[Gllug] Hotmail's new "Caller ID for email" ... what is this?
David Damerell
damerell at chiark.greenend.org.uk
Wed Feb 25 14:42:07 UTC 2004
On Wednesday, 25 Feb 2004, Richard Jones wrote:
>To answer my own question ... the following article is a bit more
>clueful:
>http://www.eweek.com/article2/0,4149,1537921,00.asp
"One difference between the schemes is that with Caller ID the entire
message is read, allowing the comparison to the valid sender addresses
to be performed against the full header information. This could allow
for a better analysis, and opens up the possibility that a modified
e-mail client could be involved in the decision-making."
This is a terrible idea right away. It's much better to reject
messages at SMTP transaction time, because then a legitimate sender
who has some problem with their configuration is almost guaranteed to
find out that their message was rejected, and can correct matters. If
a message with a bogus Return-Path: is accepted and bounced later, you
get a bounced bounce and the sender never finds out.
[I'm assuming that Microsoft's scheme does not reject after DATA but
still during SMTP, since "the possibility that a modified e-mail
client could be involved in the decision-making" implies not.]
The article neglects to mention the thing common to all
authorised-sender schemes; it will be essentially forever until
everyone publishes this data, and so for the foreseeable future the
best result one will get is that if you publish this data you'll get
less woe from being joe-jobbed, and if you check it where it does
exist you won't get some joe-job spam; it will not be practical to
reject mail where this data does not exist for many years. The best
one could do is use the lack of it as a negative point in a
SpamAssassin-style scoring system.
--
David Damerell <damerell at chiark.greenend.org.uk> Kill the tomato!
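The policy argued for above, as an added example that is not part of the original post: reject at SMTP time (before the message is accepted) only when published authorised-sender data exists and the connecting client fails it, and treat missing data as a small scoring penalty rather than a rejection. The in-memory table standing in for published records, the network ranges and the score weights are constructed for illustration; no DNS is queried.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: domain -> networks authorised to send for it.
# In a real deployment this would come from data the domain owner publishes.
AUTHORISED_SENDERS = {
    "example.org": ["192.0.2.0/24"],
    "example.net": ["198.51.100.10/32"],
}


@dataclass
class Decision:
    smtp_code: int      # 250 = accept; 550 = permanent reject during the SMTP transaction
    score_delta: float  # contribution to a SpamAssassin-style score (assumed weights)
    reason: str


def return_path_domain(return_path: str) -> str:
    """"<user@example.org>" -> "example.org"; the null sender "<>" -> ""."""
    addr = return_path.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender(return_path: str, client_ip: str, table=AUTHORISED_SENDERS) -> Decision:
    """Decide at MAIL FROM time, so a misconfigured legitimate sender sees the
    550 itself instead of a later bounce that may itself bounce."""
    domain = return_path_domain(return_path)
    if not domain:
        # Null sender (a bounce): nothing to compare, no penalty either.
        return Decision(250, 0.0, "null sender")
    nets = table.get(domain)
    if nets is None:
        # No published data: not a reject, only a mild negative in scoring,
        # because most domains will not publish such data for a long time.
        return Decision(250, 0.5, "no authorised-sender data published")
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return Decision(250, -0.1, "client authorised for domain")
    # Data exists and the client is not listed: reject now, during SMTP.
    return Decision(550, 0.0, f"{client_ip} not authorised to send for {domain}")
```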
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug