Bounce verification has achilles heel
I found this post via Email spam/Topix:
IronPort Wants To Give Bounce Spam The Boot
In short, IronPort wants to outfit their mailserver appliances with technology to sign outgoing mail, so that when a bounce is sent to it, they’ll know if it originated from their server.
The problem with that, is when an IronPort appliance is used for an environment where some customers are on other ISP’s. It’s customary for an “outside” customer to use the outgoing mail server belonging to his ISP, even though incoming mail is going through a business mail server where his business domain is residing.
In order for IronPort’s technology to work, all outgoing mail needs to go through that server, no matter where the sender is. Otherwise, guess what? No bounces, if you sent through an outside mailserver!
The solution is trivial, but enforcing it may not be:
Use an authenticating outgoing mail server, often used on other ports than SMTP. Just a question: How does that affect e-mail clients on cell phones?
August 12th, 2006 at 9:52 am
There are other flaws in this system, such as not working with anything that checks the MAIL FROM value against a list. Examples include whitelists, mailing lists (ezmlm for example), and sender verification.
August 19th, 2006 at 7:57 am
There are other good reasons why it’s a Good Thing to enforce the submission MTA. For example, SPF/SIDF — domain owners should make their SPF record as narrow as possible. Also a good idea to ensure users are submitting over a TLS-encrypted channel.