On Sat, Dec 30, 2006 at 05:14:30PM +0100, Francois Petillon wrote:
> As we have started to collect stats, out of 1K connections, there are from
> 30 to 50 connections that look like sender verify. This is quite low right
> now but it could be harmful on big domains if more people use it.

Yes. Just like any other large amount of traffic could be harmful on big
domains.

> you are using someone else's resources to fight spam.

That's certainly true. But, come to think of it, using someone else's
resources is not really a taboo on the Internet. We all participate in such
things, almost constantly. Whenever I make a connection to a site, that site
has to spend resources to answer me (even if the answer is a rejection). If I
resolve a domain, this takes a toll on the entire DNS infrastructure leading
up to the desired domain. I use a search engine, whose crawler bot most
probably spent gobs of resources on countless sites in order to get me search
results. I suppose we could just go about being unusually thrifty and use only
our own resources in anti-spam, but these days even content filtering from
SpamAssassin is fairly inadequate without a number of checks in remote
databases.

I guess the counter-argument could be: all those services are explicitly
created in order to voluntarily serve requests, but nobody volunteered their
server to answer sender verification requests. Yet, a sender verification
request is nothing but a three-command SMTP conversation. If someone puts an
SMTP server online, and connects it via DNS, it's not exactly strange that
other people talk to it.

> Second, spammers may adapt in an annoying way (either they will use
> domains that always answer a 2xx to rcpt to, or they will use verified
> emails).

Some of them actually already do that, all the time, for years now.

> >Also, sender verification when seen from the side of the victims is
> >indistinguishable from a dictionary attack, and may cause deliverability
> >issues to the hosts attempting it.
>
> I confirm it: we already have blacklisted IPs as they were issuing too
> many rcpt-to on non-existent emails. These were due to sender
> verifications...

You choose to ban those, just like someone else chooses to ban deliveries
from unverifiable senders.
There's nothing particularly strange there.

-- 
2. That which causes joy or happiness.