The recent column by brother Backspin about the mechanics of source verification for dealing with spam generated a lot of feedback, which fell to us in the Gearhead secret lab bunker to tackle. First, reader Jason Short wrote to point out, "You state that the average spam message is 30K bytes in size! As someone who is actively writing a spam filtration system and has collected over 2.2 million spam messages for training and testing our system, that number is way high. The average in our database of 2.2 million messages is 3.1K bytes. The average legitimate e-mail is 25.3K bytes."
Hmm. Good points. Let's see: going to the spreadsheet that Backspin offered in "Running the numbers on source verification" and reworking it for the different message sizes while keeping everything else the same, the bandwidth overhead of using source verification increases from 9% to 30% (download the revised spreadsheet). That is a significant increase, but as it amounts to only 0.04% of the cost of staff productivity, the cost is still trivial.
Short also points out that a significant number of spammers fake the "from:" address, which could result in source verification challenges going to real but incorrect addresses. OK, but a decent source verification implementation would check the routing in the header of the received message to eliminate forged source addresses.
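One way such a routing check could look, as an added example that is not from the column or from any particular source verification product: it sends a challenge only when the domain in "From:" matches the host that actually connected to our server. It assumes Postfix-style `Received:` lines and a naive two-label domain comparison; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix-style hop (assumption): "from HELO (rdns-name [ip]) by ..."
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[0-9A-Fa-f.:]+\]\)")

def org_domain(host):
    # Naive: last two labels. A real filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def should_challenge(raw_message):
    """True only if the From: domain matches the relay that handed us the mail."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    received = msg.get_all("Received") or []
    if not sender_domain or not received:
        return False
    # Only the topmost Received: header was written by our own MTA.
    # Everything below it arrived with the message and may be forged.
    hop = HOP.search(received[0])
    if not hop or hop.group(1) == "unknown":
        return False
    return org_domain(hop.group(1)) == org_domain(sender_domain)

# Constructed sample: sender domain and connecting relay agree.
LEGIT = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.corp.example with ESMTP\n"
    "From: Alice <alice@example.org>\n"
    "Subject: first contact\n\nbody\n"
)
# Constructed sample: forged From: plus a fake lower Received: line that
# claims the victim's mail server as the origin.
FORGED = (
    "Received: from bulk7.example.net (bulk7.example.net [198.51.100.7])\n"
    "\tby mx.corp.example with ESMTP\n"
    "Received: from mail.victim.example (mail.victim.example [203.0.113.5])\n"
    "\tby bulk7.example.net with SMTP\n"
    "From: Bob <bob@victim.example>\n"
    "Subject: offer\n\nbody\n"
)

if __name__ == "__main__":
    print("legit :", should_challenge(LEGIT))
    print("forged:", should_challenge(FORGED))
```

Legitimate mail sent through a third-party relay fails this comparison too, so a message that is not challenged here still has to go to quarantine or another filter rather than straight to the inbox.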
Short's final point is a scenario: "If it is Friday and I [send] you an e-mail and go on a two-week cruise. Your mail [sends] a reply to me to validate. I [don't validate]. Now the mail has expired, and it was time-sensitive. That is not a good solution."
We disagree. If you are sending mail to someone for the first time and it is time-sensitive you'd be wise to check that it arrived. And if it is not the first time, the recipient using source verification should have added you to the whitelist.
That said, anyone who, given the reality of routers breaking down, traffic congestion, lost packets, failed DNS lookups and servers failing or slowing down because the wind in Pasadena is blowing from the west, trusts SMTP-based mail for time-sensitive delivery needs his head examined.