Charles Gregory wrote:
> On Fri, 24 Apr 2009, Adam Katz wrote:
>> I read recently that that's a Bad Thing (and I'm leaning on agreeing):
>> http://www.backscatterer.org/?target=sendercallouts
>
> The most compelling argument on that site is one that almost slips by
> unnoticed. A spammer could very well forge a honeypot as a sender
> address, causing my system to 'send mail' (a verify) to a honeypot, and
> possibly get blacklisted. And this would also open up a way for spammers
> to 'poison' honeypots by having them blacklist so many legitimate
> servers that the blacklists have to be thrown out.... Ouch.
Actually, that's referring to backscatter itself. You should never send bounce messages, challenge-response, vacation messages, or other automated responses to external accounts via email. It should be done with SMTP codes during the initial transaction. See:

http://www.spamcop.net/fom-serve/cache/329.html
http://en.wikipedia.org/wiki/Backscatter_spam

and of course, the rest of the www.backscatterer.org site.

The more pressing point (since fixing the one you mentioned is pretty simple) is that when you use a call to a sender's MX record and either use SMTP's VRFY command or pretend to begin a message, you're wasting their bandwidth and even acting like a spammer yourself. In extreme cases, this is also an accidental DDoS attack. A spammer aware of such mechanisms can use SAV-enabled servers LIKE YOURS to purposefully launch DDoS attacks against whomever they're forging.
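To make the "reject with SMTP codes during the transaction, never bounce afterwards" point concrete, here is an added toy model of a receiving MTA (example code written for this thread, not taken from any MTA or from the posters). It walks one message through two policies: a 5xx at RCPT TO, where the connecting client owns the failure, versus accept-then-bounce, where the MTA manufactures a DSN addressed to whatever envelope sender the client claimed. The addresses, user list and policy names are constructed for the example.

```python
"""Toy model of how an MTA turns away undeliverable mail, and which policy
creates backscatter. Constructed example, not a real SMTP implementation."""
from dataclasses import dataclass, field

SMTP_OK = "250 OK"
SMTP_REJECT_USER = "550 5.1.1 No such user"

# Constructed sample data: a local user list and a forged envelope sender.
LOCAL_USERS = {"alice@example.test", "bob@example.test"}
FORGED_SENDER = "innocent@victim.example.test"


@dataclass
class Outcome:
    responses: list = field(default_factory=list)  # (command, reply) pairs sent to the client
    delivered: list = field(default_factory=list)  # mail accepted into local mailboxes
    bounces: list = field(default_factory=list)    # DSNs the MTA would send out afterwards


def run_session(envelope_from, rcpt_to, body, local_users, policy):
    """Process one message through the toy MTA under the given policy.

    "reject_in_transaction": an unknown recipient gets a 5xx reply at RCPT TO.
        The session ends, the client already knows, and no new mail is created.
    "accept_then_bounce": everything gets 250, the bad recipient is discovered
        after DATA, and a DSN is generated to the envelope sender, who is
        whoever the client claimed to be, forged or not.
    """
    out = Outcome()
    out.responses.append(("MAIL FROM", SMTP_OK))
    known = rcpt_to in local_users

    if policy == "reject_in_transaction":
        if not known:
            out.responses.append(("RCPT TO", SMTP_REJECT_USER))
            return out  # failure is reported in-band; nothing leaves this host
        out.responses.append(("RCPT TO", SMTP_OK))
        out.responses.append(("DATA", SMTP_OK))
        out.delivered.append((rcpt_to, body))
        return out

    if policy == "accept_then_bounce":
        out.responses.append(("RCPT TO", SMTP_OK))
        out.responses.append(("DATA", SMTP_OK))
        if known:
            out.delivered.append((rcpt_to, body))
        elif envelope_from:
            # Null sender (<>) must never receive a DSN; anything else does,
            # and the MTA has no way to know the address was forged.
            out.bounces.append({"to": envelope_from, "reason": SMTP_REJECT_USER})
        return out

    raise ValueError("unknown policy: %r" % policy)


def backscatter_to(victim, outcomes):
    """Count DSNs that a set of sessions would aim at one (possibly forged) address."""
    return sum(1 for o in outcomes for b in o.bounces if b["to"] == victim)


def demo():
    """Same forged message, unknown recipient, under both policies."""
    body = "constructed spam body"
    rejected = run_session(FORGED_SENDER, "nobody@example.test", body, LOCAL_USERS,
                           "reject_in_transaction")
    bounced = run_session(FORGED_SENDER, "nobody@example.test", body, LOCAL_USERS,
                          "accept_then_bounce")
    null_sender = run_session("", "nobody@example.test", body, LOCAL_USERS,
                              "accept_then_bounce")
    return {"rejected": rejected, "bounced": bounced, "null_sender": null_sender}


if __name__ == "__main__":
    results = demo()
    for name, outcome in results.items():
        print(name, outcome.responses, "bounces:", len(outcome.bounces))
    print("DSNs aimed at the forged sender:",
          backscatter_to(FORGED_SENDER, results.values()))
```

The in-transaction policy never produces an outbound message for a forged sender, which is exactly why a 5xx at RCPT TO (or at DATA, before the MTA takes responsibility) is the fix for the backscatter problem Charles raised, while the same forged envelope under accept-then-bounce yields one DSN per message to the victim.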