful as an adjunct to SA because
forging undeliverable senders is an obsolete tactic of shoddy spammers
whose crap is mostly going to score in double digits anyway, with much
of the rest still triggering SA autolearning as spam. After 2 years of
pleading, I got him to accept tag+filter SAV instead of outright
rejection. This revealed that not only was I correct in my prediction
(the SAV rule was never decisive in a correct SA 'spam' determination in
the course of 6 weeks) but that the SAV implementation was flawed,
interpreting some 5xx replies to RCPT as "no such user" incorrectly and
causing incorrect classification as spam. This got worse in week 7, when
the IP address used for SAV did in fact land on some blacklists because
one or more of the addresses it tried to test were spamtraps.
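An added example, not code from the post, from MIMEDefang, or from the mail system Bill Cole describes: a small Python classifier (rather than a MIMEDefang Perl filter) that models the two safeguards the reply argues for. It only performs a callout when the sender domain's SPF result is "pass", and it maps the RCPT TO reply to a header for a SpamAssassin rule instead of rejecting, treating only an explicit "no such user" (enhanced status 5.1.1, or equivalent text when no enhanced code is given) as a verification failure so that other 5xx replies are not misread the way the post describes. The `Verdict` names, the `X-SAV-Result` header, and every sample reply are constructed for this example.

```python
"""SPF-gated sender address verification (SAV) reply classifier.
Added example; not MIMEDefang code. Header name, verdict names and all
sample SMTP replies below are constructed for illustration."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    SKIP = "skip"                  # SPF not 'pass': no callout is made at all
    DELIVERABLE = "deliverable"    # 2xx to RCPT TO
    NO_SUCH_USER = "no_such_user"  # the only outcome that earns a SAV tag
    OTHER_REJECT = "other_reject"  # other 5xx: policy, disabled mailbox, our IP blocked...
    TEMPFAIL = "tempfail"          # 4xx: greylisting or load, says nothing about the address


@dataclass
class SmtpReply:
    code: int
    enhanced: Optional[str]   # RFC 3463 enhanced status code such as "5.1.1", if present
    text: str


# "550-5.1.1 text" continuation lines use '-', the final line of a reply uses ' '
REPLY_LINE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")


def parse_reply(raw: str) -> SmtpReply:
    """Parse a possibly multi-line SMTP reply; reject malformed or truncated ones."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    code, enhanced, texts = None, None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, esc, text = m.groups()
        if code is None:
            code = int(c)
        elif int(c) != code:
            raise ValueError("reply code changed between lines")
        if enhanced is None and esc:
            enhanced = esc
        texts.append(text)
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("bad continuation marker (truncated or run-on reply)")
    return SmtpReply(code, enhanced, " ".join(texts))


# Free-text fallback for servers that send no enhanced status code. Kept narrow on
# purpose: generic phrases like "mailbox unavailable" are also used for policy rejects.
USER_UNKNOWN_TEXT = re.compile(
    r"\b(user unknown|unknown user|no such user|no such recipient|does not exist)\b", re.I)


def classify_rcpt_reply(reply: SmtpReply) -> Verdict:
    """Map an RCPT TO reply to a verdict. Any 5xx that is not clearly 'no such
    user' becomes OTHER_REJECT instead of being counted against the sender."""
    if 200 <= reply.code < 300:
        return Verdict.DELIVERABLE
    if 400 <= reply.code < 500:
        return Verdict.TEMPFAIL
    if 500 <= reply.code < 600:
        if reply.enhanced is not None:
            # Trust the structured code: only 5.1.1 means "bad destination mailbox".
            return Verdict.NO_SUCH_USER if reply.enhanced == "5.1.1" else Verdict.OTHER_REJECT
        return Verdict.NO_SUCH_USER if USER_UNKNOWN_TEXT.search(reply.text) else Verdict.OTHER_REJECT
    raise ValueError(f"unexpected SMTP reply code {reply.code}")


def sav_decision(spf_result: str, callout: Callable[[], str]) -> Verdict:
    """Gate the callout on SPF: only a 'pass' result justifies probing the sender
    domain's MX. Otherwise return SKIP without invoking `callout` at all."""
    if spf_result.strip().lower() != "pass":
        return Verdict.SKIP
    return classify_rcpt_reply(parse_reply(callout()))


def sav_header(verdict: Verdict) -> str:
    """Tag-and-filter: emit a header for a SpamAssassin rule rather than rejecting."""
    return f"X-SAV-Result: {verdict.value}"


if __name__ == "__main__":
    # Constructed sample replies, not captured from any real server.
    samples = {
        "user unknown (enhanced)": "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown",
        "multi-line policy reject": "550-5.7.1 Service unavailable\r\n550 5.7.1 Client host blocked",
        "legacy text, no ESC": "550 No such user here",
        "greylisted": "451 4.7.1 Please try again later",
    }
    for label, raw in samples.items():
        print(f"{label:28s} -> {sav_header(classify_rcpt_reply(parse_reply(raw)))}")
    # SPF softfail: the callout is never made, whatever it would have answered.
    print(sav_header(sav_decision("softfail", lambda: "550 5.1.1 never asked")))
```

The header is the only output; scoring it is left to a SpamAssassin rule, so a misclassified reply costs a few points rather than a bounced message, and a `tempfail` or `other_reject` verdict can be scored at zero.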