Friday, June 29, 2007
Sender Address Verification we told you so
When we started seeing SMTP callbacks, aka "Sender Address Verification," several members of news.admin.net-abuse.email, including myself, said it was a Bad Idea.
It's trivially easy to get around SAV. The spammer just puts known deliverable addresses in his envelope-sender. Of course he needs to use thousands or millions of those in each spam run, to evade statistical filters. I'm surprised it took until now for them to figure that out. And because they have to be deliverable, it takes a higher quality list for the fake senders than for the spam recipients.
Meanwhile, there are still a lot of "anti-spam appliances" and other broken SMTP servers that accept and return messages to bad addresses, rather than refusing them. But you can't return spam once you've accepted it into your queue. You don't have an address for the spammer, and he isn't interested anyway. So the returned spam messages become a new form of spam known as "backscatter." Until recently, the Barracuda appliance in its default configuration sent backscatter. They've fixed that. Qmail-1.03 sends backscatter. There are patches for that. One popular Qmail backscatter patch is called "chkuser."
Two unforseen consequences combine for another harm. 1. SAV is becoming popular. 2. Backscatter. The backscatter used to go to the same poor quality address lists the spammers send to. So most of it never got delivered; it stuck in the Barracuda appliance or Qmail queue. But now it's getting delivered, adding to the spam load and degrading the statistical filtering results.
Not only are spammers destroying the public email system, but misguided Final Ultimate Solutions (FUSSPs) are damaging it too.
It's trivially easy to get around SAV. The spammer just puts known deliverable addresses in his envelope-sender. Of course he needs to use thousands or millions of those in each spam run, to evade statistical filters. I'm surprised it took until now for them to figure that out. And because they have to be deliverable, it takes a higher quality list for the fake senders than for the spam recipients.
Meanwhile, there are still a lot of "anti-spam appliances" and other broken SMTP servers that accept and return messages to bad addresses, rather than refusing them. But you can't return spam once you've accepted it into your queue. You don't have an address for the spammer, and he isn't interested anyway. So the returned spam messages become a new form of spam known as "backscatter." Until recently, the Barracuda appliance in its default configuration sent backscatter. They've fixed that. Qmail-1.03 sends backscatter. There are patches for that. One popular Qmail backscatter patch is called "chkuser."
Two unforseen consequences combine for another harm. 1. SAV is becoming popular. 2. Backscatter. The backscatter used to go to the same poor quality address lists the spammers send to. So most of it never got delivered; it stuck in the Barracuda appliance or Qmail queue. But now it's getting delivered, adding to the spam load and degrading the statistical filtering results.
Not only are spammers destroying the public email system, but misguided Final Ultimate Solutions (FUSSPs) are damaging it too.
Comments:
<< Home
... and of course the effect of this is to render anyone with a wildcard domain vulnerable to receipt of literally thousands of "bounced" messages. Basically, at this point, no rational person sets up their email with a "catch all" address, because it becomes a major spam target. This is a significant inconvenience for folks used to being able to create addresses on the fly, either in content, or when registering on a site.
It also creates major hassles for individual users who wake up in the morning and find their email inboxes clogged with hundreds of bounced messages, and don't understand why this is happening.
Post a Comment
It also creates major hassles for individual users who wake up in the morning and find their email inboxes clogged with hundreds of bounced messages, and don't understand why this is happening.
<< Home
