Challenge response system in exim

floyd

I absolutely hate most challenge response systems since most will send back a challenge to faked email addresses. But I was thinking something like that could be implemented in exim so that it was checked at SMTP time and so therefore would not send a challenge to faked email addresses but back to the sending server.

Maybe each user could maintain their own set of whitelisted domains or email addresses. They could export everybody in their contact list to that whitelist and then have all other senders get a returned email that sent them to a form to fill out where they could be whitelisted.

The user could also set up an email account where the senders would not get checked against the whitelist but be automatically accepted which would be used with automated responses like with online purchases or other automatic notifications. Then at least any spam would only come in on that one address.

I also hate it when somebody sends me an email and then I respond to it and then I have to authenticate myself. It seems to me that if somebody wants an answer to their email they should whitelist me before sending me the initial email. Maybe there is a way to automatically whitelist addresses that email is sent to.

It's just a thought. I am sure it can be improved upon and it might also be total garbage too.
 
Write the spec, Floyd.

Then I can either praise it or pick it apart ;) .

Challenge response at SMTP time would look something like this, right:

Your server says helo to my server. It tells me it wants to send an email to [email protected] on my server, from [email protected] on your server.

So my smtp-time challenge-response system sends you an email and tells you to write back if you really exist.

And holds the smtp connection open for how long? An hour? A day? A week? A month?

Just how many thousands of smtp connections do you want to keep open?

I think you get my drift.

Jeff
 
Challenge response systems will get you blacklisted and blocked at Spamcop and all those other RBLs faster than you can imagine. It's not recommended and you implement it.
 
What floyd was getting at was if we did the challenge-response in real time we could avoid sending back messages, and not get blocked. He just didn't consider that we'd have to hold our smtp connections open for a week or two ;) .

Jeff
 
Challenge response systems will get you blacklisted

I know ordinary CR systems will do that. I am talking about sending the challenge back to the server that sent it just like we do now with our blacklisted domains. Blacklisted domains or RBL ip addresses are sent back a message explaining why the email was not delivered. We don't get blacklisted when we do that.
 
I am basically saying that in order for email to get through it has to be on the whitelist_domains or whitelist_senders list. Everything else would get returned. I am not talking about holding the SMTP connection open.

Somebody sends me an email. Exim sees that they are not on the whitelist. Exim bounces the email back to the originating server so the original sender, if they exist, gets the bounced email with further instructions like to go to the web site to get whitelisted. Then they would have to send the email again, a separate SMTP connection. This would be done on a per user basis. A user could choose to use it or not.

Right now exim searches the /etc/virtual/whitelist_senders file. Is there any way to get it to search whitelist files that are in the user's home directory?

It would be great if exim sent back a bounce message and also saved the email somewhere for a period of time until the original sender whitelists themselves or time expires.
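
The per-user check described in this post, sketched as an added example (not part of the original thread and not exim's own code): the decision is made while the sending server is still connected, so a non-whitelisted sender gets a 5xx reply at RCPT time and the receiving side never generates mail to a possibly forged address. The file name `.whitelist_senders`, the home-directory layout and the form URL are assumptions.

```python
import re
from pathlib import Path

# Assumption: per-user file name; the thread only names /etc/virtual/whitelist_senders.
USER_WHITELIST = ".whitelist_senders"
# Placeholder URL for the self-whitelisting form mentioned in the thread.
FORM_URL = "https://example.invalid/whitelist"
# The RCPT local part is chosen by the remote side, so only a strict pattern
# (no slashes, no leading dot) is ever allowed to become part of a file path.
SAFE_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def load_whitelist(path):
    """Return lowercased entries: full addresses or bare domains, one per line."""
    entries = set()
    for line in path.read_text().splitlines():
        line = line.split("#", 1)[0].strip().lower()  # allow trailing comments
        if line:
            entries.add(line)
    return entries


def rcpt_decision(sender, recipient, home_root):
    """Whitelist decision for one RCPT TO; returns (smtp_code, text).

    Whether the recipient exists at all is assumed to be checked elsewhere.
    """
    local_part = recipient.rsplit("@", 1)[0].lower()
    if not SAFE_LOCAL_PART.fullmatch(local_part):
        return 550, "Invalid recipient"
    wl_file = Path(home_root) / local_part / USER_WHITELIST
    if not wl_file.is_file():
        # No file means this user has not opted in: no whitelist check.
        return 250, "Accepted"
    sender = sender.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    allowed = load_whitelist(wl_file)
    if sender in allowed or domain in allowed:
        return 250, "Accepted"
    # A 5xx here leaves the message with the sending server, which reports the
    # failure to its own user; this host never mails the envelope sender.
    return 550, f"Sender not whitelisted for this recipient; see {FORM_URL}"
```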
 
I understand what you mean now. I also know why it's not going to work.

Forwards, form-to-mail scripts, broken servers that don't pass on the messages, people who look at the messages and presume they mean the address doesn't exist.

But you're welcome to try it.

Jeff
 