Callback verification

Callback verification, also known as callout verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope (the address specified during the SMTP dialogue as "MAIL FROM"). It is mostly used as an anti-spam measure.

Purpose

Since a large percentage of e-mail spam has forged sender ("from") addresses, some spam can be detected by checking that the sender address is valid using this method.

Another context where callbacks can be used is the communication between different mail servers - for example, a secondary mail exchanger can verify recipients at the primary mail exchanger for the domain in order to decide whether the address is deliverable.

Process

A mail server can try to verify an address by making an SMTP connection back to the mail exchanger for it (found via the usual MX records), pretending to be creating a bounce, but stopping just before any e-mail is sent. The commands sent out are:

HELO
MAIL FROM:<>
RCPT TO:<address being verified>
QUIT

Equivalently, the MAIL FROM and RCPT TO commands can be replaced by the VRFY command. However, support for VRFY is not required, and it is usually disabled in modern MTAs.

Both of these techniques are technically compliant with the relevant SMTP RFCs (RFC 2821).

Drawbacks

SMTP callbacks can have several drawbacks:
* Some regular mail exchangers do not give useful results to callbacks:
** Servers that reject all bounce mails (contrary to the RFCs). This problem can be alleviated by using the local postmaster address in the MAIL FROM part of the callout. This, however, will fail if Bounce Address Tag Validation is used to reduce backscatter.
** Servers that accept at RCPT stage but reject at DATA stage.
** Servers that accept all mails during the SMTP dialogue (and generate their own bounces later). This problem can be alleviated by testing a random non-existent address as well as the desired address (if the test succeeds, further verification is useless).
* The callback process can cause delays in delivery because the mail server where an address is verified may use slow anti-spam techniques, including "greet delays" (causing a connection delay) and greylisting (causing a verification deferral).
* Some e-mail may be legitimate but not have a valid "envelope from" address due to user error or just misconfiguration. The positive aspect is that the verification process will usually cause an outright rejection, so if the sender was not a spammer but a real user, they will be notified of the problem.
* If a server receives a lot of spam, it will do a lot of callbacks and if those addresses are invalid, the server will look very similar to a spammer who is doing a dictionary attack to harvest addresses. This in turn might get the server blacklisted elsewhere.
* If a spammer abuses the same sender address and uses it at a sufficiently diverse set of receiving MXs, all of which use this method, they might all try the callback, overloading the MX for the forged address with requests (effectively a distributed Denial of Service attack).

Several of the above problems are alleviated by caching of verification results, which reduces the amount of duplicate callbacks.

There are also two essential problems with callbacks:
* spending other people's resources to implement an anti-spam measure, which some may consider to be abusive
* as spammers move to real addresses instead of forged ones, the measure becomes ineffective

Hosts which employ callback verification can get added to DNSBLs that track such matters (see the [http://www.backscatterer.org Backscatterer.org Blocklist]).

Common mistakes in implementations

* Some implementations treat a 4xx (temporary) SMTP reply like a 5xx (permanent) one. This is clearly wrong: a 4xx reply should defer the verification for a later retry, and only a 5xx reply should count as a failure.
* Some implementations cache per host, e.g. they get a sender verify callout failure for address@domain.test and then list the entire *@domain.test as bad.
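The dialogue from the Process section and the two mistakes above, worked through in an added Python example that is not part of the original article. The remote MX is a constructed in-memory stand-in (no DNS or network), the `callout` function is hypothetical rather than any MTA's own code, and it also applies the random-address probe from the Drawbacks section to detect servers that accept every recipient.

```python
import secrets


def make_fake_mx(known, catch_all=False):
    """Constructed stand-in for the remote MX (no network involved): returns the
    reply a server would give to each command. Only RCPT TO depends on the address."""
    def respond(command):
        if command.upper().startswith("RCPT TO:"):
            addr = command.split(":", 1)[1].strip().strip("<>")
            if catch_all or addr in known:
                return "250 2.1.5 OK"
            return "550 5.1.1 No such user"
        return "221 2.0.0 Bye" if command.upper() == "QUIT" else "250 2.0.0 OK"
    return respond


def callout(address, respond, cache, helo_name="mx.example.invalid"):
    """Run HELO / MAIL FROM:<> / RCPT TO / QUIT against `respond` and classify
    `address` as 'valid', 'invalid', 'defer' (retry later) or 'unknown'."""
    if address in cache:                   # keyed by the full address, never by domain
        return cache[address]
    domain = address.rsplit("@", 1)[1]
    # Random local part the domain cannot plausibly have: if it is accepted,
    # the server accepts everything and a 250 for the real address proves nothing.
    probe = f"cbv-probe-{secrets.token_hex(6)}@{domain}"
    dialogue = (("HELO", f"HELO {helo_name}"), ("MAIL", "MAIL FROM:<>"),
                ("RCPT", f"RCPT TO:<{address}>"), ("PROBE", f"RCPT TO:<{probe}>"))
    verdict = "unknown"
    for stage, cmd in dialogue:
        reply = respond(cmd)
        if reply.startswith("4"):          # temporary: a retry, not a failure
            verdict = "defer"
            break
        if reply.startswith("5"):
            if stage == "RCPT":
                verdict = "invalid"
            elif stage == "PROBE":         # real address accepted, random one refused
                verdict = "valid"
            break                          # HELO or MAIL FROM:<> refused: no verdict
    respond("QUIT")                        # stop before DATA: no message is ever sent
    if verdict in ("valid", "invalid"):    # cache only definitive, per-address answers
        cache[address] = verdict
    return verdict
```

A server that rejects the null sender (MAIL FROM:<>) with a 5xx yields "unknown" rather than "invalid", since the address itself was never tested.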

Wikimedia Foundation. 2010.