Why Sender Address Verification Sucks

I’m almost radically anti-spam. Not only is it annoying, but most spam is now sent by (tech) gangs that have either hacked computers or written viruses. Probably 99% of spam is sent by illegal, fraudulent means. There are lots and lots of ways to prevent spam. But this is about one way of preventing spam that seems to work deceptively well, but that’s actually a horribly, horribly flawed system. It’s called Sender Address Verification.

The basic premise is simple: you e-mail me. I’ve never received e-mail from you, so a script will automatically e-mail you and ask you to click a link or reply with a unique string to “confirm” that your e-mail address works. Once you do that, you’re whitelisted forever. Voilà, kills spam dead! There are many providers offering this service, too. Because I so abhor them, I won’t link to them.

So why is this such an awful system? Let me count the ways!

  1. It doesn’t prevent spam, it prevents automated mail. There’s a difference. My company sends out tens of thousands of e-mails a day, but they’re all to people who have requested notification of things. Some sites make me jump through hoops to opt-in, but I like getting e-mails when, for example, someone replies to a forum posting of mine. And if you’re thinking this isn’t so bad (perhaps more annoying than spam is pseudo-spam, the mail from legitimate organizations that you really don’t want to receive mail from), read on.
  2. Ever had to reset your password on a website? Ever ordered online and requested shipping confirmation? Those are all e-mails sent by a computer. SAV does a good job of keeping them out of your inbox. (SAV advocates would argue that you could manually whitelist them. Yes, if you knew what address they would e-mail you from. But I’d contend that most people don’t bother, or don’t know that they have to do this.)
  3. It’s obnoxiously annoying to legitimate users. If I e-mail you, I don’t want to have to go to a website and fill out a form to do so. This is me being a cranky old curmudgeon, really, but there’s something to be said for not inconveniencing your friends when they want to e-mail you.
  4. More than anything, it makes the spam problem worse. The majority of spam comes from spoofed addresses belonging to legitimate accounts. (SPF is meant to make it harder to spoof mail from a legitimate domain.) The practice of spammers using forged addresses has led to an important principle in e-mail: if you’re going to refuse mail, you need to do it during the SMTP transaction. You cannot “accept” mail and then have your mailserver generate a bounce and send it back. This might not seem to matter to most people, but it’s actually a very important principle. If I send you mail from a forged address and you refuse it during the SMTP transaction, the “real” sender will get the bounce. If you accept the mail and then send a bounce, you’re trusting the From: header. In 99% of spam, it’s forged. So what does this mean?
  5. If you use Sender Address Verification, you are sending a verification request e-mail to every spammer’s forged address, which either ends up in an innocent non-spammer’s mailbox, or which will in turn bounce back to you if it doesn’t exist. (But you won’t get the bounce, because they’re not on your accepted list… Fortunately mailservers are good at preventing infinite loops.)
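To make points 4 and 5 concrete, here is a small added simulation (my own illustration, not code from the original post) of three receiving-side policies fed the same traffic: refusing during the SMTP transaction, accepting and then bouncing, and Sender Address Verification. All addresses, sample messages, the whitelist and the toy “looks like spam” rule are constructed assumptions. The interesting number is how much mail each policy sends to a forged return path, i.e. to an innocent third party.

```python
# Added illustration (not code from the original post): a toy model of three
# receiving-side policies and the mail each one sends to forged return paths.
# Addresses, sample messages and the filter rule are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str      # SMTP MAIL FROM (return path); bounces and challenges go here
    rcpt_to: str            # SMTP RCPT TO
    body: str
    forged: bool = False    # constructed ground truth: envelope_from is not the real sender


@dataclass
class Outcome:
    delivered: list = field(default_factory=list)   # reached the mailbox
    smtp_rejected: int = 0                          # refused with a 5xx inside the transaction
    generated: list = field(default_factory=list)   # new messages the receiver itself created


def looks_like_spam(msg: Message) -> bool:
    """Stand-in content filter: whatever rule makes the receiver refuse mail."""
    return "buy now" in msg.body.lower()


def reject_during_smtp(inbound):
    """Refuse unwanted mail with a 5xx reply before accepting DATA.

    The connecting MTA owns the failure, so nothing is ever sent to the
    (possibly forged) return path; no new mail is generated at all.
    """
    out = Outcome()
    for m in inbound:
        if looks_like_spam(m):
            out.smtp_rejected += 1
        else:
            out.delivered.append(m)
    return out


def accept_then_bounce(inbound):
    """Accept everything with 250 OK, filter afterwards, and mail a bounce.

    The bounce is addressed to MAIL FROM, which spam routinely forges, so it
    lands on an uninvolved third party.
    """
    out = Outcome()
    for m in inbound:
        if looks_like_spam(m):
            out.generated.append(Message("", m.envelope_from,
                                         "Undelivered: your message was rejected"))
        else:
            out.delivered.append(m)
    return out


def sender_address_verification(inbound, whitelist):
    """Deliver whitelisted senders; challenge every other return path.

    Structurally the same flaw as accept-then-bounce: a challenge is mail
    sent to an unverified return path, so forged senders receive it too, and
    automated notifications that cannot answer the challenge never arrive.
    """
    out = Outcome()
    for m in inbound:
        if m.envelope_from in whitelist:
            out.delivered.append(m)
        else:
            out.generated.append(Message("sav-bot@example.net", m.envelope_from,
                                         "Please confirm that you sent this message"))
    return out


def backscatter(inbound, outcome):
    """Receiver-generated messages addressed to a forged return path."""
    forged = {m.envelope_from for m in inbound if m.forged}
    return [g for g in outcome.generated if g.rcpt_to in forged]


# Constructed sample traffic: a friend, an automated shipping notice, and three
# spams whose MAIL FROM is forged to point at an innocent stranger.
SAMPLE = [
    Message("friend@example.org", "me@example.net", "Lunch tomorrow?"),
    Message("noreply@shop.example", "me@example.net", "Your order has shipped"),
    Message("victim@example.com", "me@example.net", "BUY NOW cheap pills", forged=True),
    Message("victim@example.com", "me@example.net", "Buy now!!!", forged=True),
    Message("victim@example.com", "me@example.net", "buy now, limited offer", forged=True),
]


def summarize(name, inbound, outcome):
    return {"policy": name, "delivered": len(outcome.delivered),
            "rejected_in_smtp": outcome.smtp_rejected,
            "backscatter_to_forged": len(backscatter(inbound, outcome))}


if __name__ == "__main__":
    print(summarize("reject during SMTP", SAMPLE, reject_during_smtp(SAMPLE)))
    print(summarize("accept then bounce", SAMPLE, accept_then_bounce(SAMPLE)))
    print(summarize("SAV, empty whitelist", SAMPLE, sender_address_verification(SAMPLE, set())))
```

With the sample traffic, SMTP-time rejection generates no mail to the forged address, while both accept-then-bounce and SAV send one message per spam to the stranger whose address was forged. SAV additionally withholds the shipping notice, because nothing at the other end will ever answer the challenge.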

The problem with all of this is that this horribly, horribly flawed system will appear to work really well for the end user. They have no idea that they’re missing out on legitimate mail, nor that they’re making the massive amounts of fallout from forged e-mail even worse.

So instead, I turn to my soapbox. If you or a loved one uses Sender Address Verification, call now. Err, stop using it. And more importantly, I urge you to join me in refusing to ever complete a Sender Address Verification procedure.

2 thoughts on “Why Sender Address Verification Sucks”

  1. I completely agree with you. I think this sort of thing is useful for people who don’t so much by email. I understand that some people go hours or even days without checking email BTW. The people I have seen use SAV seem to often fit in that group.

  2. Pingback: Matt’s Blog » Blog Archive » The trouble with SPF
