Kyle Hasselbacher <[EMAIL PROTECTED]> writes: > I think SPF is great. I think if more sites heeded SPF records I > wouldn't get more bogus bounces than spam, but I'm just guessing.
I wasn't referring to SPF. Sender address verification is something different. See for example http://www.porcupine.org/postfix-mirror/newdoc/ADDRESS_VERIFICATION_README.html An implementation for TMDA is included in the the distribution (contrib/smtp-check-sender). > I think also that the situation that SMTP-based C/R works "better" for is > this: > > * Spammer forges from a working address. > * Spammer connects directly to the victim's mail server. > > When both of those are true, TMDA sends a challenge to someone who didn't > ask for it, but SMTP-based C/R doesn't. Agreed. The question is whether these fringe cases are worth the additional complexity and difficulty of integration and installation, not to mention the unforseen problems and gotchas. > As you note, sender verification can solve the unwanted challenge > problem for TMDA (and, incidentally, for SMTP C/R also). Yup. > If the spammer forges from a broken address, the difference between > the methods is that TMDA makes it look as if the message was > delivered. With SMTP C/R, the spammer sees a rejection. This assumes the spammer sits around looking at all these rejections. I'm not convinved this is the case. > Yeah, except TMDA's challenges are easier to read and to answer. Which is pretty darned important. _____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
