    I'm beginning to think that mailback validation as an anti-spam 
    technique has been beaten. Worse, I think there are now spam systems 
    written that will beat them in an automated way.

    ...

    I've felt for a while that the list community was way too comfortable 
    with mailbacks as "safe and unbeatable". I'm now seeing what I think 
    is evidence that this is no longer true. And I'm afraid that because 
    we have sat back and not innovated here, we're going to end up behind 
    the eight ball. And I don't see any easy answers if I'm right -- only 
    that if I am wrong, I won't be wrong forever.

I agree with you in principle but not in practice.  In other words, I am
absolutely certain that as long as it is free, both in cost and lack of
access control, to originate email, spam will always exist.  In that
context, there is no safe and unbeatable anti-spam technique and I agree
with you.

However, in practice, as with all undesirable behaviors, there is this
cat-and-mouse game between those who practice undesirable behavior and
those who seek to ameliorate it.  What you're seeing has always been a
threat.  It was only a matter of time before the spammers figured it out
and "got organized" about exploiting it.  At issue is service providers
who forget they're playing the game.

Now I'll make your day with an equally difficult related problem,
perhaps worse depending on what MLM system you use.  What I'm seeing a
lot of (me being eList eXpress <http://www.elistx.com>) is forged SMTP
MAIL FROM addresses.  You see, for access control purposes, that's the
address my system uses.  What's happening is the domain part of the
address in the MAIL FROM and the message headers are themselves equal
and do represent legitimate subscribers, but they do not match the
source of the message (SMTP peer) and in fact the message is
illegitimate.  (Of course, more insidious is the fact that this scenario
may be completely legitimate, for many reasons left as an exercise to
the reader.)

In this situation the spammers don't even need an email account.  They
just need a little tool, which is almost trivial to write in Perl.

I think that mailback validation is an important and essential tool in
the fight against spam.  But neither it nor any technique currently
available is sufficient.  Security and safety are, and always have been,
a full-time job.  They are a journey, not a destination, and anyone
(especially a service provider) who forgets that is, at best, doomed to
relive history; at worst, they will fail.

Jim
--
The Cure for What (M)ails You: <http://www.elistx.com>
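The forged MAIL FROM scenario Jim describes can be checked at the list server by comparing the SMTP peer against the sources known to send mail for the envelope sender's domain. The following is an added illustration, not code from the post or from eList eXpress; the subscriber set and the per-domain source networks are constructed sample data, and the "hold rather than reject" disposition reflects the post's caveat that a mismatch can be legitimate (e.g. forwarding).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumption, not from the original post): subscribers of a
# hypothetical list, and the networks each subscriber domain's own outbound mail
# servers are known to use (e.g. taken from the domain's published sender policy).
SUBSCRIBERS = {"alice@example.com", "bob@example.org"}
AUTHORIZED_SOURCES = {
    "example.com": [ipaddress.ip_network("192.0.2.0/24")],
    "example.org": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class Envelope:
    peer_ip: str      # address of the connecting SMTP client
    mail_from: str    # SMTP MAIL FROM (envelope sender) used for access control
    header_from: str  # From: header inside the message


def classify(env: Envelope) -> str:
    """Return 'not-subscriber', 'header-mismatch', 'peer-mismatch' or 'accept'."""
    sender = env.mail_from.lower()
    # Plain access control as the post describes it: is MAIL FROM a subscriber?
    if sender not in SUBSCRIBERS:
        return "not-subscriber"
    # In the post's scenario MAIL FROM and the header From agree and name a
    # real subscriber; a disagreement is a different, cheaper-to-spot problem.
    if env.header_from.lower() != sender:
        return "header-mismatch"
    # ...but the SMTP peer is not one of that domain's own mail servers.
    domain = sender.rsplit("@", 1)[1]
    peer = ipaddress.ip_address(env.peer_ip)
    if not any(peer in net for net in AUTHORIZED_SOURCES.get(domain, [])):
        return "peer-mismatch"
    return "accept"


def disposition(env: Envelope) -> str:
    """Map the check result to an MLM action. A peer mismatch is held for a
    moderator rather than rejected, because forwarding and similar setups can
    produce exactly this pattern legitimately."""
    return {
        "accept": "deliver",
        "peer-mismatch": "hold-for-moderation",
        "header-mismatch": "hold-for-moderation",
        "not-subscriber": "reject",
    }[classify(env)]
```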

