TMDA SA

2006-12-08 Thread Jean-Paul Natola
Is anyone on here using, or have any comments/feedback regarding the use of
TMDA  SA ?

http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29

Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: TMDA SA

2006-12-08 Thread Bob Proulx
Jean-Paul Natola wrote:
> Is anyone on here using, or have any comments/feedback regarding the use of
> TMDA  SA ?
>
> http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29

Yes.  Don't use challenge response.  Here is a good write-up/rant
about the evils of it.

  http://linuxmafia.com/faq/Mail/challenge-response.html

Bob


RE: TMDA SA

2006-12-08 Thread Jean-Paul Natola

> Jean-Paul Natola wrote:
> > Is anyone on here using, or have any comments/feedback regarding the use of
> > TMDA  SA ?
> >
> > http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29
>
> Yes.  Don't use challenge response.  Here is a good write-up/rant
> about the evils of it.
>
> http://linuxmafia.com/faq/Mail/challenge-response.html
>
> Bob

I'm a bit confused here (what else is new): is there a difference between
Challenge-Response and Sender address Verification?

Some articles say they are two different animals, others say yes they are
the same.

Either way I do not intend to use CR - just wondering what, if any, are the
diff




Re: TMDA SA

2006-12-08 Thread Bob Proulx
Jean-Paul Natola wrote:
> I'm a bit confused here (what else is new) is there a difference between
> Challenge-Response  and Sender address Verification?
>
> Some articles say they are two -different animals other say yes they are
> the same

They are completely different animals.

In terse summary Challenge Response sends a message to the probably
forged sender address on received mail.  An innocent victim of a
forged message will receive this CR spam.  My address is widely
dispersed and often appears on forged email.  I routinely get CR spam
from sites using TMDA.  I routinely respond to those challenges to
enable the delivery of the original spam and viruses.  CR is designed
to reduce spam to a particular mailbox at the cost of producing spam
to many, many other mailboxes.  That is very rude.

By contrast sender address verification never generates an email
message.  It cannot generate spam.  What sender address verification
does is to probe the address to verify that the sender will receive a
bounce if the original message were undeliverable.  If they will
receive a bounce, without actually generating one, then message
delivery continues.  If the sender will not receive a bounce then
message delivery fails at that point.  This is not designed to block
forgeries.  This is designed to block invalid sender mail addresses.

> Either way I do not intend to use CR- just wondering what, if any, are the
> diff

When you say TMDA everyone will immediately think challenge response
because TMDA's primary functionality is CR.  TMDA will also do other
things too and some people, a minority, use it for those other
features.  But the majority use case for TMDA is for challenge
response and that is the problem case.

Bob


RE: TMDA SA

2006-12-08 Thread Jean-Paul Natola


> Jean-Paul Natola wrote:
> > I'm a bit confused here (what else is new) is there a difference between
> > Challenge-Response  and Sender address Verification?
> >
> > Some articles say they are two -different animals other say yes they are
> > the same
>
> They are completely different animals.
>
> In terse summary Challenge Response sends a message to the probably
> forged sender address on received mail.  An innocent victim of a
> forged message will receive this CR spam.  My address is widely
> dispersed and often appears on forged email.  I routinely get CR spam
> from sites using TMDA.  I routinely respond to those challenges to
> enable the delivery of the original spam and viruses.  CR is designed
> to reduce spam to a particular mailbox at the cost of producing spam
> to many, many other mailboxes.  That is very rude.
>
> By contrast sender address verification never generates an email
> message.  It cannot generate spam.  What sender address verification
> does is to probe the address to verify that the sender will receive a
> bounce if the original message were undeliverable.  If they will
> receive a bounce, without actually generating one, then message
> delivery continues.  If the sender will not receive a bounce then
> message delivery fails at that point.  This is not designed to block
> forgeries.  This is designed to block invalid sender mail addresses.
>
> > Either way I do not intend to use CR- just wondering what, if any, are the
> > diff
>
> When you say TMDA everyone will immediately think challenge response
> because TMDA's primary functionality is CR.  TMDA will also do other
> things too and some people, a minority, use it for those other
> features.  But the majority use case for TMDA is for challenge
> response and that is the problem case.
>
> Bob

Is Sender Address Verification a feasible option? Let me rephrase, does
anyone here use it? If not, why?


Re: TMDA SA

2006-12-08 Thread Matt Kettler
Jean-Paul Natola wrote:
> Is anyone on here using, or have any comments/feedback regarding the use of
> TMDA  SA ?
>
> http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29
   

TMDA is an acceptable criteria for being blacklisted by spamcop.

ie: don't use TMDA, it's evil. It's simply a way of trying to foist your
spam filtering problems into someone else's mailbox.


RE: TMDA SA

2006-12-08 Thread hamann . w

Hi,

If someone sends you lots of crap from a handful of forged addresses, and
your verification does not cache results, you might create a lot of
connects to innocent systems (and possibly get blacklisted for that).

What happens if the other side does the same, and starts an SMTP connection
to your server in response to your verification attempt? You might get two
machines locking up each other.
A careful design (verifying at DATA command) would probably avoid that.

Both sender address validation and CR may lose valid email.

I am using address verification but in the context of a web form: if a
visitor is supplying an email that seems to be unreachable, he/she would be
asked to supply a different one.

Wolfgang Hamann

Jean-Paul Natola wrote:
> is Sender Address Verification a feasible option? Let me rephrase , does
> anyone here use it? If not why?
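
Added example, not part of any poster's message or of any mail server's own code: a Python sketch of the sender address verification probe described earlier in the thread (null sender, stop after RCPT, no message sent), wrapped in the result cache the message above says is needed. The `mx_host` parameter, the HELO name, the TTL values and the sample addresses are assumptions constructed for illustration.

```python
import smtplib
import time

def smtp_probe(address, mx_host, helo_name="verifier.example.org"):
    """Callout: would mx_host accept a bounce addressed to `address`? Stops after
    RCPT, so no message is sent. Returns True, False (5xx) or None (unknown)."""
    try:
        with smtplib.SMTP(mx_host, 25, local_hostname=helo_name, timeout=30) as s:
            s.ehlo_or_helo_if_needed()
            if s.mail("")[0] != 250:      # MAIL FROM:<>, the null sender a bounce uses
                return None
            code = s.rcpt(address)[0]     # the answer we came for; QUIT follows
    except (OSError, smtplib.SMTPException):
        return None
    if 200 <= code < 300:
        return True
    return False if 500 <= code < 600 else None

class CachedSenderVerifier:
    """Caches callout results so a repeated forged sender costs one probe, not one per message."""
    def __init__(self, probe, ok_ttl=7 * 86400, bad_ttl=3 * 3600, unknown_ttl=300,
                 clock=time.time):        # TTLs (seconds) are assumed values
        self.probe, self.clock = probe, clock
        self.ttl = {True: ok_ttl, False: bad_ttl, None: unknown_ttl}
        self.cache, self.probes = {}, 0

    def check(self, address):
        if not address:                   # null sender (a bounce): nothing to verify
            return True
        local, _, domain = address.strip().rpartition("@")
        key = f"{local}@{domain.lower()}" # only the domain is case-insensitive
        hit = self.cache.get(key)
        if hit and hit[1] > self.clock():
            return hit[0]
        result = self.probe(key)
        self.probes += 1
        self.cache[key] = (result, self.clock() + self.ttl[result])
        return result

def demo():
    # Constructed input: 900 messages forged from three sender addresses.
    answers = {"alice@example.net": True, "ghost@example.net": False, "busy@example.net": None}
    now = [0.0]
    v = CachedSenderVerifier(answers.get, clock=lambda: now[0])
    burst = [v.check(a) for a in list(answers) * 300]
    burst_probes = v.probes
    now[0] += 4 * 3600                    # bad_ttl has expired, ok_ttl has not
    v.check("ghost@example.net"), v.check("alice@example.net")
    return burst[:3], burst_probes, v.probes
```

In `demo()` the 900-message burst causes three outbound probes instead of 900. To probe a real host, pass something like `lambda a: smtp_probe(a, mx_host)` as `probe`, with the MX lookup done separately.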






Re: TMDA SA

2006-12-08 Thread LuKreme

On 8-Dec-2006, at 12:27, Jean-Paul Natola wrote:
> I'm a bit confused here (what else is new) is there a difference between
> Challenge-Response  and Sender address Verification?
>
> Some articles say they are two -different animals other say yes they are
> the same


Some articles are written by morons then, as they are in no way the  
same.  The latter is an automated check that the address listed as  
the sender is a valid address, the former is a prove-you-love-me  
irritation that, at least when I receive it, goes straight in my  
trash.  Generating more email to try to protect YOUR mailbox at the  
expense of my time and resources is not cool.  Do it often enough and  
you get listed in my permanent blacklist (I still have hosts in there  
from 1995).


And that doesn't even deal with the issue of perfectly valid, but  
forged, sender addresses.  Prove-you-love-me means you send THEM  
bucketloads of extra spam.


--
Don't be nice.  It's Creepy.  Tendo Akane