
Re: [spf-discuss] (SOLVED) SPF blocking e-mails coming from an E-card service server

2007-04-27 13:27:22
On Fri, Apr 27, 2007 at 09:10:14PM +0200, dan1 wrote:
> Hello, all.
>
> Thanks to your suggestions, I have now been able to rewrite our E-card
> service so that it is compliant with SPF.
> It seems to be going through the SPF as stated by one of our complaining
> customers.
>
> If you would be willing to add it to the SPF-compliant E-card services, I
> would be pleased. The link is www.edenpics.com, and there are no banners, spam
> lists, spies or anything.
> It was quite cumbersome, because I had to handle the bounces back, which is
> all that is difficult when we change the sender address. This is very
> important, else people won't know that their e-card was not received. I had
> to scratch my head some hours to be able to make it work the right way, but
> using sendmail and smrsh I finally got it with a php script.


I'm afraid you have a little more to do.

You are _not_ handling bounces.  You are offloading that job to some
random user whose email address was selected by the person abusing your
service.

For educational purposes I'm going to send you a bounce. I'm sure you'll 
understand.

Apr 27 22:06:17 a postfix/smtpd[4266]: connect from edenpics.com[154.37.1.234]
Apr 27 22:06:25 a postfix/smtpd[4266]: NOQUEUE: reject: RCPT from edenpics.com[154.37.1.234]: 550 <$rcpt_email_address_deleted>: Recipient address rejected: User unknown in local recipient table; from=<ecard-bounce@edenpics.com> to=<$rcpt_email_address_deleted> proto=ESMTP helo=<anoigo.edenpics.com>

Apr 27 22:06:37 a postfix/smtpd[4268]: connect from edenpics.com[154.37.1.234]
Apr 27 22:06:37 a postfix/smtpd[4268]: NOQUEUE: reject: RCPT from edenpics.com[154.37.1.234]: 550 <$sender_email_address_deleted>: Recipient address rejected: User unknown in local recipient table; from=<mail@anoigo.edenpics.com> to=<$sender_email_address_deleted> proto=ESMTP helo=<anoigo.edenpics.com>

At least now it is you sending this misdirected bounce, not some other
random user also being selected by the abuser.

Not related to this list, but a recommendation anyway:
Ask people to confirm their email address by confirmed opt-in. It could work 
like so:

[note: by "cookie" I do not mean a browser cookie, but a semi-random string 
which is not easily guessed and changes depending on the user's email address, 
time of day, etc.]

1) display some cookie on your site.
2) user sends an email, containing the cookie, to a special mailbox at your 
site, asking to become a member.
3) you send an email back, containing another cookie, asking the user to 
confirm. Do explain that someone asked for your invite, and be sorry if the 
user at IP address ppp.qqq.rrr.sss abused your service. Show headers, so that 
the victim can complain to the abuser instead of to you.
4) user replies with the 2nd cookie, thereby confirming that he does actually 
use the email address he entered on your site.
5) Return a password to the user.
6) Let the user login, using his email address and the password.

The 1st cookie is to hinder spambots and the like.

The 2nd cookie is to protect your own service from bad guys abusing your 
service. This cookie has to be secure; it should not be easily guessed.

HTH
Alex
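The six-step confirmed opt-in above, as an added example (not code from the post or from the edenpics service). It assumes Python 3 and realises the "semi-random string" as an HMAC over purpose, address and issue time with a server-side secret, so a cookie cannot be guessed, cannot be replayed for another address or purpose, and expires; mail that carries no valid cookie is dropped rather than bounced, which is the backscatter problem the reply describes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secret; a real service loads it from configuration, not source.
SECRET = b"example-server-secret-not-for-production"
COOKIE_TTL = 24 * 3600  # seconds a cookie stays valid


def _mac(purpose: str, email: str, ts: int) -> str:
    msg = f"{purpose}|{email.lower()}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_cookie(purpose: str, email: str, now: int) -> str:
    """Cookie bound to its purpose ('site' or 'confirm'), the address and issue time."""
    return f"{now}.{_mac(purpose, email, now)}"


def check_cookie(cookie: str, purpose: str, email: str, now: int) -> bool:
    """True only if the MAC verifies (constant-time compare) and the cookie is unexpired."""
    try:
        ts_str, mac = cookie.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= now - ts <= COOKIE_TTL:
        return False
    return hmac.compare_digest(mac, _mac(purpose, email, ts))


def handle_signup_mail(sender: str, cookie: str, now: int) -> Optional[str]:
    """Steps 2-3: mail to the signup mailbox. A valid site cookie earns a confirm
    cookie to send back; anything else is dropped, never bounced to a forged sender."""
    if check_cookie(cookie, "site", sender, now):
        return make_cookie("confirm", sender, now)
    return None


def handle_confirm_reply(sender: str, cookie: str, now: int) -> Optional[str]:
    """Steps 4-5: a valid reply proves the sender reads that mailbox; issue a password."""
    if check_cookie(cookie, "confirm", sender, now):
        return secrets.token_urlsafe(12)
    return None


if __name__ == "__main__":
    t0 = 1177704000  # constructed fixed clock for the walk-through
    site = make_cookie("site", "user@example.org", t0)                     # step 1
    confirm = handle_signup_mail("user@example.org", site, t0 + 60)        # steps 2-3
    print("password:", handle_confirm_reply("user@example.org", confirm, t0 + 120))
```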

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
