[sf-lug] Challenge-response systems considered harmful (was: Don't do that! ("If you would like to be added to my list ofa pproved senders" ...)

Rick Moen rick at linuxmafia.com
Fri Oct 11 00:37:49 PDT 2019


Elaborating on the main thing I wrote:

>   People who deploy C-R software will get widely blacklisted.  Gradually
>   or sometimes less so.  Period.

The main reason why:  Any C-R software setup unavoidably functions as a
huge generator of much-hated 'backscatter spam' 
( https://en.wikipedia.org/wiki/Backscatter_(email) ,
http://linuxmafia.com/~rick/qmail-backscatter-spf.html ).

Backscatter is any form of automatic response (such as a 'bounce
message', or a C-R challenge) delivered inappropriately to an innocent
party whose e-mail address was forged as the claimed-sender of junkmail.
That action gets dinged severely against the public reputation of
wherever the backscatter spam originates.  Because it's _spam_, and
the way antispam work is:  Sources of spam get sanctioned.

And there's no way to prevent C-R setups from issuing backscatter.

If it's news to you that legitimate users' mailing addresses get used in
forged mail, welcome to the post-1990s Internet.  Starting in the 1990s,
basically _any_ source of backscatter is deemed an unacceptable spamhaus 
and gets quickly added to blacklists for bad behaviour.

This is not a negotiable point.  You cannot successfully argue your good 
intentions, or how you 'don't know what else to do'.  If you do this,
you will get blacklisted.  (This isn't just me saying this.  I'm
accurately describing what pretty much the entire consensus of mail 
administration has been about this for about 20 years.)

In addition to Karsten's gently worded explanation, the SpamCop DNSBL
people (now part of Cisco Systems) posted one of the other FAQs around
the same time (circa 2003), which anyone wanting more technical
explanation can consult:
https://www.spamcop.net/fom-serve/cache/329.html
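
Added example, not part of the original message: a small Python model of the backscatter mechanism described above, showing where each kind of response is delivered. The addresses, IPs, the `spam` verdict field and all function names are constructed for illustration.

```python
from email.message import EmailMessage

RCPT = "user@example.net"  # constructed local mailbox
# Constructed sample traffic. 'mail_from' is whatever the connecting client
# claimed in MAIL FROM; 'spam' stands in for a content filter's verdict.
INBOUND = [
    {"client": "203.0.113.7", "mail_from": "alice@example.org", "spam": True},
    {"client": "203.0.113.7", "mail_from": "bob@example.com", "spam": True},
    {"client": "198.51.100.20", "mail_from": "friend@example.edu", "spam": False},
    {"client": "192.0.2.55", "mail_from": "new@example.info", "spam": False},
]
APPROVED = {"friend@example.edu"}
# Ground truth the receiving server cannot see: these senders were forged.
FORGED = {"alice@example.org", "bob@example.com"}


def challenge_response(inbound, approved):
    """C-R policy: accept the mail, then send a new message (the challenge)
    to every envelope sender that is not on the approved list."""
    outbound = []
    for m in inbound:
        if m["mail_from"] in approved:
            continue
        msg = EmailMessage()
        msg["From"] = RCPT
        msg["To"] = m["mail_from"]  # claimed sender, never verified
        msg["Subject"] = "Please confirm your message"
        msg["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker
        msg.set_content("Reply to be added to the approved senders list.")
        outbound.append(msg)
    return outbound


def reject_in_session(inbound):
    """Contrast: refuse during the SMTP dialogue. The 5xx reply travels back
    over the existing connection to the connecting client only."""
    return [(m["client"], "550 rejected") for m in inbound if m["spam"]]


def backscatter(outbound, forged):
    """Challenges that landed on addresses whose owners sent nothing."""
    return [str(m["To"]) for m in outbound if str(m["To"]) in forged]


if __name__ == "__main__":
    sent = challenge_response(INBOUND, APPROVED)
    print(len(sent), "challenges sent; backscatter to:", backscatter(sent, FORGED))
    print("in-session replies:", reject_in_session(INBOUND))
```
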