SourceForge.net

Logged In: YES
user_id=1019020

Greetings,

Issues with Gmail's servers failing to verify sender
address has been resolved, both by whitelisting on our side and
by resolution of the temporary failure on Google's side.

Sender verify callout is a popular and effective anti-spam
feature, included in many SMTP servers. It depends only upon
standard RFC behavior; if the behavior can be used to harvest
email addresses, that's a consequence of the standard,
RFC-defined response to the "RCPT TO" command.

The solution to this problem had nothing to do with Google
degrading its servers' security; Google has in the past
and continues today to answer RCPT TO commands in precisely the
way defined by the RFC and depended upon for sender verify
callouts. The initial problem was caused by a temporary
failure by Google to reply to these callouts appropriately;
what caused their failure is unknown.

Regardless, this issue is now resolved.

SourceForge.net Support

Logged In: YES
user_id=80610

Ok. This is going to be my final comment on this thread
until I hear back from the SF.net staff.

The problem is that SF.net's anti-spam measures are
braindead, amateurish, and downright harmful. In particular
the one that is causing problems here should be disabled
right away. I am sufficiently unhappy about this that I may
actually propose to the other core members that we move off
sourceforge.

Here is the problem:
Sourceforge requires that domains sending email to
sourceforge.net addresses (including lists) allow for
callbacks. These callbacks are harmful for a number of
reasons. First the same mechanism can be trivially used for
address harvesting by spambots. The mechanism is amateurish
because people can use systems like mail2web effectively to
post to the mailing lists under any email address, valid or not.

So here we have a scenario where SF.Net's antispam measures
are ineffective and their ownly suggestion is to ask other
people to degrade the security of their systems. I am sorry
to say this but I am profoundly disappointed with your
service and your response to this problem.

I have accidently spoofed email addresses onto SF.net lists
in the past and I can verify that the same methods continue
to work. So this method is only causing pain for legitimate
users and not actually stopping spam.

Logged In: YES
user_id=80610

Also, despite what others have posted here, my review of the
problem puts the blame *purely* on the shoulders of SF.Net.
Google/Gmail does not appear to be blocking any messages
from Sourceforge, but Sourceforge is blocking all or most
messages from Gmail. The problem is clearly with amateurish
spam control measures that prevent legitimate users such as
me from using the system for my open source projects. This
has been going on for over a week.

THE LEAST YOU FOLKS COULD DO IS HELP ME GET MY EMAIL SERVERS
WORKING WITH YOUR SYSTEM.

I am sorry for yelling but this is becoming amazingly
frustrating.

Logged In: YES
user_id=80610

Despite rumors that this has been solved, I have only been
able to send one email to our lists over the last week (and
that was a couple of days ago).

Note that I don't see how this is a callback issue because
if it was one, I should be having trouble getting list
emails, but instead I am having trouble sending them.

In short, I think it is SF.Net doing the callbacks, and not
the other way around.

Logged In: NO

From: tom@mindcontract.com
1) Call backs are something that I have started seeing recently

2) Its a myth that the calling back server sends an email to
the original spammer.
What it does is an RCPT TO: with the recipient and a MAIL
FROM: with the sender on the original server. If the
original server does not correctly respond OK, it fails.

3) This can be fixed at sourceforge - its likely that their
relaying setting is stopping this validation from occuring.
To see the error simply go to an outside server and do the
requests on port 25 that the call back server is doing.
See what the error is and resolve it. Anyone competent
with the mail configuration system at sourceforge should be
able to resolve this in less than 10 minutes.

Logged In: NO

If GMail is doing "call-backs" to prevent forged senders, it
is their fault. That is not the right way to authenticate
senders on the internet. They should be using SPF to
authenticate the sending server, first. Only if that is
unsuccessful would you want to attempt a "call-back" and
even then, a "call-back" is not generally considered an
acceptable sender authentication mechanism. It is a hack on
SMTP that somebody thought up, but, as illustrated by this
issue, is not compatible with other anti-spam measures used
by some email admins. Sourceforge is using SPF, as shown in
their TXT DNS record below, so GMail should NEVER do a
"call-back" for any sender from that domain.

IT IS GMAIL'S FAULT.

SPF DNS record for "sourceforge.net":
v=spf1 mx a:mail.marblehorse.org a:sshgate.sourceforge.net
a:mx-outbound.sourceforge.net
a:lists-outbound.sourceforge.net
a:sc8-sshgate.sourceforge.net a:smtp.vasoftware.com
a:newcastle.devrandom.net -all

Logged In: YES
user_id=252169

As of about 2-3 hours ago, normal service resumed between my
gmail and SF mailing lists (for project pcgen). Maybe it's
been 'fixed'?

I also noticed that this got on Slashdot, boy you guys are
about to get a ton of 'well meaning' advice and comments,
good luck! ;p

Logged In: YES
user_id=116365

I would say this is Gmail's problem.

Gmail is initiating what are called call-backs. For every
incoming e-mail, they attempt to send a fake e-mail back to
the sender to verify that the sending address actually exists.

The theory is that since spammers forge many names, it will
reject spams that have made up names forged into them.

The end result, however, is that it pushes your spam problem
back on to the domain forged into the spam. It causes an
extra load on that server as it has to accept all these
bogus connections. For another it will just encourage
spammers to forge other people's actual addresses as the
sender of their garbage.

It is encouraging to see that Sourceforge does not support
that. I would give the solution as to either complain to
Gmail that callbacks break they stated goal of "Do no evil".

Barring that, don't use gmail.

Logged In: YES
user_id=821871

The following issues in your bug tracker ALL concern this
problem:

http://sourceforge.net/tracker/index.php?func=detail&aid=1569441&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1569366&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1569326&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1569138&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1569055&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568827&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568600&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568577&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568565&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568458&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568306&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568223&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568118&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1568009&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1567854&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1567803&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1567745&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1567366&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1567120&group_id=1&atid=200001
http://sourceforge.net/tracker/index.php?func=detail&aid=1566582&group_id=1&atid=200001

Logged In: YES
user_id=80610

As the admin or a number of open source projects, it is
important for me to get access to the email lists as quickly
as possible. Can you provide me either an ETA for resolving
this issue or a link to a document which would specify
required DNS settings for servers sending to the list (so I
can get my business's servers talking to the lists again)?

Logged In: YES
user_id=1546419

Greetings,

This is something recent that has changed in how Google handles
email (other sites have started to get the same errors). We
are investigating how to deal with this.

SourceForge.net Support

Logged In: YES
user_id=80610

Text of the error:

Technical details of temporary failure:
TEMP_FAILURE: SMTP Error (state 9): 451-Could not complete
sender verify callout
451-Could not complete sender verify callout for
<chris.travers@gmail.com>.
451-The mail server(s) for the domain may be temporarily
unreachable, or
451-they may be permanently unreachable from this server. In
the latter case,
451-you need to change the address or create an MX record
for its domain
451-if it is supposed to be generally accessible from the
Internet.
451 Talk to your mail administrator for details.