TMDA SA
Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Yes. Don't use challenge response. Here is a good write-up/rant about the evils of it. http://linuxmafia.com/faq/Mail/challenge-response.html Bob
RE: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Yes. Don't use challenge response. Here is a good write-up/rant about the evils of it. http://linuxmafia.com/faq/Mail/challenge-response.html Bob I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same Either way I do not intend to use CR- just wondering what, if any, are the diff
Re: TMDA SA
Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same They are completely different animals. In terse summary Challenge Response sends a message to the probably forged sender address on received mail. An innocent victim of a forged message will receive this CR spam. My address is widely dispersed and often appears on forged email. I routinely get CR spam from sites using TMDA. I routinely respond to those challenges to enable the delivery of the original spam and viruses. CR is designed to reduce spam to a particular mailbox at the cost of producing spam to many, many other mailboxes. That is very rude. By contrast sender address verification never generates an email message. It cannot generate spam. What sender address verification does is to probe the address to verify that the sender will receive a bounce if the original message were undeliverable. If they will receive a bounce, without actually generating one, then message delivery continues. If the sender will not receive a bounce then message delivery fails at that point. This is not designed to block forgeries. This is designed to block invalid sender mail addresses. Either way I do not intend to use CR- just wondering what, if any, are the diff When you say TMDA everyone will immediately think challenge response because TMDA's primary functionality is CR. TMDA will also do other things too and some people, a minority, use it for those other features. But the majority use case for TMDA is for challenge response and that is the problem case. Bob
RE: TMDA SA
Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same They are completely different animals. In terse summary Challenge Response sends a message to the probably forged sender address on received mail. An innocent victim of a forged message will receive this CR spam. My address is widely dispersed and often appears on forged email. I routinely get CR spam from sites using TMDA. I routinely respond to those challenges to enable the delivery of the original spam and viruses. CR is designed to reduce spam to a particular mailbox at the cost of producing spam to many, many other mailboxes. That is very rude. By contrast sender address verification never generates an email message. It cannot generate spam. What sender address verification does is to probe the address to verify that the sender will receive a bounce if the original message were undeliverable. If they will receive a bounce, without actually generating one, then message delivery continues. If the sender will not receive a bounce then message delivery fails at that point. This is not designed to block forgeries. This is designed to block invalid sender mail addresses. Either way I do not intend to use CR- just wondering what, if any, are the diff When you say TMDA everyone will immediately think challenge response because TMDA's primary functionality is CR. TMDA will also do other things too and some people, a minority, use it for those other features. But the majority use case for TMDA is for challenge response and that is the problem case. Bob is Sender Address Verification a feasible option? Let me rephrase , does anyone here use it? If not why?
Re: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 TMDA is an acceptable criteria for being blacklisted by spamcop. ie: don't use TMDA, it's evil. It's simply a way of trying to foist your spam filtering problems into someone else's mailbox.
RE: TMDA SA
Hi, if someone sends you lots of crap from a handful of forged addresses, and your verification does not cache results, you might create a lot of connects to innocent systems (and possibly get blacklisted for that) What happens if the other side does the same, and starts a smtp connection to your server in response to your verification attempt? You might get two machines locking up each other. A careful design (verifying at DATA command) would probably avoid that. Both sender address validation and CR may lose valid email I am using address verification but in the context of a web form: if a visitor is supplying an email that seems to be unreachable, he/she would be asked to supply a different one. Wolfgang Hamann Jean-Paul Natola wrote: is Sender Address Verification a feasible option? Let me rephrase , does anyone here use it? If not why?=20
Re: TMDA SA
On 8-Dec-2006, at 12:27, Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same Some articles are written by morons then, as they are in no way the same. The latter is an automated check that the address listed as the sender is a valid address, the former is a prove-you-love-me irritation that, at least when I receive it, goes straight in my trash. Generating more email to try to protect YOUR mailbox at the expense of my time and resources is not cool. Do it often enough and you get listed in my permanent blacklist (I still have hosts in there from 1995). And that doesn't even deal with the issue of perfectly valid, but forged, sender addresses. Prove-you-love-me means you send THEM bucketloads of extra spam. -- Don't be nice. It's Creepy. Tendo Akane