spf-discuss

Re: Border Appliances

2005-06-30 16:36:54

From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>

With your method, while excellent, you are still able to
pass undetected spam to users.  Right?

Correct.  With a relaxed SPF result, and not one of the domains
already required to be strict.  You see, there are still users
on small domains that send mail from laptops at hotels without
SMTP AUTH.

You don't require your roaming users to be authorized by SMTP AUTH? How about
POP before SMTP?   I guess you would only allow local mail submissions,
right? <g>

But here is the next thing I do.  When accepting
a relaxed result, I send a DSN.  If the DSN is not accepted,
I reject the mail.  This weeds out obvious forgeries where the sender
email doesn't even exist.  If the DSN is accepted, I log who I
have sent DSNs to, and send them another one every month to
nag them a bit to secure their system.  Here is the template
for the softfail DSN:

What's your experience on the feedback on this?

Do you see some changing?

Do you send it every month regardless if they have not sent mail within 1-2
months??  Or do you wait until the next message for the next month?

Do you expire them after so many months?

I mean if I haven't sent you mail in 3-4 months.  Why nag them?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
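
The DSN check and monthly reminder discussed in this message can be sketched as the following bookkeeping. This is an added example, not code from either poster: the class and method names, the `send_dsn` callable, sending the reminder only when new mail arrives, and the 90-day expiry are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

NAG_INTERVAL = timedelta(days=30)  # "every month", as described in the thread
EXPIRE_AFTER = timedelta(days=90)  # assumption: forget senders idle this long


class SoftfailDsnLog:
    """Bookkeeping for senders accepted on a relaxed SPF result."""

    def __init__(self):
        # sender -> {"last_dsn": datetime, "last_mail": datetime}
        self.entries = {}

    def on_relaxed_result(self, sender, send_dsn, now):
        """Decide 'accept' or 'reject' for one message with a relaxed result.

        send_dsn(sender) is a caller-supplied callable (hypothetical) that
        attempts delivery of the DSN and returns True if it was accepted.
        """
        entry = self.entries.get(sender)
        if entry and now - entry["last_dsn"] < NAG_INTERVAL:
            entry["last_mail"] = now  # notified recently: no new DSN
            return "accept"
        if not send_dsn(sender):
            # DSN refused: sender address is likely forged or nonexistent
            self.entries.pop(sender, None)
            return "reject"
        self.entries[sender] = {"last_dsn": now, "last_mail": now}
        return "accept"

    def expire(self, now):
        """Drop senders with no mail for EXPIRE_AFTER; return those dropped."""
        idle = sorted(s for s, e in self.entries.items()
                      if now - e["last_mail"] >= EXPIRE_AFTER)
        for s in idle:
            del self.entries[s]
        return idle


if __name__ == "__main__":
    log = SoftfailDsnLog()
    start = datetime(2005, 6, 30)  # constructed sample data
    print(log.on_relaxed_result("user@example.org", lambda s: True, start))
    print(log.on_relaxed_result("forged@example.net", lambda s: False, start))
    print(log.expire(start + timedelta(days=120)))
```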



