In particle physics there's some really cool stuff called antimatter, which is exactly the same as everyday matter except it's not; it is oppositely charged. There's also another type of matter that is less well known: mirror matter, otherwise called Alice matter or shadow mirror.
Mirror matter is just like everyday matter (and for that matter, antimatter), except it is as if it has been reflected in a mirror and consequently has some weird properties.
Here in the IT world, we have spam technologies and we have their opposite: antispam technologies. Then we have what Verizon is apparently doing, using mirror antispam technology -- what I shall henceforth call Alice-spam technology.
Alice-spam technology relies on doing something that looks like antispam technology but actually achieves something weirdly different. I was told the story of Verizon's weird science by reader Stephen Canale of e-mail integrity assurance company OnlyMyEmail.
Here are the details: Verizon has a big spam problem, and its solution has been to use a technique called Sender Call-back (or Call-out) Verification (SCV).
SCV works like this: When you send e-mail to someone at a Verizon address your SMTP server will connect to the Verizon server to transfer your message. The Verizon server will keep the incoming SMTP connection open while it simultaneously opens another connection to your SMTP server to see if it will accept a message addressed to you.
If your SMTP server confirms within 30 seconds that it will accept the message -- in other words, that you exist -- then Verizon's server will accept your e-mail. If your SMTP server doesn't confirm that you exist or fails to respond in time your e-mail will be rejected, thus guarding against spoofing.
Sounds reasonable but . . . well, there's a lot of "buts."
First, the fact a server confirms an address doesn't mean that was who sent the message. Second, if the server being used for verification is overloaded then the 30-second window could be easily exceeded, which would cause the message to be rejected. Third, many servers handle multiple domains and are configured to verify any address, which defeats the whole purpose.
Another big concern is that SCV also allows the Verizon servers to become "joe job" servers - a way of executing a spam denial-of-service attack using a co-opted third party server - in this case, Verizon's.
Rss FeedRss Feed
The Leader in Network Knowledge
Comments (7)
This Week in Backspin: Verizon's Weird Anti-Spam ScienceBy Mark Gibbs on March 19, 2007, 5:00 pmIn Backspin this week I discuss how Verizon have been using what I call Alice-spam technology in an attempt to deal with their spam management problems. It isn't...
Reply | Read entire comment
Another problem with Verizon's setupBy Dan Riordan on March 20, 2007, 11:36 amMark, I see another problem with Verizon's setup. Here at On-Tech, we don't have an internal email server; we pay an outside company to host POP/IMAP accounts...
Reply | Read entire comment
How SCV worksBy Mark Gibbs on March 20, 2007, 12:08 pmIf you are in the domain on-tech.com but relay your messages via someservice.com when the message is sent by someservice.com the From: header must read dan@on-tech.com...
Reply | Read entire comment
SCV is totally ineffective -- Bounce SpamBy Chester Wisniewski on March 20, 2007, 10:17 pmI happen to run a domain that is a frequent victim of having my email addresses set as the forged address by the spammers. Spammers no longer seem to generate fake...
Reply | Read entire comment
Another case that would failBy Phil Daley on March 22, 2007, 11:50 amIt seems that another case that would fail is: You have a valid email address and ISP with SMTP server. The ISP does not allow connections from outside its...
Reply | Read entire comment
No more Verizon SCVBy Mark Gibbs on March 22, 2007, 11:52 amYou're right, there's all sorts of problems with SCV but I found out that Verizon discontinued its use the day just after I wrote my column! Weird timing, eh?
Reply | Read entire comment
View all comments