
Challenge-Response System: Soft bounce messages disabled

Posted: 20 Jun 2013, 19:35
by Admin
I just disabled the automatic notification of challenge response system messages.
It means that if a message is in the queue, normally after 7 days the sender gets a message that the email has not been accepted.
Or if someone clicks on accept, the sender gets an email that the email has been accepted.

I had to disable these automatic emails because many of the incoming emails were sent from spammers with forged email addresses (faked FROM header), so sometimes people wrongly got automatic emails, or even honeypots did, which ended with TrashMail being blacklisted on RBLs.

Re: Challenge-Response System: Soft bounce messages disabled

Posted: 20 Jun 2013, 21:21
by Saxtus
Totally understandable, but I guess there is nothing that can be done to the first email that is sent to the faked FROM sender, asking him to verify, so there is still the danger.
Is there a way to not send the email at all if you can't validate that the FROM address is legit?

Re: Challenge-Response System: Soft bounce messages disabled

Posted: 21 Jun 2013, 07:51
by Z
Well, if people would simply use SPF & DKIM it would help a lot in preventing fakes. But because they're not, there's much that can be done.

Re: Challenge-Response System: Soft bounce messages disabled

Posted: 21 Jun 2013, 08:08
by Admin
Saxtus wrote:
> Totally understandable, but I guess there is nothing that can be done to the first email that is sent to the faked FROM sender, asking him to verify, so there is still the danger.
> Is there a way to not send the email at all if you can't validate that the FROM address is legit?

Yes, there is still a danger. I'm currently rewriting the backend so that this soft bounce will be replaced by a direct SMTP error:
So these people will get a 550 error message, inside which will be written the link to the page where they need to confirm the CAPTCHA code, instead of soft bouncing it.
Additionally, TrashMail will then become transaction safe, as you will only get SMTP code 250 if the mail has really been processed and forwarded.
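
The difference between the two designs described in the post above, as an added sketch that is not part of the original post and not TrashMail's code. The `Gateway` class, the placeholder challenge URL, the sample addresses and the 451 reply on a failed forward are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Placeholder URL, not TrashMail's real endpoint.
CHALLENGE_URL = "https://challenge.example.invalid/confirm?id={token}"

@dataclass
class Gateway:
    approved: set                                  # senders that already passed the CAPTCHA
    outbound: list = field(default_factory=list)   # mail the gateway itself originates
    forwarded: list = field(default_factory=list)  # mail handed to the real mailbox

    def forward(self, sender, rcpt):
        """Stand-in for delivery; constructed rule: *@down.example fails."""
        if rcpt.endswith("@down.example"):
            return False
        self.forwarded.append((sender, rcpt))
        return True

    def soft_bounce(self, sender, rcpt, token):
        """Old design: accept with 250, then mail the challenge to the claimed sender."""
        if sender not in self.approved:
            # A forged sender means this mail reaches an uninvolved person or a spam trap.
            self.outbound.append((sender, CHALLENGE_URL.format(token=token)))
            return 250, "queued pending challenge"
        return self._deliver(sender, rcpt)

    def smtp_reject(self, sender, rcpt, token):
        """New design: reply 550 inside the session; the gateway originates no mail."""
        if sender not in self.approved:
            return 550, "Confirm at " + CHALLENGE_URL.format(token=token)
        return self._deliver(sender, rcpt)

    def _deliver(self, sender, rcpt):
        # 250 only once forwarding succeeded; the 451 on failure is an assumption.
        if self.forward(sender, rcpt):
            return 250, "forwarded"
        return 451, "temporary failure, try again later"

# Constructed traffic: (claimed sender, recipient).
SAMPLE = [("alice@known.example", "user@trashmail.example"),
          ("victim@forged.example", "user@trashmail.example"),
          ("alice@known.example", "user@down.example")]

def run(design):
    gw = Gateway(approved={"alice@known.example"})
    handler = getattr(gw, design)
    codes = [handler(s, r, token=f"t{i}")[0] for i, (s, r) in enumerate(SAMPLE)]
    return codes, gw.outbound, gw.forwarded

if __name__ == "__main__":
    for design in ("soft_bounce", "smtp_reject"):
        print(design, run(design))
```

With the 550 reply, any non-delivery report is the responsibility of the server that connected, so the gateway never sends mail to an address it could not verify.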

Re: Challenge-Response System: Soft bounce messages disabled

Posted: 21 Jun 2013, 08:08
by Admin
Z wrote:
> Well, if people would simply use SPF & DKIM it would help a lot in preventing fakes. But because they're not, there's much that can be done.

Yeah, but inside the mail (the mail message, not the envelope) the FROM header could still be forged.

Re: Challenge-Response System: Soft bounce messages disabled

Posted: 21 Jun 2013, 08:33
by Z
Admin wrote:
> Yeah, but inside the mail (the mail message, not the envelope) the FROM header could still be forged.

Yes, but from headers you can see real information. And if a message is fake, it won't get delivered anyway. So only legitimate sources could still send fake messages and 99% of "random botnet sources" are immediately dropped, which are the most common source of spam.