Re: db.debian.org (and related infrastructure) updates

Marco d'Itri wrote:
For a start, sites performing sender verification will participate
in a DDoS on the mail infrastructure of domains forged by spammers.

As we have started to collect stats, out of 1K connections, 30 to 50 look like sender verification. This is quite low right now, but it could be harmful on big domains if more people use it.

There are two things I really dislike in sender verification. First, you are using someone else's resources to fight spam. Second, spammers may adapt in an annoying way (either they will use domains that always answer a 2xx to RCPT TO, or they will use verified emails).

Also, sender verification when seen from the side of the victims is
indistinguishable from a dictionary attack, and may cause deliverability
issues to the hosts attempting it.

I confirm it: we have already blacklisted IPs as they were issuing too many RCPT TO for non-existent emails. These were due to sender verifications...
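As an added example, not part of this thread, here is the kind of check a receiving site could run over its own SMTP reject logs to find the clients the reply above describes: sources issuing many RCPT TO for unknown users. The log format, the client IPs, the threshold of three distinct unknown recipients, and the use of an empty envelope sender as a hint that a client may be a verification callout are all assumptions of this example, not facts from the thread; from the receiving side both cases look alike, so the code reports them on the same list.

```python
import re

# Constructed sample mail-server log excerpt (not from the original thread).
# The line format is an assumption loosely modelled on an MTA's "reject" lines;
# adapt LINE_RE to the format your own MTA writes.
SAMPLE_LOG = """\
May 12 10:01:02 mx smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown; from=<> to=<alice@example.org>
May 12 10:01:03 mx smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown; from=<> to=<bob@example.org>
May 12 10:01:05 mx smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown; from=<> to=<carol@example.org>
May 12 10:01:07 mx smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown; from=<> to=<dave@example.org>
May 12 10:02:00 mx smtpd[4243]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown; from=<x1@spam.invalid> to=<aaron@example.org>
May 12 10:02:01 mx smtpd[4243]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown; from=<x2@spam.invalid> to=<abby@example.org>
May 12 10:02:02 mx smtpd[4243]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown; from=<x3@spam.invalid> to=<adam@example.org>
May 12 10:03:10 mx smtpd[4244]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 5.1.1 <alcie@example.org>: Recipient address rejected: User unknown; from=<joe@partner.example> to=<alcie@example.org>
May 12 10:03:11 mx smtpd[4244]: 1A2B3C: client=mail.partner.example[203.0.113.5]
"""

# Matches a "User unknown" RCPT rejection and captures client IP, envelope sender, recipient.
LINE_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?User unknown.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)


def parse_unknown_recipient_rejects(log_text):
    """Return (client_ip, envelope_sender, recipient) for every 'User unknown' reject line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("sender"), m.group("rcpt")))
    return events


def summarize_by_client(events):
    """Aggregate rejects per client IP: total count, distinct recipients, empty-sender count."""
    stats = {}
    for ip, sender, rcpt in events:
        s = stats.setdefault(ip, {"rejects": 0, "recipients": set(), "null_sender": 0})
        s["rejects"] += 1
        s["recipients"].add(rcpt)
        if sender == "":  # empty envelope sender, common for verification callouts (assumption)
            s["null_sender"] += 1
    return stats


def flag_probing_clients(log_text, threshold=3):
    """Clients that hit at least `threshold` distinct unknown recipients.

    null_sender_ratio is only a hint: a client that is probably a sender-verification
    callout and one running a dictionary attack both land on this list, because from
    the receiving side the traffic is indistinguishable.
    """
    flagged = {}
    for ip, s in summarize_by_client(parse_unknown_recipient_rejects(log_text)).items():
        if len(s["recipients"]) >= threshold:
            flagged[ip] = {
                "rejects": s["rejects"],
                "distinct_recipients": len(s["recipients"]),
                "null_sender_ratio": s["null_sender"] / s["rejects"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_probing_clients(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample this flags 192.0.2.10 (four unknown recipients, every attempt with an empty sender) and 198.51.100.7 (three unknown recipients, a different forged sender each time), while the single typo from 203.0.113.5 stays below the threshold; a real deployment would bound the count to a time window and feed the list into whatever rate-limiting or blocklisting the site already uses.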


