> Are you doing C/R at the SMTP level? > > The current TMDA scheme works because the challenge is sent to the > "from" address (I use from loosely), which is usually not the spammer, > so the spammer never acquires the "secret". > > If we reject at the SMTP level, the rejection reason is sent to the > spammer, so if it is a secret (cryptographically secured email address), > we have just given the secret to the spammer. > > So if you want C/R at the SMTP level you need a different type of > challenge entirely.
The challenge would come from the upstream SMTP server, not TMDA, so the e-mail address in the challenge header would not be generated by TMDA. A CAPTCHA URL verification system would work though.
--
James Thornton _____________________________________________ Internet Consultant, http://jamesthornton.com
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
