Wandering Thoughts archives

2006-12-21

Something to avoid in callback email address verification

Here's something I would like to grind into various people programming callback email address verification:

Don't do callback email address verification with a MAIL FROM of <> unless the address has actually sent you email.

Why? Because if an address never sends any email to start with, it may not be willing to receive bounces (the major source of email from <>). Blocking null MAIL FROMs from sending email to such addresses is a completely rational way to block bad bounces from forged spam runs.

The people doing this that make me really grind my teeth are SourceForge, who insist that both the origin address of the email and postmaster be willing to accept mail from <>. Our postmaster address is often forged on spam and never sends email, so we would really like to refuse bounces to it. Unfortunately mailing to SourceForge hosted mailing lists is somewhat more important, although we have been known to keep postmaster blocked most of the time and manually unblock it when necessary.

Not that callback email address verification is a good idea in general. But if people are going to implement a non-good idea, I'd like them to do it in a way that doesn't make me grind my teeth in their direction.

(Although every now and then I am tempted to hack something into our mailer configuration to auto-accept every address verification attempt from certain annoying places, like Earthlink and Verizon, no matter whether or not the address actually exists. (If they actually send email, we can refuse it at the DATA phase or something.))

spam/CallbackCheckDont written at 23:22:43; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.