On 2010-08-12 12:58:51 -0400, Hector Santos wrote:
Paul Smith wrote:
On 12/08/2010 14:28, Rosenwald, Jordan wrote:
True statement, but that means the senders of the other 5% are now left
in the dark as to what happened to their mail.
Is there a proposed solution to that?
Maybe we just recommend sending NDNs to people if their email is DKIMed
or if it came from a server matching SPF rules, or if the return path
It's better than never sending them at all, and those provisions make
it reasonably certain that the sender's email address wasn't forged.
Also, it might encourage people to put in place the anti-forgery methods.
In our implementation, we use CBV (Callback Verification) and this
resolves at least 50%, 70% to even as high as 90% of the "bad" MAIL
FROM: problem. Currently it is among the highest filter in our suite of
Apart from other objections against CBV, this only removes those cases
which were mostly harmless in the first place: If the forged sender
doesn't exist, the NDN cannot be delivered and will be silently
discarded (or sent to a local "double bounce" address where they will
probably be ignored ;-)). If the forged sender *does* exist, CBV won't
detect that it is forged and an NDN may be sent to the hapless victim of
the forgery. SPF, DKIM, BATV, etc. do a better job guarding against
_ | Peter J. Holzer | Openmoko has already embedded
|_|_) | Sysadmin WSR | voting system.
| | | hjp(_at_)hjp(_dot_)at | Named "If you want it -- write it"
__/ | http://www.hjp.at/ | -- Ilja O. on
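The NDN policy proposed in the thread (bounce only when SPF or DKIM vouches for the return path), sketched as an added example that is not part of any poster's message. It assumes the receiving border MTA stamps an Authentication-Results header; the authserv-id `mx.example.net`, the function names, the requirement that the DKIM signing domain match the return-path domain, and the sample headers are all assumptions constructed for illustration, and the third condition in the proposal is cut off on the page, so it is not implemented.

```python
import re

def parse_auth_results(header):
    """Simplified Authentication-Results parser: (authserv_id, [(method, result, props)])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue  # e.g. a bare "none" result
        rest = part[m.end():]
        props = {k.lower(): v.lower() for k, v in
                 re.findall(r"([a-z]+\.[a-z0-9-]+)\s*=\s*(\S+)", rest, re.I)}
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id, results

def should_send_ndn(return_path, auth_header, trusted_id):
    """True only if SPF or DKIM passed for the domain the NDN would be sent to."""
    addr = return_path.strip().strip("<>").lower()
    if "@" not in addr:
        return False  # null return path: never bounce a bounce
    domain = addr.rsplit("@", 1)[1]
    authserv_id, results = parse_auth_results(auth_header)
    if authserv_id != trusted_id.lower():
        return False  # header not written by our own border MTA, may be forged
    for method, result, props in results:
        if result != "pass":
            continue
        # SPF authenticates the envelope sender, which is the NDN target itself.
        if method == "spf" and props.get("smtp.mailfrom", "").rsplit("@", 1)[-1] == domain:
            return True
        # Assumption: a DKIM pass only counts if the signing domain is the return-path domain.
        if method == "dkim" and props.get("header.d") == domain:
            return True
    return False

# Constructed sample: an existing address forged as sender. CBV would accept it
# (the mailbox exists), but neither SPF nor an aligned DKIM signature vouches for it.
FORGED = "mx.example.net; spf=fail smtp.mailfrom=victim@example.org; dkim=pass header.d=bulk.example.com"
GENUINE = "mx.example.net; spf=pass smtp.mailfrom=alice@example.org; dkim=none"

if __name__ == "__main__":
    print(should_send_ndn("<victim@example.org>", FORGED, "mx.example.net"))
    print(should_send_ndn("<alice@example.org>", GENUINE, "mx.example.net"))
```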