"Friends Only"

mikea mikea at mikea.ath.cx
Mon Oct 2 16:23:13 IST 2006 

On Mon, Oct 02, 2006 at 03:55:17PM +0100, Martin Hepworth wrote:
> Matt Hampton wrote:
> > Greg Borders wrote:
> >> Greetings list-mates,

> >> The PHB's have discovered the ability of some mail systems that require
> >> you to "validate" your address before they will accept messages, thus
> >> avoiding SPAM.  Example, surgemail has a "Friends System"
> >> http://netwinsite.com/surgemail/friends.htm, and eMoustTrap has a
> >> package that sits between the MTA and MUA and does the authentication.

> >> Yippie yay, now they want it too. -_-

> >> Without wanting to spark any further heated debates on autoresponders, 
> >> I wanted to query the group and see if there was any slick bolt-ons for
> >> sendmail / MailScanner / Mailwatch out there that might take advantage
> >> of some whitelisting mechanisms we already have.  I can see potential of
> >> a custom script within MailScanner that could send a subscribe/verify
> >> message, and then auto-add to a whitelist upon receiving a proper
> >> response from the human sender.

> > Before you go down this router - try milter-sender (or I have a perl
> > replacement if you are interested) which checks that the email address
> > is accepted by the MX's for the domain before accepting it.  I have
> > found a 60% reduction in crud before it gets as far as MailScanner.

> > I would highly recommend doing this even if you are wanting to go down
> > the auto responder route and I would also suggest that the auto
> > responder is placed AFTER MailScanner as it would ensure that the
> > majority of Spam is removed before sending more crap to the joe jobbed
> > addresses.

> > You will also need to ensure that the email is sent from a different IP
> > than your outbound email as it will only take about a week before you
> > will be in SpamCop.

> And of course this auto resonder 'annoys' people when they get the 
> autoresponder emailing them when they never sent you a message in the 
> first place..(bit like bouncing spam, autoresonders are a bad idea).

> http://spamlinks.net/prevent-secure-backscatter-fake.htm
> (for one of many good links on why bouncing spam/autoresponders are a 
> bad idea).

As regards autoresponders: if you autorespond to spam with forged 
headers and envelope senders, those responses are: 
o	unsolicited
o	bulk
o	E-mail
which is how a great many mailadmins define spam. 

You'll wind up in their bl[oa]cklists as a result, which I strongly 
suspect is _directly_ contrary to the desires of your PHBs. At best,
Challenge/Response (or C/R) systems are not a _good_ idea, and in the
present environment, they're a Very Bad Idea Indeed. 

-- 
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin

More information about the MailScanner mailing list