[Mimedefang] Sender Address Verification

Bill Cole mdlist-20140424 at billmail.scconsult.com
Tue Nov 22 13:55:51 EST 2016


On 19 Nov 2016, at 7:01, Simon Standley wrote:

> Guys,
>
> In conversations on this list in days gone by, I seem to recall sender 
> address verification via the likes of smf-sav milter, or through 
> mimedefang, was considered evil heresy, likely to get you blacklisted.

Yes. For good reason. If you ever have random addresses in a domain you 
handle forged on a big spam run aimed at one of the few sites still 
doing SAV, you'll understand why. Some years ago miscreants could (and 
did) use Verizon's SAV-ing mail system as a tool of reflection DDoS 
attacks.

> Recently though, I've seen an increasing number of recipients do this 
> kind of thing when we send mail out, and personally I've always liked 
> the idea.

And yet indiscriminate SAV remains a fundamentally abusive practice, 
unchanged by how much of it you see or what you think of it...

SAV is a mechanism for offloading your anti-spam work to random innocent 
victims of forgery. You can mitigate that abuse to a great extent by 
only doing SAV when a SPF check of the sender domain returns an 
affirmative result, but when you restrict your use of SAV to that degree 
you sharply reduce the ratios of repudiation to verification AND of 
correct repudiation to incorrect repudiation. Or in simpler terms: it 
becomes less useful and less accurate. Doing SAV on an address that 
fails or softfails a SPF check is lazy and abusive.

> For this reason, I've been trying out various schemes on a test 
> domain, and find tagging mail which cannot be replied to (for reason 
> of non-existent user, rather than broken DNS) for later 'mark-up' by 
> SpamAssassin, works quite well.

Can you quantify that "quite well?" How often is the SAV tag decisive in 
catching spam?

> I was wondering what current thoughts were re- this kind of approach, 
> and if anyone else had good/bad results to share?

I help run a mail system where the ultimate policy authority had been an 
unmovable fan of SAV for many years, despite my insistence that it was 
JUST WRONG and not really very useful as an adjunct to SA because 
forging undeliverable senders is an obsolete tactic of shoddy spammers 
whose crap is mostly going to score in double digits anyway, with much 
of the rest still triggering SA autolearning as spam. After 2 years of 
pleading, I got him to accept tag+filter SAV instead of outright 
rejection. This revealed that not only was I correct in my prediction 
(the SAV rule was never decisive in a correct SA 'spam' determination in 
the course of 6 weeks) but that the SAV implementation was flawed, 
interpreting some 5xx replies to RCPT as "no such user" incorrectly and 
causing incorrect classification as spam. This got worse in week 7, when 
the IP address used for SAV did in fact land on some blacklists because 
one or more of the addresses it tried to test were spamtraps.
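Two points in the reply above lend themselves to a worked example: probing only when the sender domain's SPF result is "pass", and the implementation flaw of reading every 5xx reply to RCPT TO as "no such user". The Python below is an added illustration, not code from MIMEDefang, smf-sav or the poster; the SPF result is assumed to come from an earlier step in the milter chain and is passed in as a string, the probe itself is abstracted as a callable, and every sample reply line is constructed for the example rather than captured from a real server. The careful classifier trusts RFC 3463 enhanced status codes first (5.1.1 and friends mean the mailbox; 5.7.x means policy, such as the probing host being listed on a blocklist) and falls back to textual hints only when no enhanced code was sent.

```python
import re

# First line of an SMTP reply: 3-digit code, space or '-' (multi-line reply),
# optional enhanced status code (RFC 3463 class.subject.detail), then free text.
_REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")

# Enhanced codes that describe the destination mailbox itself: RFC 3463 X.1.1
# (bad destination mailbox address), X.1.3 (bad mailbox syntax), X.1.6
# (mailbox has moved), X.2.1 (mailbox disabled).
_MAILBOX_UNKNOWN = {"5.1.1", "5.1.3", "5.1.6", "5.2.1"}
# Textual hints, consulted only when the server sent no enhanced status code.
_TEXT_HINTS = ("user unknown", "no such user", "unknown user",
               "unknown recipient", "recipient unknown", "does not exist")

# Constructed sample RCPT TO replies (not captured from any real server).
SAMPLES = [
    "250 2.1.5 OK",
    "550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown",
    "550-5.1.1 The email account that you tried to reach does not exist.\n"
    "550 5.1.1 Please check the address for typos.",
    "550 5.7.1 Service unavailable; client host [192.0.2.10] listed in a DNSBL",
    "554 5.7.1 <probe@example.net>: Sender address rejected: Access denied",
    "550 No such user here",
    "550 Relaying denied",
    "450 4.2.0 Greylisted, try again later",
    "452 4.2.2 Mailbox full",
]


def parse_reply(reply):
    """Return (code, enhanced_or_None, text) for a one- or multi-line reply."""
    lines = reply.strip().splitlines()
    m = _REPLY_RE.match(lines[0])
    if not m:
        raise ValueError("not an SMTP reply: %r" % lines[0])
    code, enhanced, text = int(m.group(1)), m.group(2), m.group(3)
    for extra in lines[1:]:               # fold continuation-line text in
        em = _REPLY_RE.match(extra)
        text += " " + (em.group(3) if em else extra)
    return code, enhanced, text


def naive_classify(reply):
    """The flawed logic described above: every 5xx reply means 'no such user'."""
    code, _, _ = parse_reply(reply)
    return "no_such_user" if code >= 500 else "ok"


def classify_rcpt_reply(reply):
    """Careful classification of a RCPT TO reply from the sender domain's MX.

    deliverable    2xx: the address was accepted (or the MX accepts anything)
    tempfail       4xx: no information either way
    no_such_user   5xx with evidence that the mailbox itself is unknown
    policy_reject  5xx about policy or security (5.7.x), e.g. the probing host
                   is on a blocklist: says nothing about the mailbox
    unverifiable   any other 5xx: permanent, but not about the mailbox
    """
    code, enhanced, text = parse_reply(reply)
    if 200 <= code < 300:
        return "deliverable"
    if 400 <= code < 500:
        return "tempfail"
    if code < 500:
        return "unverifiable"
    if enhanced is not None:
        if enhanced in _MAILBOX_UNKNOWN:
            return "no_such_user"
        if enhanced.startswith("5.7."):
            return "policy_reject"
        return "unverifiable"
    lowered = text.lower()
    if any(hint in lowered for hint in _TEXT_HINTS):
        return "no_such_user"
    return "unverifiable"


def sav_tag(spf_result, probe):
    """Decide whether to add a header for SpamAssassin to score (tag, not reject).

    spf_result is the SPF result for the envelope sender's domain, assumed to
    have been computed earlier in the milter chain ("pass", "fail", "softfail",
    "none", ...).  probe is a callable that performs the RCPT TO probe and
    returns the raw reply; it is only invoked when SPF passed, so a forged
    domain never receives our verification traffic.  Only a no_such_user
    verdict produces a tag: tagging on policy rejections is how the probing
    host's own blocklist listing turns into false positives.
    """
    if spf_result != "pass":
        return None
    verdict = classify_rcpt_reply(probe())
    return "X-SAV-Result: no-such-user" if verdict == "no_such_user" else None


def compare(samples=SAMPLES):
    """Side-by-side verdicts: (reply first line, naive, careful)."""
    return [(s.splitlines()[0], naive_classify(s), classify_rcpt_reply(s))
            for s in samples]


if __name__ == "__main__":
    for first_line, naive, careful in compare():
        flag = "  <-- naive misreads" if (naive == "no_such_user"
                                          and careful != naive) else ""
        print("%-60s naive=%-13s careful=%s%s"
              % (first_line[:60], naive, careful, flag))
```

Running the script shows the two 5.7.x samples and "550 Relaying denied" being called "no_such_user" by the naive rule while the careful classifier reports policy_reject or unverifiable; those are exactly the replies that would feed a wrong spam score, and a probing host that has landed on a DNSBL produces them for every domain it tests.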
