Sender Address Verification considered harmful
(as an anti-spam technique, at least.)
Sender-address verification, also known as callback verification, is a technique to verify that mail is being sent with a valid envelope-sender return address. It is supported by Exim and Postfix, among others.
Some view this as a useful anti-spam technique. In my opinion, it’s not.
Spam/anti-spam is an adversarial “game”. Whenever you’re considering anti-spam techniques, it’s important to bear in mind game theory, and the possible countermeasures that spammers will respond with. Before SAV became prevalent, spam was often sent using entirely fake sender data; hence the initial attractiveness of SAV. Once SAV became worth evading, the spammers needed to find “real” sender addresses to evade it. And where’s the obvious place to find real addresses? On the list of target addresses they’re spamming!
Since the spam is now sent using forged sender addresses of “real” people, when a spam bounces (as much of it does), the bounce will be sent back not to an entirely fake address, but to a spam recipient’s address.
Hence, the spam recipients now get twice as much mail from each spam run – spam aimed at them, and bounce blowback from hundreds of spams aimed at others, forged to appear to be from them.
This is the obvious “next move” in response to SAV, which is one reason why we never implemented something like it in SpamAssassin.
On top of this — it doesn’t work well enough anymore. Verizon use SAV. Have you ever heard anyone talk about how great Verizon’s spam filtering is? Didn’t think so.
(This post is a little late, given that SAV has been used for years now, but better late than never ;)
By the way, it’s worth noting that it’s still marginally acceptable to use SAV as a general email acceptance policy for your site — ie. as a way to assert that you’re not going to accept mail from people who won’t accept mail to the envelope sender address used to deliver it. Just don’t be fooled into thinking it’s helping the spam problem, or is helping anyone else but yourself.
Finally, this Sender Address Verification is different from what Sendio calls Sender Address Verification. That’s just challenge-response, which is crap for an entirely different, and much worse, set of reasons.
Tags: anti-spam, exim, game-theory, mail, mtas, postfix, sav, sender-address-verification, smtp
Tony Finch said,
March 16, 2007 @ 2:17 pm
As you know (because we’ve discussed it elsewhere) I would also note that call-back verification also has a fairly high false-positive rate, especially for transactional email from web sites - where false positives can be particularly annoying and difficult to resolve since there isn’t a human at the other end who can fall back to non-email communication.
adam said,
March 16, 2007 @ 2:33 pm
I have to admit I wasn’t even aware of this until recently, when I noticed mail sticking in my queues for rather odd reasons, and googled the errors. I really can’t understand why ideas like this keep popping up; the developers just don’t seem to have the gumption to think like a spammer, which is pretty sad when that’s where they should be /starting/.
Don’t get me started on challenge-response. I just dump these myself, and I have to admit having been tempted to dump them for my customers too. If only it were that easy…
ben said,
March 16, 2007 @ 6:43 pm
“Considered Harmful” Essays Considered Harmful
Justin said,
March 16, 2007 @ 7:29 pm
That ”Considered Harmful’ Essays Considered Harmful’ essay is full of silly hand-wavy assertions:
‘The problem is that “considered harmful” essays rarely, if ever, have the intended effect of weakening support for whatever it is they consider harmful.’
a PROVEN FACT, no doubt!
‘”Considered harmful” essays are not only a sad cliche at this stage of the game, they are counter-productive to reasoned debate and most often do far more harm than good to whatever cause they promote. It would therefore seem obvious that the only intelligent course of action is to abandon their use entirely, and instead look to more constructive forms of essay writing in the support of debate positions. ‘
this is slightly deflated by the fact that it itself appears in a “Considered Harmful” essay. ;)
ben said,
March 16, 2007 @ 8:03 pm
I didn’t even read it, actually, I just meant it alanically.
Will Chenoweth said,
August 5, 2007 @ 4:20 pm
I am confused by the SAV. How would I make it work? Where do I put it? I currently use disposable email addresses which is limited in a some ways.
Tim said,
January 23, 2008 @ 11:00 am
“where false positives can be particularly annoying and difficult to resolve since there isn’t a human at the other end who can fall back to non-email communication.”
Why would I want to accept a mail from a site that thinks it can spew mails willy-nilly without checking for bounces? It indicates nothing more than a lackadaisical approach to the web-application or mail-server in question.