I just love challenge-response mail confirmation systems. “Hi, I get a lot of spam and someone sent me an e-mail pretending to be you. Would you mind filtering my spam for me? It only takes a minute, and if someone’s forging your address on spam, I’ll totally let it through if you simply respond to this message!”
My mail server publishes perfectly valid SPF records. I’ll give you a hint: if someone sends a message purporting to be from me but it fails the SPF checks, not only is the message not from me, but I don’t want to hear about it.
Perhaps I’d feel better if all challenge-response mail confirmation system users published their home phone numbers. It’s just a little bit of work to connect Asterisk, Festival, and procmail to dial their numbers and read my questionable mail to them. Clearly they have plenty of free time, if they’re getting so much spam that there’s no possible way they can filter it all without pushing the burden back to everyone else on the Internet.
It seems like a fair trade to me. If I do your mail filtering for you, I should get something of equal value in return - unless they believe that their time is far more valuable than mine. (Nah, can’t be. Otherwise they would have whitelisted me when they first sent me messages.)
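The SPF point above can be turned into a gate a challenge-response system runs before it mails anyone. This is an added example, not code from the original post or from any particular challenge-response product; the sample messages are constructed, the function names are hypothetical, and it assumes the receiving MTA prepends a `Received-SPF` header (RFC 7208) to each message.

```python
import email

# Constructed sample messages. The topmost Received-SPF header is assumed to be
# the one written by our own MTA; anything lower down may be sender-supplied.
FORGED = """\
Received-SPF: fail (mx.example.net: 203.0.113.9 not permitted) client-ip=203.0.113.9;
Received-SPF: pass (forged by the sender, must be ignored)
Return-Path: <author@example.org>
From: author@example.org
Subject: cheap pills

body
"""
LEGIT = FORGED.replace("fail (mx", "pass (mx", 1).replace("not permitted", "permitted")
BOUNCE = LEGIT.replace("<author@example.org>", "<>")

# SPF results for which the claimed sender must never receive a challenge.
NO_CHALLENGE = {"fail"}


def spf_result(raw):
    """Return the result keyword of the topmost Received-SPF header, or 'none'."""
    msg = email.message_from_string(raw)
    header = msg.get("Received-SPF")  # get() returns the first (topmost) one
    if not header or not header.split():
        return "none"
    return header.split()[0].lower()


def should_challenge(raw):
    """Decide whether sending a challenge to the envelope sender is acceptable."""
    msg = email.message_from_string(raw)
    # Added standard check: a null return path marks a bounce, so any
    # automatic reply would only create a mail loop.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False
    # The domain owner has stated this host may not send as them, so a
    # challenge would land on a forgery victim, not on the real sender.
    return spf_result(raw) not in NO_CHALLENGE


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT), ("bounce", BOUNCE)):
        print(name, spf_result(raw), should_challenge(raw))
```
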


psst - you blew an </em>
This rant, while dead-on and entertaining, seems a bit incomplete? Is there supposed to be more after "I just love"?
Anyway, spammers use SPF records. But the main point is right on.
I have the policy of always approving challenges for messages I didn't send and generally not bothering for messages I did. (Or approving the challenge and following with an "Ahem! Don't do that!" followup.)