At 20:55 -1000 on 2005/03/07, Peter Kay wrote:
Has anyone else had problems with [verizon's attempts at sender address
verification]? I did quick check on their site and didn't find anything.
Heh, you should not expect Verizon, a provider that in the aggregate sends
much spam due to their poor control of their own network, to trumpet the
brokenness of their own anti-spam measures.
That brokenness is inherent, and is exacerbated by Verizon's attempts being
assymetric in IP space as well as in email address space. Their assymetry
neatly dodges reciprocal whitelists, in both IP space and email address
space.
Given the spam DoS load that Verizon's networks present to our servers, we
necessarily have Verizon's domain and networks blocklisted, except for
specific addresses our users have individually whitelisted. Given
Verizon's demonstrated lack of control of their own network, that is a
reasonable and prudent anti-spam measure.
Furthermore, when one of our users sends mail to Verizon, we can set up
additional reciprocal whitelists to allow replies from both the destination
network and the destination email address. Sadly for Verizon, their
misguided attempt at sender address verification dodges both.
Rather than attempting their "verification" from the same network as the
destination MX, they connect from an entirely different network, thus
missing the whitelisting.
Worse, rather than using the original recipient's email address as the MAIL
FROM in their verification attempt, they pick something nonsensical and
spammer-like, missing that whitelisting as well.
Add in their attempts to "verify" forged sender addresses, and they have an
even bigger problem. They're constantly making unsolicited
address-guessing connections to our servers.
So, in essence, Verizon is not doing sender address verification. They're
instead attempting what looks like nothing more than a dictionary attack
against our servers.
After a certain number of bogus address attempts, this escalates their
blocklist entries to the firewall, by design trumping all whitelisting they
might otherwise have been granted.
The end result is they have, by design or incompetence, totally shut down
mail to their users from those not-spam networks who have to generally
block address-guessing attacks and the ongoing spam load emanating from
Verizon's networks.
Have there been any BCP or equivalent on email address verification? I
haven't easily found any.
The BCP is: Don't try to do sender address verification. You almost
certainly can't do it right.
Even if you don't make Verizon's very braindead mistakes, you can't connect
out-of-band from the original SMTP connection and hope to retain or
regenerate enough state to tell whether a given FROM and TO pair of IPs and
email addresses will work symmetrically.
Richard
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg