On Fri, 23 Jul 2004, Kyle Hasselbacher wrote:

> >Bounces (as opposed to replies, like TMDA sends) are no problem if you
> >use SES (SRS for local mail). Forged bounces (mail from <>) are immediately
> >detected by a missing or invalid SRS crypto cookie, and rejected before DATA.
>
> If you have any method of stopping "forged bounces," it works on TMDA
> responses. They're the same in a few important ways:
>
> * MAIL FROM <>
> * Sent to the envelope sender of the message it's responding to.
> * Has References, In-Reply-To, Precedence: bulk, and
>   Auto-Submitted: auto-replied
>
> When I wrote my filter to weed out the thousands of bad bounces I get in a
> day, I didn't have TMDA in mind. Its messages just fell in there on their
> own. And, as a bonus, I still get REAL bounces and challenges back.

Ahh. I may be unfairly maligning TMDA, the specific product, as opposed to
the general concept of sending confirmation emails. I had mentioned TMDA as
part of a general rant about all the unsolicited replies and notifications
in my mailbox. But if TMDA (the product) sends a DSN (Delivery Status
Notification) rather than a reply, then it is not one of the culprits.
DSNs to forged messages are automatically blocked by SES without anyone
having to check SPF.

Here is an example of a bogus, non-RFC-conforming reply (which should have
been a DSN) from a spamming "spam filter" which arrived in my mailbox as I
was typing this:

------------------
Date: Sat, 24 Jul 2004 05:51:16 +0900
From: vbCity Mail Server <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [vbCity][Not delivered] Re:

Dear [EMAIL PROTECTED],

===> IMPORTANT! YOUR MESSAGE WAS NOT DELIVERED TO THE RECIPIENT <===

Recipient : [EMAIL PROTECTED]
Subject :
Sent On : Sat, 24 Jul 2004 05:51:16 +0900
Reason : Message has been identified as SPAM (Spam Probability - 50%)

Your message exceeded this user's spam threshold. Thus, your message was
rejected. If this is a valid message, please follow this URL ...

etc etc blah blah blah for several more pages of spam advertising
-------------

In this case, I figure I'll probably never want to actually send mail to
vbcity.com, so into the spam bucket it goes.

> I'm not sure what SES is, so maybe I'm missing something. Can you
> elaborate?

http://spf.pobox.com/srs.html

SRS (Sender Rewriting Scheme) is a system to make SPF work with forwarding.
Forwarders rewrite the sender (mail from) in a way that lets them retrieve
the original sender to forward bounces. The system includes a crypto cookie
to prevent spammers from using SRS as a new kind of open relay.

As a side benefit, the original sender can apply SRS to outgoing mail, even
though it is not strictly needed. Any DSNs (bounces, i.e. mail from <>)
which do not have a valid cookie are then rejected as forgeries. When the
original sender does this, or uses a similar scheme, it is called SES
(Signed Envelope Sender). It protects the sender from forged DSNs.

While any system will work for SES, it is helpful to use a system that
allows other mailers to extract the original sender. Using SRS at the
original sender as an SES scheme fits that goal.

-- 
Stuart D. Gathman <[EMAIL PROTECTED]>
Business Management Systems Inc.  Phone: 703 591-0911  Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
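The SRS rewrite and cookie check described in the message above, as an added example that is not part of the original post, of TMDA, or of any real SRS library. It is a toy Python rewriter that follows the SRS0 address layout (SRS0=cookie=timestamp=original-domain=original-local@our-domain), using an HMAC-SHA1 cookie truncated to four base64 characters and a two-character base32 day counter, together with the SES-style policy: a message with a null MAIL FROM (a DSN) must be addressed to one of our own SRS0 addresses carrying a valid, unexpired cookie, or it is rejected at RCPT TO, before DATA. The secret, the domain names, the 21-day validity window, the hash length and the injectable clock are all assumptions chosen for illustration.

```python
"""Toy SRS0 rewriter with a crypto cookie, plus an SES-style bounce check.

Added example; not code from the original message or any SRS implementation.
"""
import base64
import hashlib
import hmac
import time

# SRS timestamp alphabet (base32, RFC 4648 characters). Two characters encode
# the day count modulo 1024, so a cookie's timestamp wraps every ~2.8 years.
SRS_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


class SRS:
    """Forward-rewrite senders into SRS0 form and reverse them, checking the cookie."""

    def __init__(self, secret: bytes, local_domain: str, max_age_days: int = 21,
                 hash_len: int = 4, clock=time.time):
        # max_age_days=21 and hash_len=4 are assumed values, not a standard.
        self.secret = secret
        self.local_domain = local_domain.lower()
        self.max_age_days = max_age_days
        self.hash_len = hash_len
        self.clock = clock  # injectable so expiry can be tested deterministically

    def _days(self) -> int:
        return int(self.clock() // 86400)

    def _timestamp(self) -> str:
        d = self._days() % 1024
        return SRS_B32[(d >> 5) & 31] + SRS_B32[d & 31]

    @staticmethod
    def _decode_timestamp(ts: str) -> int:
        if len(ts) != 2:
            raise ValueError("malformed timestamp")
        try:
            return (SRS_B32.index(ts[0].upper()) << 5) | SRS_B32.index(ts[1].upper())
        except ValueError:
            raise ValueError("malformed timestamp") from None

    def _cookie(self, ts: str, domain: str, local: str) -> str:
        # HMAC over timestamp, original domain and original local part. The
        # input is lower-cased because MTAs on the path may case-fold addresses.
        msg = "=".join((ts, domain, local)).lower().encode()
        mac = hmac.new(self.secret, msg, hashlib.sha1).digest()
        return base64.b64encode(mac).decode()[: self.hash_len]

    def forward(self, sender: str) -> str:
        """Rewrite local@domain into SRS0=cookie=ts=domain=local@our-domain."""
        local, sep, domain = sender.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError("sender must be local@domain")
        ts = self._timestamp()
        cookie = self._cookie(ts, domain, local)
        return f"SRS0={cookie}={ts}={domain}={local}@{self.local_domain}"

    def reverse(self, address: str) -> str:
        """Recover the original sender; raise ValueError on any forgery sign."""
        local, sep, domain = address.rpartition("@")
        if not sep or domain.lower() != self.local_domain:
            raise ValueError("not an address at our domain")
        if not local.upper().startswith("SRS0="):
            raise ValueError("not an SRS0 address")
        try:
            _, cookie, ts, orig_domain, orig_local = local.split("=", 4)
        except ValueError:
            raise ValueError("malformed SRS0 address") from None
        age = (self._days() - self._decode_timestamp(ts)) % 1024
        if age > self.max_age_days:
            raise ValueError("SRS cookie expired")
        expected = self._cookie(ts, orig_domain, orig_local)
        # Constant-time, case-insensitive comparison (the cookie may be case-folded).
        if not hmac.compare_digest(expected.lower().encode(), cookie.lower().encode()):
            raise ValueError("invalid SRS cookie")
        return f"{orig_local}@{orig_domain}"


def accept_bounce(srs: SRS, mail_from: str, rcpt_to: str) -> tuple:
    """SES policy at RCPT TO: a null-sender message (DSN) is accepted only if it
    is addressed to one of our SRS0 addresses with a valid cookie."""
    if mail_from != "":
        return True, "not a DSN; SES check does not apply"
    try:
        original = srs.reverse(rcpt_to)
    except ValueError as exc:
        return False, f"550 5.7.1 forged bounce rejected: {exc}"
    return True, f"DSN for {original}"
```

A forged bounce aimed at the plain address, an address whose cookie was computed under another secret, an address older than the validity window, and a cookie that does not match the original local part are all refused before DATA, which is the SES property the message describes. Note what the check does not cover: the vbCity-style "not delivered" reply above carries a real MAIL FROM rather than <>, so it never reaches the SES test and has to be caught as ordinary spam instead.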
