Backscatter by Sender Callouts (Sender Verify / SAV) - Why it is abusive
This is for all persons who think SENDER CALLOUTS are viable. We will explain why we consider sender callouts abusive.
RFC821 and all following which obsoleted it meanwhile knows the command VRFY for testing an emailaddress exists.
Don't get fooled by those members of the Marc Perkel Brigade, which are defending SAV aka SENDER CALLOUTS aka SENDER VERIFY like it would be their properties.
Due to spammers were abusing the VRFY command for dictionary attacks, most Administrators have chosen to disable the good old VRFY command and that has lead to VRFY is almost always not
usable anymore nowadays.
Anyway this gives clear proof that most Administrators do not want others to test emailaddresses for existence at their systems.
You must therfore assume that if a system has the VRFY command disabled, then it is their policy to not allow testing for emailaddresses.
Unfortunatley there are always some people that wrongly believe rules would be valid for the others only.
Those came up with a really bad idea: Circumventing a "VRFY not allowed" policy by testing if emailaddresses exist at RCPT TO Level.
The very first people that did so were - no wonder - spammers that tried dictionary attacks that way.
One should believe that programmers of popular MTA's have read RFC 1087 (Ethics and the Internet) and that they would have enough ethics to not implement such abusive invetions made by spammers, not even as optional features, but some did it anyway.
At least the programmers of Postfix and Exim did implement those bad idea which is known as SAV aka SENDER VERIFY aka SENDER CALLOUTS, but did not enable it by default.
The fact that a stupid feature exists in a software doesn't mean you have to use it, and the fact that others are using such features doesn't make you less abusive if you enable SAV aka SENDER VERIFY
aka SENDER CALLOUTS.
You are in any way an abuser if you connect to any system that has VRFY disabled and you try to break or circumvent that "emailaddresses testing not allowed" policy by going up to RCPT TO
for testing an email address exists.
Those guys are just lamers, unable to build a working spam defense without abusing other systems with their callouts.
Here are more facts about Sender Callouts aka Sender Verify aka SAV or whatever you or your software vendor is calling that kind of abuse:
1.It is a try to break a systems "no testing allowed policy" and therfore abusive.
If you will ever manage to end up on a blacklist (not just ourlists) the SAV call will fail and your system will assume the sender of a legit email to you does not exist because that system
rejected your SAV call.
We and our users are defending our systems against that kind of abuse and that means by doing sender callouts you will have good chances to end up in our blacklist and you deserve it.
Possibly you have heard that there is no right to have your emails delivered. You have to deal with the recipient's rules, if you want to get the privilege that your emails are accepted.
2.It is a selfish and broken technique abusing other systems intended to prevent yourself get spoofed emails.
As soon as you use such nonsense, any spammer out there is able to cause your computer system to be part of a DDOS [distributed denial of service attack] against other computer systems.
If some idiot was to fake the “From” in a spam to be [email protected] [an email address on your server] and send about 30 million spam emails out like that, what do you think will happen?
Your server will have to deal with millions of SAV abusers where each of them is just trying to test ONE single emailaddress at your system.
Those defending SAV are mostly unwillig to see that the resulting problem is not that one connection they do to "SAV" an emailaddress, they can't imagine that spammers did just try to send the spam
to millions of others too and the other SAV abusers will try to verify the same emailaddress which you are just now trying to "verify" within a short timeframe, which can easy lead to a DDOS against
the poor victim of a forgery.
We don't think you will find it so cool when you get e.g. 200,000 connection attempts per minute from other abusive servers worldwide, which are "ONLY" probing your emailaddress to see if
it is deliverable or not ...
This is the logic behind our reasoning, and to us there is no difference between spammers making a dictionary attack against us or computer systems that are "only" probing our spamtraps
There is no logical reason why we should spend additional resources for distinguishing between the two, we know that it will be nothing we want to have.
3.Persons using it have no clue that the technique behind SAV is really broken by design and you are always at a high risk to reject mails you want and not just spam.
The maximum that your system can test with such an abusive SAV call is whether an emailaddress would accept email from you at the time of connection, after which the answer is out-dated.
It is NOT an indicator that an email address exists and it is also NOT an indicator the person really sent you anything - It could still be a fake from somewhere else ...
It is not even necessary to get blacklisted to reject emails you want with a stupid thing as SAV. It is enough that a system which you want mail from is refusing mail from you to break SAV.
Let's assume you want to buy a software from a website. It is possible that the email which conatins your keyfile is send from an emailaddress that doesn't accept mail itself.
SAV will of course reject such an email. The same can happen to you or your users with newsletters you or your users want ...
Last not least there are systems activley sabotaging your SAV calls by always claiming deliverable at RCPT TO and rejecting after DATA instead.
If you get in touch with such systems then you will accept a forged (mostly spammy) email because your stupid SAV got dared...
There are much more reasons why it is way stupid to use SAV but we believe that latest at this point you should have got enough clue to not/no longer use SAV
If not then you really deserve all consequences that might have and in fact you will mostly not even get aware of that unless you have no other hobbies that reading logfiles for many hours per
day or getting complaints...