Sender Address Verification considered harmful

(as an anti-spam technique, at least.)

Sender-address verification, also known as callback verification, is a technique to verify that mail is being sent with a valid envelope-sender return address. It is supported by Exim and Postfix, among others.

Some view this as a useful anti-spam technique. In my opinion, it’s not.

Spam/anti-spam is an adversarial “game”. Whenever you’re considering anti-spam techniques, it’s important to bear in mind game theory, and the possible countermeasures that spammers will respond with. Before SAV became prevalent, spam was often sent using entirely fake sender data; hence the initial attractiveness of SAV. Once SAV became worth evading, the spammers needed to find “real” sender addresses to evade it. And where’s the obvious place to find real addresses? On the list of target addresses they’re spamming!

Since the spam is now sent using forged sender addresses of “real” people, when a spam bounces (as much of it does), the bounce will be sent back not to an entirely fake address, but to a spam recipient’s address.

Hence, the spam recipients now get twice as much mail from each spam run – spam aimed at them, and bounce blowback from hundreds of spams aimed at others, forged to appear to be from them.
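A toy model of the argument above, added here as an illustration and not code from the original post: it counts what one spam run does when envelope senders are made up versus drawn from the target list, with and without SAV. The addresses, the 100/100 split of live and stale list entries, and the assumption that undeliverable mail is bounced to the envelope sender are all constructed.

```python
from collections import Counter

# Constructed data: 100 live mailboxes and 100 stale list entries.
LIVE = [f"user{i}@example.net" for i in range(100)]
STALE = [f"gone{i}@example.net" for i in range(100)]
TARGETS = LIVE + STALE            # the spammer's (partly out-of-date) list
MAILBOXES = set(LIVE)             # what a callout would find to exist

def callout_ok(sender):
    """Stand-in for the SMTP callback: does RCPT TO:<sender> succeed?"""
    return sender in MAILBOXES

def made_up_sender(i):
    """Pre-SAV behaviour: entirely fake envelope sender."""
    return f"x{i}@nowhere.invalid"

def list_sender(i):
    """Post-SAV behaviour: sender drawn from the target list itself.
    A fixed offset replaces random choice so the run is reproducible."""
    return TARGETS[(i + 50) % len(TARGETS)]

def spam_run(pick_sender, use_sav=True):
    """Send one message per target; return (stats, backscatter per live user)."""
    stats = Counter()
    backscatter = Counter()       # bounces landing in live mailboxes
    for i, rcpt in enumerate(TARGETS):
        sender = pick_sender(i)
        if use_sav and not callout_ok(sender):
            stats["rejected_by_sav"] += 1
        elif rcpt in MAILBOXES:
            stats["spam_delivered"] += 1
        else:
            stats["bounces"] += 1            # undeliverable: bounce to sender
            if sender in MAILBOXES:
                backscatter[sender] += 1     # an innocent user gets blowback
    return stats, backscatter

if __name__ == "__main__":
    for strategy in (made_up_sender, list_sender):
        stats, hit = spam_run(strategy)
        print(strategy.__name__, dict(stats), "users hit by backscatter:", len(hit))
```

In this model SAV rejects every message with a made-up sender, but only the share of list-derived senders that happen to be stale, and every bounce from the remainder lands in a real user's mailbox.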

This is the obvious “next move” in response to SAV, which is one reason why we never implemented something like it in SpamAssassin.

On top of this — it doesn’t work well enough anymore. Verizon use SAV. Have you ever heard anyone talk about how great Verizon’s spam filtering is? Didn’t think so.

(This post is a little late, given that SAV has been used for years now, but better late than never ;)

By the way, it’s worth noting that it’s still marginally acceptable to use SAV as a general email acceptance policy for your site — i.e. as a way to assert that you’re not going to accept mail from people who won’t accept mail to the envelope sender address used to deliver it. Just don’t be fooled into thinking it’s helping the spam problem, or is helping anyone else but yourself.

Finally, this Sender Address Verification is different from what Sendio calls Sender Address Verification. That’s just challenge-response, which is crap for an entirely different, and much worse, set of reasons.


22 Comments

  1. Posted March 16, 2007 at 14:17 | Permalink

    As you know (because we’ve discussed it elsewhere) I would also note that call-back verification also has a fairly high false-positive rate, especially for transactional email from web sites – where false positives can be particularly annoying and difficult to resolve since there isn’t a human at the other end who can fall back to non-email communication.

  2. Posted March 16, 2007 at 14:33 | Permalink

    I have to admit I wasn’t even aware of this until recently, when I noticed mail sticking in my queues for rather odd reasons, and googled the errors. I really can’t understand why ideas like this keep popping up; the developers just don’t seem to have the gumption to think like a spammer, which is pretty sad when that’s where they should be /starting/.

    Don’t get me started on challenge-response. I just dump these myself, and I have to admit having been tempted to dump them for my customers too. If only it were that easy…

  3. ben
    Posted March 16, 2007 at 18:43 | Permalink

  4. Posted March 16, 2007 at 19:29 | Permalink

    That ‘“Considered Harmful” Essays Considered Harmful’ essay is full of silly hand-wavy assertions:

    ‘The problem is that “considered harmful” essays rarely, if ever, have the intended effect of weakening support for whatever it is they consider harmful.’

    a PROVEN FACT, no doubt!

    ‘”Considered harmful” essays are not only a sad cliche at this stage of the game, they are counter-productive to reasoned debate and most often do far more harm than good to whatever cause they promote. It would therefore seem obvious that the only intelligent course of action is to abandon their use entirely, and instead look to more constructive forms of essay writing in the support of debate positions. ‘

    this is slightly deflated by the fact that it itself appears in a “Considered Harmful” essay. ;)

  5. ben
    Posted March 16, 2007 at 20:03 | Permalink

    I didn’t even read it, actually, I just meant it alanically.

  6. Posted August 5, 2007 at 16:20 | Permalink

    I am confused by the SAV. How would I make it work? Where do I put it? I currently use disposable email addresses which is limited in some ways.

  7. Posted January 23, 2008 at 11:00 | Permalink

    “where false positives can be particularly annoying and difficult to resolve since there isn’t a human at the other end who can fall back to non-email communication.”

    Why would I want to accept a mail from a site that thinks it can spew mails willy-nilly without checking for bounces? It indicates nothing more than a lackadaisical approach to the web-application or mail-server in question.

  8. TIMMY!
    Posted July 26, 2008 at 00:20 | Permalink

    Google ad at the top of this article, kind of funny in contrast to the article topic.

    “Free Trial – Mass Email” “99% Delivery Rates. Secure, Easy, & Feature-Packed. (Free Trial)! ” “www.xyzabcde.com/Mass” (name deleted, they are spam enablers after all)

  9. Posted July 29, 2008 at 23:53 | Permalink

    @Timmy: could you mail me the ad URL to jm at jmason.org? I can add bad advertisers to a blocklist, but that ad isn’t showing up for me…

  10. Posted January 31, 2009 at 02:21 | Permalink

    Why would I want to accept a mail from a site that thinks it can spew mails willy-nilly without checking for bounces? It indicates nothing more than a lackadaisical approach to the web-application or mail-server in question.

  11. Posted March 10, 2009 at 05:16 | Permalink

    Justin,

    As someone who uses SAV I have to mostly disagree with you. First yes using SAV as determinative by itself would lead to false positives. However when combined with other tests it is extremely accurate. The trick with SAV is to do it right. You also assert that spammers could use real email addresses to defeat SAV. If this were true then they would be doing it. But the reality is that they aren’t. One of the reasons they aren’t is because most spam comes from botnets and the overhead of managing and distributing such lists to virus botnets would make the botnet less effective. In reality, spammers don’t have lists of good recipients let alone good senders.

    I think it would be more accurate to say that you don’t know how to implement SAV correctly rather than conclude it doesn’t work or is abusive. But you are a Spamassassin guy and I agree that SAV wouldn’t be useful in Spamassassin. However using it at the MTA level, in Exim, it is extremely useful.

    BTW – on a side note – if you used a darker color for your comment text people could read it better.

  12. Verrice
    Posted March 26, 2009 at 14:42 | Permalink

    Marc,

    I’m sorry but you ruined your credibility by saying: “You also assert that spammers could use real email addresses to defeat SAV. If this were true then they would be doing it. But the reality is that they aren’t. One of the reasons they aren’t is because most spam comes from botnets and the overhead of managing and distributing such lists to virus botnets would make the botnet less effective. In reality, spammers don’t have lists of good recipients let alone good senders.”

    Spammers definitely, without a shadow of a doubt, use their good-lists as sender addresses. Get a hotmail account and start registering it on every web site you find. Before long you’ll start to get email from real, valid addresses, and if you’re patient enough, you’ll eventually get one from yourself, or a bounce back as though you sent a spam message.

    Just because you believe something, doesn’t make it true. In this case, you’re dead-wrong. Sorry…

  13. Posted March 26, 2009 at 15:36 | Permalink

    But I am not dead wrong. Some might try to use good lists but for the most part it’s virus bots sending and these bots don’t have big lists of good senders. They tend to use domains that accept wild card addresses and pass sender verification.

    Although there are some sender addresses that are good the vast majority are not.

  14. Verrice
    Posted March 26, 2009 at 15:44 | Permalink

    Believe what you wish Marc. Yes some are bogus, but simply because the good-list is out of date. The spammers aren’t going through the trouble to make up names that look like real people’s.

    The fact is, spammers use the names and addresses on their ‘good-list’ to pose as the sender. There is no debate there, and to refute it would be silly. Updating the viral list is simple, because they don’t push the updates, the bots pull them as needed. As for the quality of their lists… well the market isn’t exactly tops on the regulations list, so yeah, there’s going to be a lot of bad addresses in their lists. There’s a whole industry around creating and updating these ‘good-lists’.

    So, sorry, still wrong… :P

  15. Posted March 26, 2009 at 16:02 | Permalink

    If I were wrong then I wouldn’t be receiving millions of emails a day from addresses that don’t exist. You can theorize about what spammers could do but I’m right about what spammers are doing.

  16. Verrice
    Posted March 26, 2009 at 16:05 | Permalink

    Haha, I didn’t say they DON’T use bogus addresses. Seems to me you’re the one theorizing. Enjoy your spam, and eventual blacklisting for sending pansy confirmation letters back to unwitting victims of spoofed emails.

  17. Verrice
    Posted March 26, 2009 at 16:07 | Permalink

    Oh wait… you work for a company that makes an SAV product, don’t you?! Ahhhhh, and suddenly the picture becomes clear. To quote another who quoted another…

    “It is difficult to get a man to understand something when his salary depends upon his not understanding it.”

    – Upton Sinclair

  18. Posted March 26, 2009 at 16:21 | Permalink

    I own a company that uses SAV. The reason I use SAV is because it actually works. If it didn’t work I wouldn’t use it. For example SPF is a technology that’s out there that doesn’t work. So I don’t use it. If however I found a use for SPF then I would use it. For me it’s all about what works and SAV works.

    One does have to know how to do it right. I will agree that if you block ONLY on SAV you’ll get false positives. But when you combine SAV with other technologies it is a very strong indicator of spam.

  19. Albert Meyer
    Posted April 29, 2009 at 22:07 | Permalink

    Marc Perkel… where have I heard that name before? Oh yeah, that’s the jackass that repeatedly vandalized the wikipedia article about SAV by removing all of the information about the problems it creates.

    http://en.wikipedia.org/wiki/Talk:Callback_verification

  20. Kamers
    Posted October 6, 2009 at 00:18 | Permalink

    Hi. I am not in this “love” or “hate” game. It would just be great to understand what is REALLY so bad about SAV (so maybe we could not use it). The only reasonable argument I have seen so far is the risk of being abused in a DDoS. If someone can send millions of emails from smtp servers with SPF and valid (spoofed) mails, why all this blaming on bounces or SAVs? The DDoS could be done without bounces or SAVs. Regards

  21. H. Forcelledo
    Posted January 15, 2012 at 21:39 | Permalink

    For over 12 years I’ve been implementing POSTINI for clients and was a godsend from day 1. You’d figure that whatever technology they use would’ve filtered down by now to be implemented at a user level but oogatZ! I just had an account closed by my ISP cause the bounce backs were in the thousands – their solution “Kill the account”. I am PRETTY sure that something on the email header can be used to match the reply to to the actual sender or hell…. do away with the reply to: ! At what point was this a good idea? BTW Postini still had a 40 user minimum at $1.00 a month, not a bad deal for a small enterprise, but sole users are up the creek.

  22. René Rømer
    Posted May 26, 2013 at 09:41 | Permalink

    If I only got the e-mail address – allocca231grs@hotmail.com – shown on a mail that I have received via ebay mail system. How can you or I find the physical address of this person. The person should be located in Italy.

    Reason for asking is, that I have – yes stupid as I am – transferred an amount to a bank in Dublin, owned by the person in Italy, and not received the object. eBay in Italy don’t have the same “Protection” program as US / Germany / UK got.

    Hope you can help me out, or know someone who can.

    Thanks in advance.

    René