Jean-Paul Natola wrote: > I'm a bit confused here (what else is new) is there a difference between > Challenge-Response and Sender address Verification? > > Some articles say "they are two -different animals" other say "yes they are > the same"
They are completely different animals. In terse summary Challenge Response sends a message to the probably forged sender address on received mail. An innocent victim of a forged message will receive this CR spam. My address is widely dispersed and often appears on forged email. I routinely get CR spam from sites using TMDA. I routinely respond to those challenges to enable the delivery of the original spam and viruses. CR is designed to reduce spam to a particular mailbox at the cost of producing spam to many, many other mailboxes. That is very rude. By contrast sender address verification never generates an email message. It cannot generate spam. What sender address verification does is to probe the address to verify that the sender will receive a bounce if the original message were undeliverable. If they will receive a bounce, without actually generating one, then message delivery continues. If the sender will not receive a bounce then message delivery fails at that point. This is not designed to block forgeries. This is designed to block invalid sender mail addresses. > Either way I do not intend to use CR- just wondering what, if any, are the > diff When you say TMDA everyone will immediately think challenge response because TMDA's primary functionality is CR. TMDA will also do other things too and some people, a minority, use it for those other features. But the majority use case for TMDA is for challenge response and that is the problem case. Bob
