
SourceForge.net

Tracker: Support Requests

5 Sender verification leads to blacklisting - ID: 1774355
Last Update: Comment added ( burley )

Dear sourceforge mailing list experts,

It seems that sourceforge mailing lists are configured to verify that
messages sent to the lists come from a valid email address by doing
"callout verification", i.e. they start an SMTP connection and issue a RCPT
TO command, and see if they get an error.

I don't have a strong opinion about whether this is inherently a good thing
or not, but other people do, and servers that do it will get onto spam
blacklists. In particular, it seems that sourceforge has got listed at
backscatterer.org, which is causing me pain. I have started filtering
using backscatterer recently because of the enormous amounts of
otherwise-hard-to-filter backscatter spam that I now get.

You might want to re-evaluate whether doing this verification is, on
balance, the best choice. On one hand, doing it means that you'll get on
spam blacklists and some subscribers will be unable to post or receive
messages. Some of those subscribers will be able to adjust their filter
policies to cope, but others will be powerless to change a corporate
policy. On the other hand, you presumably feel that this verification will
reduce spam volumes on the lists.

Furthermore, remember that you have done a more explicit form of address
verification when a user subscribes to a list. Having done that
verification, is the callout verification at posting really necessary?

It would certainly make my life easier if you disabled it. If you can't
disable it, I think I'll need a white-list of IP addresses that you mail
from.


Regards, Phil Endecott.


Phil Endecott ( endecotp ) - 2007-08-14 22:14

5

Closed

None

David Burley

Project Mailing Lists/Archives/Services

None

Public
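
The callout check described in the post, with the response caching and the refused-probe case that come up in the comments, as an added example that is not SourceForge's code. The domains, reply codes, cache lifetime and the use of an empty MAIL FROM for the probe are assumptions, and the SMTP exchange is simulated in-process so it runs offline.

```python
import time

# Constructed sender-side mail servers (not from the thread): each takes the
# probe's MAIL FROM and RCPT TO and returns an SMTP reply code.
SENDER_MX = {
    "good.example":   lambda mail_from, rcpt: 250,   # mailbox exists
    "forged.example": lambda mail_from, rcpt: 550,   # no such mailbox
    "busy.example":   lambda mail_from, rcpt: 451,   # temporary failure
    # Legitimate site whose policy refuses null-sender probes.
    "strict.example": lambda mail_from, rcpt: 554 if mail_from == "" else 250,
}

class CalloutVerifier:
    """List-server side: probe the sender's MX and cache the verdict."""

    def __init__(self, ttl=3600, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.cache = {}    # address -> (verdict, expiry time)
        self.probes = 0    # outbound SMTP probes actually made

    def verify(self, address):
        cached = self.cache.get(address)
        if cached and cached[1] > self.clock():
            return cached[0]
        mx = SENDER_MX[address.rsplit("@", 1)[1]]
        self.probes += 1
        code = mx("", address)    # MAIL FROM:<> then RCPT TO:<address>
        if 200 <= code < 300:
            verdict = "accept"
        elif 400 <= code < 500:
            return "defer"        # transient: retry later, do not cache
        else:
            verdict = "reject"
        self.cache[address] = (verdict, self.clock() + self.ttl)
        return verdict

def run_demo():
    v = CalloutVerifier()
    senders = ["alice@good.example", "x@forged.example",
               "user@strict.example", "bob@busy.example"]
    results = {s: v.verify(s) for s in senders}
    for s in senders:             # a second post from each sender
        v.verify(s)
    return results, v.probes
```

The real user at `strict.example` gets the same verdict as the forged address, and only the deferred sender is probed a second time.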


Comments ( 5 )

Date: 2007-08-22 14:06
Sender: burley (SourceForge.net Subscriber, SourceForge.net Site Admin)


Greetings,

Not all MLs require subscription to post, that is configured by the
project administrators, so it cannot be guaranteed.

Thank you,

David Burley
Quality of Service Analyst, SourceForge.net


Date: 2007-08-21 21:06
Sender: endecotp


> As for already having verified the sender, we
> actually haven't. The mail system is mostly independent of the website, a
> user account isn't required to post or subscribe to a mailing list and
> there isn't much if any glue tying them together. So, that isn't a valid
> method since we don't want to require a user account for their use.

I'm not referring to the verification that you do when someone gets a
sourceforge account. Anyone who subscribes to a mailing list by completing
a form like https://lists.sourceforge.net/lists/listinfo/mod-auth-users
will be verified by receiving a challenge email at that time. This is the
verification that I'm referring to, and as far as I'm aware it applies to
all subscribers.

Regards,

Phil.




Date: 2007-08-21 20:11
Sender: burley (SourceForge.net Subscriber, SourceForge.net Site Admin)


Greetings,

This is one method we have and will be continuing to use to block spam for
the time being. Is it controversial? Depends on who you ask, but that's
true of just about anything. As for already having verified the sender, we
actually haven't. The mail system is mostly independent of the website, a
user account isn't required to post or subscribe to a mailing list and
there isn't much if any glue tying them together. So, that isn't a valid
method since we don't want to require a user account for their use.

Thank you,

David Burley
Quality of Service Analyst, SourceForge.net


Date: 2007-08-20 15:19
Sender: endecotp


Hi David,

Thanks for the reply. Just a couple of quick points:

> we verify that the sender is valid, and their mail server properly
> configured, before forwarding the mails

Well, you _try_ to verify that the sender is valid. Do you know how
many times this fails because the sender's mail server is configured to
reject these verification attempts? You may be assuming that these are
spambots when they are in fact legitimate users (like me).

You haven't addressed my comment that you have already verified that the
address works in a non-controversial way during the subscription process.

FYI, I have not seen this sort of address verification from any other
mailing list servers in the open-source world, and I'm subscribed to many
of them (and they don't seem to suffer much spam).


Regards, Phil.



Date: 2007-08-20 15:08
Sender: burley (SourceForge.net Subscriber, SourceForge.net Site Admin)


Greetings,

This is a required step in combatting spam. Lots of spammers do things
incorrectly, so we verify that the sender is valid, and their mail server
properly configured, before forwarding the mails. We cache responses to not
overwhelm the other mail servers and do so in a responsible manner.

However, folks across the Internet haven't found a good way to handle
mail, and until there is a solution for it that works, these sorts of
issues will continue to arise. If you want to whitelist our range, I
recommend you whitelist 66.35.250.1/24. Do note that our mail servers may
change IPs in the future, so this is not a permanent solution.

Thank you,

David Burley
Quality of Service Analyst, SourceForge.net
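
One way a receiving filter could apply the range given in the reply above before consulting a DNS blacklist, as an added example that is not part of the thread. The zone name `dnsbl.example`, the sample addresses and the injected lookup function are assumptions made so the check runs offline; it handles IPv4 only.

```python
import ipaddress

# Range exactly as written in the reply; it has host bits set (.1 in a /24).
ALLOWED_RANGES = ["66.35.250.1/24"]
DNSBL_ZONE = "dnsbl.example"    # hypothetical zone name, not a real list

def load_allowlist(entries):
    # strict=False normalises 66.35.250.1/24 to 66.35.250.0/24; the default
    # strict=True raises ValueError for this input.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    # IPv4 DNSBL convention: reversed octets prepended to the zone.
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def reject_by_dnsbl(ip, allowlist, is_listed):
    """True if the connecting IP should be refused.

    is_listed is the DNS lookup, injected so the example runs offline."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allowlist):
        return False              # allowlisted: skip the DNSBL entirely
    return is_listed(dnsbl_query_name(ip))

# Constructed DNSBL contents for the demonstration.
FAKE_LISTED = {"206.250.35.66.dnsbl.example", "9.113.0.203.dnsbl.example"}

def demo():
    allow = load_allowlist(ALLOWED_RANGES)
    lookup = FAKE_LISTED.__contains__
    return [reject_by_dnsbl(ip, allow, lookup)
            for ip in ("66.35.250.206", "203.0.113.9", "198.51.100.7")]
```

Because the reply warns that the mail servers may change IPs, the allowlist entry needs periodic review rather than being treated as permanent.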



Changes ( 11 )

Field        Old Value         Date              By
close_date   -                 2007-08-22 14:06  burley
status_id    Open              2007-08-22 14:06  burley
status_id    Closed            2007-08-21 21:06  endecotp
close_date   2007-08-21 20:11  2007-08-21 21:06  endecotp
status_id    Open              2007-08-21 20:11  burley
close_date   -                 2007-08-21 20:11  burley
close_date   2007-08-20 15:08  2007-08-20 15:19  endecotp
status_id    Closed            2007-08-20 15:19  endecotp
assigned_to  nobody            2007-08-20 15:08  burley
close_date   -                 2007-08-20 15:08  burley
status_id    Open              2007-08-20 15:08  burley