Comments on: Sender Address Verification considered harmful

By: H. Forcelledo

H. Forcelledo — Sun, 15 Jan 2012 20:39:26 +0000

For over 12 years ive been implementing POSTINI for clients and was a god sent from day 1. Youd figure that whatever technlogy they use wouldve filtered down by now to be implemented at a user level but oogatZ! I just had an account closed by my ISP cause the bounce back were in the thousands – their solution “Kill the account” I am PRETTY sure that something on the email header can be used to match the reply to to the actial sender or hell…. do away with the reply to: ! at what point was this a good idea? BTW Postini still had a 40 user minimum at $1.00 a month not a bad deal for a smal enterprise but , sole users are up the creek.

By: Kamers

Kamers — Mon, 05 Oct 2009 23:18:29 +0000

Hi. I am not in this the “love” or “hate” game. It would just be great to understand what is REALLY so bad about SAV (so maybe we could not use it). The only reasonable argument I have seem so far is the risk of beeing abused in a DDoS. If someone can send millions of emails from smtp servers with SPF and valid (spoofed) mails, why all this blamming on bounces or SAVs? The DDoS could be done without bounces or SAVs. Regards

By: Albert Meyer

Albert Meyer — Wed, 29 Apr 2009 21:07:02 +0000

Marc Perkel… where have I heard that name before? Oh yeah, that’s the jackass that repeatedly vandalized the wikipedia article about SAV by removing all of the information about the problems it creates.

http://en.wikipedia.org/wiki/Talk:Callback_verification

By: Marc Perkel

Marc Perkel — Thu, 26 Mar 2009 15:21:39 +0000

I own a company that uses SAV. The reason I use SAV is because it actually works. If it didn't work I wouldn't use it. For example SPF is a technology that's out there that doesn't work. So I don't use it. If however I found a use for SPF then I would use it. For me it's all about that works and SAV works.

One does have to know how to do it right. I will agree that if you block ONLY on SAV you'll get false positives. But when you combine SAV with other technologies it is a very strong indicator of spam.

By: Verrice

Verrice — Thu, 26 Mar 2009 15:07:45 +0000

Oh wait... you work for a company that makes an SAV product, don't you?! Ahhhhh, and suddenly the picture becomes clear. To quote another who quoted another...

"It is difficult to get a man to understand something when his salary depends upon his not understanding it."

-- Upton Sinclair

By: Verrice

Verrice — Thu, 26 Mar 2009 15:05:24 +0000

Haha, I didn’t say they DON’T use bogus addresses. Seems to me you’re the one theorizing. Enjoy your spam, and eventual blacklisting for sending pansy confirmation letters back to unwitting victims of spoofed emails.

By: Marc Perkel

Marc Perkel — Thu, 26 Mar 2009 15:02:46 +0000

If I were wrong then I wouldn’t be receiving millions of emails a day from addresses that don’t exist. You can theorize about what spammers could do but I’m right about what spammers are doing.

By: Verrice

Verrice — Thu, 26 Mar 2009 14:44:23 +0000

Believe what you wish Marc. Yes some are bogus, but simply because the good-list is out of date. The spammers aren't going through the trouble to make up names that look like real people's.

The fact is, spammers use the names and addresses on their 'good-list' to pose as the sender. There is no debate there, and to refute it would be silly. Updating the viral list is simple, because they don't push the updates, the bots pull them as needed. As for the quality of their lists... well the market isn't exactly tops on the regulations list, so yeah, there's going to be a lot of bad addresses in their lists. There's a whole industry around creating and updating these 'good-lists'.

So, sorry, still wrong... :P

By: Marc Perkel

Marc Perkel — Thu, 26 Mar 2009 14:36:12 +0000

But I am not dead wrong. some might try to use good lists by for the most part it's virus bots sending and these bots don't have big lists of good senders. They tent to use domains that accept wild card addresses and pass sender verification.

Although there are some sender addresses that are good the vast majority are not.

By: Verrice

Verrice — Thu, 26 Mar 2009 13:42:53 +0000

Marc,

I'm sorry but you ruined your credibility by saying: "You also assert that spammers could use real email addresses to defeat SAV. If this were true then they would be doing it. But the reality is that they aren’t. One of the reasons they aren’t is because most spam comes from botnets and the overhead of managing and distributing such lists to virus botnets would make the botnet less effective. In reality, spammers don’t have lists of good recipients let alone good senders."

Spammers definitely, without a shadow of a doubt, use their good-lists as sender addresses. Get a hotmail account and start registering it on every web site you find. Before long you'll start to get email from real, valid addresses, and if you're patient enough, you'll eventually get one from yourself, or a bounce back as though you sent a spam message.

Just because you believe something, doesn't make it true. In this case, you're dead-wrong. Sorry...