procmail

Re: Certified Mail Delivery agent

2001-12-12 19:54:40
<mode="coming out of lurk" style="assertive">

Ok, I have watched this thread on Certified Mail Delivery agents with a
deepening sadness. That sadness already tangibly manifested itself upon
reading the first few lines of this ungodly spun: "The way it works is that
a database 'whitelist' is maintained of all the legitimate e-mail addresses
that have passed through an e-mail server/gateway."

I hate to burst someone's bubble, but this whole concept is flawed from the
get-go. For one, because there is no such thing as a "legitimate email
address," except its RFC 821 required form perhaps. A quick visit at
sendmail.org will already tell you why authenticating on email-address is a
pretty lame idea.

An email address can be so easily forged, that speaking of "forgery" itself
is already misleading. At best, an email address is a string of your choice
used as part of an SMTP communication. It has no legitimacy of its own,
hence there is inherently no such thing as a "legitimate email address" at
all; except, like I said, its format maybe.

That "whitelist" is actually not a whitelist at all, but ere an
unprecedented invitation to send you SPAM. :) You may think you are playing
it safe when you are individually allowing email addresses from, say,
"hisdomain.com"; but what you have in fact done, is allow spammers access to
your mailbox with a key that can be created as easily as typing an email
address.

The truly amazing part of this whole ill-begotten idea, is the fact that
your requests for confirmation are themselves unsolicited email! You think a
mailing list owner is waiting for an automated email from you, asking him
permission to send you mail from a mailing list you yourself voluntarily
subscribed to? Think again. In fact, you would be spamming him, as he made
no request on you of any kind (only vice versa); not to mention that you
are asking him to gracefully back your indulgence to be allowed to send
you copies of his list. Yeah, right.

Then there is the technical aspect of things. Finding the proper return
address is quite a feat; the envelope address you say? Nah, is likely a
custom return-address for the mailing list. In an ideal world, the proper
return address should be known. But what is "proper" in this context?
Especially on a mailing list, a participant is said to be the sender, so
that his name will show up in your inbox. And this is not wrong even, as
that participant is indeed the one who wrote the article. But what is
technically the return address may greatly differ. So, either you send a
confirmation request to the poster (who should certainly NOT receive it, as,
for your purposes, the list is the one who needs authentication,) or you
send it to a return address belonging to the list, ticking off a few people
on that end.

I could go on for a while...

In my estimation, there is hardly ever a valid reason to try and
"authenticate" based on email address. The current sendmails do a quick
check to see whether the domain of your email address actually resolves; but
that is more a convenience for the sender really, a protection against
himself for possible typos. I know sendmail allows "From:" in the access
database, to allow rejection or relay and such based on the envelope-from.
But if you really want to stop SPAM, use legitimate anti-SPAM provisions
(like MAPS RBL and such).

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

</mode="coming out of lurk">

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
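
An added illustration of the return-address problem the post describes (not code from the original message or from procmail): it lists every address a confirmation request could go to for one list post, and shows that a whitelist keyed on From: is decided by a header string alone. The sample message, its addresses and the function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list post as delivered, with the envelope sender
# recorded in Return-Path. All addresses are made-up placeholders.
SAMPLE = """\
Return-Path: <examplelist-bounces+me=example.net@lists.example.org>
Sender: examplelist-bounces@lists.example.org
From: Alice Poster <alice@hisdomain.example>
Reply-To: examplelist@lists.example.org
To: examplelist@lists.example.org
List-Id: <examplelist.lists.example.org>
Subject: Re: some thread

body
"""

SENDER_HEADERS = ("Return-Path", "Sender", "From", "Reply-To")


def candidate_addresses(raw):
    """Return {header: address} for every header naming a 'sender'."""
    msg = message_from_string(raw)
    found = {}
    for header in SENDER_HEADERS:
        addr = parseaddr(msg.get(header, ""))[1].lower()
        if addr:
            found[header] = addr
    return found


def challenge_is_ambiguous(raw):
    """True when the headers disagree about where a challenge should go."""
    return len(set(candidate_addresses(raw).values())) > 1


def whitelist_verdict(raw, whitelist):
    """Hypothetical address whitelist keyed on From:, as in the scheme
    under discussion. Nothing here proves who actually sent the message."""
    return candidate_addresses(raw).get("From", "") in whitelist


if __name__ == "__main__":
    for header, addr in candidate_addresses(SAMPLE).items():
        print(f"{header:12} {addr}")
    print("ambiguous:", challenge_is_ambiguous(SAMPLE))
    print("whitelisted:", whitelist_verdict(SAMPLE, {"alice@hisdomain.example"}))
```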