Talk:Callback verification

NPOV vs. financial interest

All of the major providers such as Verizon that used to do callbacks stopped several years ago having realized what a bad idea they are. There are one or two small filtering providers that still use them. I can't help but note that the main proponent of callbacks here owns such a provider and has a financial interest in arguing that they're a good idea, so it's hard to see how this article could have a NPOV so long as he can change it to support his interests.John L (talk) 20:21, 1 March 2009 (UTC)

I do not think a single editor can, ultimately, keep an article out of whack with wikipedia policies of things like WP:NPOV, and WP:UNDUEWEIGHT. When there are only two active editors, however, the process is quite slow. Wrs1864 (talk)`

There isn't a financial interest in promoting callback verification. I use it because it works. If it didn't work I wouldn't use it. For example, there is a lot of buzz around SPF which I don't use because it doesn't work. When Verizon implemented their callback verification they did it wrong. If they had done it right they would still be using it. It is a little tricky to get right. But there is no financial interest in using a technology that doesn't work. Marcperkel (talk) 15:26, 22 April 2009 (UTC)

It is effective only as long as not too much people do it, as people doing it put pressure:

- on spammers to use valid addresses;

- on admins to track and blacklist people doing verification. — Preceding unsigned comment added by WPcorrector (talk • contribs) 05:00, 14 September 2012 (UTC)

Implementation section

To avoid an edit war, I would like to invite third party experts to jump in and look at this article. There is a culture of people who are behind SPEWS, APEWS, UCEPROTECT, and backscatter.org who are openly hostile to callback verification. I personally use callback verification in my spam filtering business Junk Email Filter and it works very well. However, admittedly it needs to be done correctly as callback verification has some gotchas. That's why I added sections to instruct people on how to correctly implement this spam fighting method without the side effects that others are concerned about. Marcperkel (talk) 02:21, 13 February 2009 (UTC)

I removed this part from the article:

There are also two essential problems with callbacks:

• spending other people's resources to implement an anti-spam measure, which some may consider to be abusive
• as spammers move to real addresses instead of forged ones, the measure becomes ineffective

The opinions of some people [backscatter.org] that callback verification is abusive isn't relevant to the article. The second line is a legitimate point so I merged and expanded it in the section just above. Marcperkel (talk) 02:49, 13 February 2009 (UTC)

Um, the first thing you do is a large revert, then claim you are avoiding an "edit war". You then go on to imply that I'm involved with a bunch of groups that I have nothing to do with, while you admit that you have a conflict of interest on this subject. The whole "implementation issues" section comes very close to voilating the WP:NOTHOWTO policy. Baically all all the "implementating" section is a repeat of the "drawback" section, with a "CBV has problem <foo>" changed to "CBV has problem <foo> that requires everyone in the world to do <bar> to solve". I'll try go merge these sections together. Wrs1864 (talk) 13:14, 13 February 2009 (UTC)

Oh, I guess I should note that while trying to keep this article neutral, I was called a spammer because I removed pleas for everyone to stop using this method. I guess now being told that I'm biased against this method kind of balances things out. Wrs1864 (talk) 13:37, 13 February 2009 (UTC)

When I say that I use callback verification I'm not admitting to having a conflict of interest, but rather that I'm an expert on the subject. I filter email for 4000 domains and I have spent a great deal of time fine tuning callback verification. I have experience on both ends - using callback verification - and keeping my servers callback verification friendly. The people who use my service want callback verification support because supporting callback verification deters spammers from spoofing the domains that we service. OTOH - you are clearly associated with backscatter.org and you are vandalizing this article so as to discourage the use of callback verification. That is a political position and has no place in a Wikipedia article, other than perhaps you can make your case here in the talk section. Marcperkel (talk) 22:06, 13 February 2009 (UTC)

I really have no idea why you think I have anything to do with backscatter.org. I have never used it, I don't know who runs it, I think I've looked at the website once or twice due to references here. I left the reference in because I generally trust User:Joy's judgement. For the chargest of vandalism, please review WP:Vandalism, in particular, it says "Any good-faith effort to improve the encyclopedia, even if misguided or ill-considered, is not vandalism." As far as the WP:COI goes, the fact that you have a financial interest in promoting the use of CBV can be a problem. WP:COI does not rule out editing, but you need to be very careful. Wrs1864 (talk)

As a third-party email expert I have to agree with Wrs1864. SAV/CBV has been extensively debated among the anti-spam and sysadmin communities and the consensus is that it should not be used. AFAIK the only knowledgeable proponents of SAV/CBV are individuals who sell a service employing it.Ozzzo (talk) 21:28, 29 April 2009 (UTC)

Relevant policies

The purpose of a page here is to describe the subject. It should have a neutral point of view. That is, it should describe, in this case, the capabilities of the technique without offering any judgement on its merit. That's all. No directory of implementations, no list of who does or doesn't like it, no guides to implementation - all of those are non-encyclopaedic and are included in the list of things that Wikipedia is not. --AndrewHowse (talk) 23:03, 13 February 2009 (UTC)

While I have expressed concerns about the HOWTO nature above, I think you took the easy route and way over deleted text. To quote WP:NPOV, Lack of neutrality as an excuse to delete, and the same goes for HOWTO nature. In particular, the section that was titled "Known problem cases when implementing Callback Verification" gave a great deal of information about how the process works in practice. Most of the items listed there are from the Postfix and Exim documentation found in the references section. The postfix documentation uses the title "limitations", and that may be a more neutral and descriptive term for this section. Wrs1864 (talk) 18:10, 14 February 2009 (UTC)

I have gone ahead and restored the non-HOWTO stuff. Wrs1864 (talk) 20:06, 16 February 2009 (UTC)

You have a clear bias against callback verification technology. You only post negative issues without restoring anything positive about callback verification. This technology works and that it why it is so widely used. Your perspective is not neutral. Marcperkel (talk) 17:01, 17 February 2009 (UTC)

Well, I did try looking for reliable sources for both sides, but I could only find ones with negative reviews. As I mentioned above, several months back I was called a spammer for "supporting" this method by removing a rant about how everyone should stop using it. It was during my review of sources that I saw just how explict so many of them that CBV is not recommended. I've looked over the "limitations" section, and as I said above, most of it is from the postfix documentation. While it isn't glowing praise, I don't see the limitations section as being that negative, it just says what things you will run into and the techniques used to try to work around those limitations. Wikipedia is not supposed to make articles "balanced" by presenting as many positives and negatives, it is supposed to document stuff from reliable sources. Maybe you could convince the IETF to publish an update to RFC 2505, or convince the exim/postfix authors to update their documentation. Or, find other reliable sources that support CBV.

Are there specific points in the limitations section that you think could be rephrased to be more neutral? I've changed the title of the section a couple of times to try and be more neutral, and have reviewed the text. Wrs1864 (talk) 18:24, 17 February 2009 (UTC)

I think it would be helpful to use the so-called inline citation method. Many of the statements you added or re-added need a reference, and an explicit attribution would help greatly. --AndrewHowse (talk) 01:30, 18 February 2009 (UTC)

I reverted back to Andrew's version. Let the article just be about what it is. Your limitations section is highly inaccurate and very biased. It is a technology that needs to be done right but it has been correctly implemented in both Postfix and Exim which address your real concerns. I don't know what the correct solution is but I too put in some effort in discussing the details of how to implement it. I'm filtering about 4000 domains using this technology successfully as are thousands of other servers. I wouldn't mind seeing more information about how to implement it and a discussion of pitfalls. But not from the folks behind APEWS, backscatter.org, and uceprotect who are dead set against this technology. Marcperkel (talk) 01:59, 18 February 2009 (UTC)

Be aware that this is not "my" limitations section, it was developed by others. Being more specific about what is inaccurate would be helpful. Giving a reference to a reliable source that it technology is being used successfully by thousands of servers would be helpful. Wrs1864 (talk) 03:36, 18 February 2009 (UTC)

I have placed a bunch of inline references in, I'll try to track down more tomorrow. Note that RFC's use wikipedia's builtin inline referencing system that isn't as nice as the reference macros developed later on. Some of the earlier stuff is references, even if it isn't in the nicest form. Wrs1864 (talk) 03:36, 18 February 2009 (UTC)

I have again reverted back to AndrewHowse version. Limitations section is not neutral. Wrs1864 hates this technology and his view is extremely biased against it. Marcperkel (talk) 18:13, 20 February 2009 (UTC)

I have again restored the most current version. Please do not make claims about what I think. I do not "hate" this technology, nor do I "love" it. Simply claiming that the "limitations" section isn't neutral is not helpful, you need to explain what and why. Again, as I've mentioned above, Wikipedia:Neutral_point_of_view/FAQ#Lack of neutrality as an excuse to delete. Again, I have searched quite a few times now for reliable sources that recommends SMTP callbacks, or have positive things to say it, but I could not find any. If I had found some, I would have added them. Please help here by pointing out some. As per WP:NPOV, the limitation section does not pass judgment, it just states facts based on WP:Reliable sources. Many of these limitations were acknowledged by you in your "how to implement" section. AndrewHowse is correct that "how to" sections are not appropriate for wikipedia, which was why the parts you added were deleted by him. I'm am trying to reach consensus with all editors here, Andrew asked for more inline references, I added them. You want things to be more positive, I tried rephrasing things to be more neutral, but I'm limited by what the reliable sources say. This section was not something I originally added, it was developed by other editors. Wrs1864 (talk) 19:07, 20 February 2009 (UTC)

I have again reverted it back to AndrewHowse version for the reasons stated above.Marcperkel (talk) 19:49, 20 February 2009 (UTC)

Here is a Positive Article on callback verification.Marcperkel (talk) 20:08, 20 February 2009 (UTC)

If you want to find positive articles and how tos look up Sender Address Verification (SAV) on Google. Also I notice when I search sender address verification here it redirects to the wrong article. Marcperkel (talk) 20:25, 20 February 2009 (UTC)

"Sender address verification" appears to be sendio's name for Challenge-response spam filtering, which is different than what this article is about (and what postfix (software) terms as "sender address validation). I agree, the names are confusingly similiar. Thank you for searching, I appreciate it.

I am going to revert the article again for the following reasons. Wikipedia works on WP:consensus. I notice that you have asked for assistance on this article, which is good. The "drawbacks"/"limitations" section had been in the article for two years, so I believe it represents the current consensus. Please be aware of the Wikipedia:Three-revert rule. We both close to this limit. I think we should leave it at the consensus point and proceed with help from others. Wrs1864 (talk) 20:47, 20 February 2009 (UTC)

Third opinion

Clearly, there should be a limitations section. No technology is perfect and the article will not be complete without outlining its major limitations. The limitations section as written seems fine because it lists the limitations and even provides work arounds in some cases. However, a couple of quibbles:

1. The lead sentence says that postfix and exim documentation 'do not recommend' callback verification. However, the postfix article says that the technique is suitable only for low-volume sites and seems to apply only to its own implementation (not the same as do not recommend) and I can't find an explicit statement about this on the Exim site.
2. The graylisting limitation refers to an article that does not talk about response codes (4xx or 5xx).
3. Finally, it would be helpful if the limitations that are peculiar to an implementation (postfix, for example) are clearly separated from general limitations (delays, system burden, possibility of being blacklisted, etc.)

--Regent's Park (Rose Garden) 22:52, 20 February 2009 (UTC)

I run a spam filtering company and we process abut 10 million messages a day for over 4000 domains using Exim and I am experiencing none of these limitations. Marcperkel (talk) 08:21, 21 February 2009 (UTC)

What there needs to be is the implementation section that I wrote which addresses the some of the concerns in the limitation section but does so in a positive way. It explains how to correctly use this technology without the consequences of doing it wrong. The only one blacklisting servers that use this is backscatter.org and Wrs1864 is connected with that blacklist. Wikipedia is about presenting factual information abut a technology and the limitations section fails that test. This technology is extremely effective and when it is done right has none of the limitations listed. Marcperkel (talk) 08:12, 21 February 2009 (UTC)

Then perhaps you and wrs1864 should work together in separating the postfix implementation limitations from the general limitations. It seems to me that delays, system burden, and the possibility of being blacklisted are general limitations of callback verification but, it the others are postfix only limitations, that should be clearly marked. I think that the two of you can come together provided you agree that a section on limitations is not out of bounds (nothing is perfect!) and wrs1864 is willing to work on making the limitations more focused. Limitations are not bad things, they just need to be put in perspective. (Also, while personal experience is useful in article writing as well as a sanity check, it is no substitute for citations from reliable sources.) --Regent's Park (Rose Garden) 16:35, 21 February 2009 (UTC)

RegentsPark, let me address the points you raise. First, you are right, the "not recommended" phrasing is a poor merger of what the doc for the two MTAs describe. Exim says "use with care", postfix, as you say, talks about being "suitable", I'll try rephrasing. Second, the greylisting is poorly phrased, a "4xx code" is the same as a "temporary delivery failure", while a "5xx" is a "permanent failure". The documentation does talk about it in the "issues affecting the proposed implementation" section, just not in the same words. Finally, none of the limitations are really implementation specific. Some implementations try to address some (or all) of the various limitations using some of the techniques mentioned, but the article just talks about the general situation. Wrs1864 (talk) 20:37, 21 February 2009 (UTC)

Implementation Sections

The implementation sections address the concerns in the limitations section that are actually real. But it does it from the perspective of how to avoid the limitations. Limitations are only limitations if the implementation is wrong. Most of these implementation issues are already dealt with inside of Exim, Postfix, and Sendmail. But, speaking for Exim, there are a set of best practices considerations for doing it right.

It seems to me to be more useful to approach the problem from the perspective of how to do it right rather than what you can't do if you implement it wrong. I would ask anyone who wants to get involved in this discussion to do the research if you don't have extensive personal experience like I do. And I would argue that if this technology didn't do something useful then it wouldn't be a standard part of every major MTA.

Hi Wrs1864,

Might I make a suggestion. Why don't you address your concerns about callback verification by working on the implementation section and making suggestions about ways to reduce the number of callbacks. I think that everyone agrees that the fewer number of callbacks the better. I have, based on issues you raised, made suggestions about using other technologies that are less expensive, faster, that should be used to screen first, before using callback verification. Why don't we work together on this and make it technically correct?

For example, I process some 10 million email attempts a day of which maybe 400k are real emails. Here's the order I use to determine if it's spam or ham.

1. Fake MX - nolisting
2. Pipelining Traps
3. Syntax Tests (HELO, Sender errors etc.)
4. RBLS - Yellow, then white, nobl, and then black - on both IP and host name
5. Recipient Verification
6. URIBLs
7. Sender Verification - Callback Verification - DKIM
8. Spamassassin

Because of this out of the 10m spam attempts a day we only do about 50k callback verifications which is 1/2 of 1%.

Additionally, we test our system to make sure it supports the callback verifications of other systems testing our servers in behalf of the 4000 domains we service. But supporting the verification calls of others we can send information to other servers as to which users are good and which users are fake. Thus spammers are less likely to spoof domains we filter for because.

1. Their fake sender addresses will be detected and rejected by those servers using SAV calls to us. Our system and others as well (I assume) will blacklist an IP address after a number of bad sender and recipient verifications in a short period of time. Thus spammer who fake the domains I filter for get their servers quickly listed on public RBLs so the spammers lose ground by attempting to spoof our domains. The smart spammers are actually blacklisting us so they don't get caught.
2. It reduces NDR backscatter because no one is going to send an NDR report to an email that they verified as fake using callback verification. And the callback is far less expensive to process than NDRs.
3. The more SAV (sender address verification/callback verification) is used the more effective it is. Spammer are pressured to abandon the technique. Yes they would rather use real email addresses but they don't know whats real and what are honeypot addresses and honeypot addresses get them caught as well, sometimes even faster.
4. Keep in mind that once you have their IP blacklisted that you no longer have to do callback verification. And since I run one of the top blacklists when I detect a spam bot that whole planet knows about it. So the 50k callbacks I do allows me to enhance my black list and reduces both callbacks from other servers being spammed from IPs I blacklisted, but reduces NDRs being sent to domains being spoofed. Thus overall the total amount of backscatter is reduced, not increased.
5. People who read this Wiki article about how to implement SAV will do what it recommends and thus reduce the number of callbacks. So if you leave the implementation sections in rather than replace it with your limitations section the number of callback worldwide will be reduced. People will continue to use callbacks as long as MTAs have callback built in and this technology actually works. So getting people to do it right is more effective that trying to bully them out of using it.

So Wrs1864 - I'm asking that you think this through and test it and you'll see the big picture and that I'm right. And if you know about better technology that reduces callbacks and works better, I'd love to hear about it. I will implement any spam filtering technology that actually works. And I want you to know that I am, as with all spam filtering operations, sensitive to the isue of not doing damage to third parties while trying to protect ourselves from the spam problem. Marcperkel (talk) 16:10, 21 February 2009 (UTC)

I just realized that I never responded to this. As per my understanding of WP:NOTHOWTO, WP:NOR, etc., I can not see having a section on "how to implement CBV right" as being appropriate for wikipedia. Wrs1864 (talk) 11:50, 23 February 2009 (UTC)

dealing with this

OK, I'm losing my patiences. First, for the last time, stop accusing me of various things. As I have said many times before, I don't even know who runs backscatter.org, let alone have anything to do with them.

As explained by AndrewHowse, an "how to implemention" type section is in violation of WP:NOTHOWTO. Marc Perkel, you can not publish your own ideas about spam filtering here, that would be in volation of WP:NOR and WP:NOTSOAPBOX. Wrs1864 (talk) 20:16, 21 February 2009 (UTC)

OH, I did some digging, I think you are referring to "backscatterer.org" rather than "backscatter.org". Either way, I have nothing to do with them. Wrs1864 (talk) 20:40, 21 February 2009 (UTC)

AndrewHowse removed your limitations page as have I, It seems the consensus is with me. And I have reality on my side. I'm right and you are wrong. I have invited you to work with me on implementation but I'd be somewhat satisfied with it reverting to Andrews version that removes you edits and mine. The problem with your limitations section is that you are just plain dead wrong.

I'm an expert in this field. I'm implementing callback verification for 4000 domains. [[User:Wrs1864|Wrs1864] what's your expertise in spam filtering? Marcperkel (talk) 00:18, 22 February 2009 (UTC)

My experience is irrelevant since wikipedia is not based off of us creating original content, but based off of information from reliable sources. Anything that I would say based off of "in my expert opinion, ..." would violate WP:OR. AndrewHowse removed a large chunk of stuff based off the WP:NOTHOWTO policy, of which the limitation section is not part of. I suspect that if he thought that the limitation section was, actually, "how to" stuff, he would say so. Please leave the article as it was for 2 years until such time as a consensus can be reached in the talk page. Wrs1864 (talk) 01:15, 22 February 2009 (UTC)

I think this experience is relevant because your limitations section is clearly just plain dead wrong. There may be an argument that my implementations section should be removed too but my implementations section actually addresses many of the concerns you raise in your limitations section. Clearly you don't use the technology and you know nothing about it. I'm one of the foremost experts on the subject on the planet and experience and knowledge does count. AndrewHouse removed your limitations section and I agree with that. I notice you are also removing my external references to Exim, Postfix, and Sendmail as well as another article abut the technology that I linked to so you are clearly trying to twist the article to discourage the use of a technology that you don't like. Marcperkel (talk) 06:07, 22 February 2009 (UTC)

Please read WP:EXPERT and please stop making assumptions about me. When you make false claims about me, I have to work harder to not automatically dismiss everything you say. AndrewHowse did not object to my restoration of the limitations section, he asked for inline references which I added. The postfix/exim links are still there as inline references. The circleid article, as I explained above, is not about this technique, it is about challenge/response. It is important to not only read the original source, but to read the replies. Wrs1864 (talk) 12:36, 22 February 2009 (UTC)

SPF and Callback Verification

SPF has nothing at all to do with callback verification. I removed that section because it is an unrelated topic. Unless you can show me an example of how someone can do this. If you can I would be very interested in it. Otherway it is totally unrelated to verifying individual email addresses. Marcperkel (talk) 06:16, 22 February 2009 (UTC)

As per the paragraph, you have to use the %l or %s macros. For example, an SPF record of example.org TXT "v=spf1 exists:%{l}._cbv.%{d} -all" will, if you have your DNS set up correctly, will succeed if the local part for exists on example.org and fail otherwise. Wrs1864 (talk) 12:19, 22 February 2009 (UTC)

Addressing the Limitations Section Point by Point

Thank you for commenting on specific issues. Most of these objections are in the form of "but exim/postfix do it right", which is somewhat irrelevant here since this article needs to describe the technique, rather than what specific implementations do right or wrong. For explaining the technique, an example form one implementation is fine to cover the subject. On the points that I do not comment on, please assume that I think the limitation is appropriate here. Wrs1864 (talk) 13:10, 22 February 2009 (UTC)

The documentation for both postfix and exim caution the use^[1][2] of this technique and mention many limitations to SMTP callbacks. In particular, there are many situations where it is either ineffective or causes problems to the systems that receive the callbacks.

You start with misleading information and a wrong and biased conclusion.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Some regular mail exchangers do not give useful results to callbacks:

Most do return useful information.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Servers that reject all bounce mails (contrary to the RFCs).

Exim returns information as to what phase rejected the email. So email rejected after the MAIL FROM can be distinguished from the RCPT TO.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

To work around this problem, postfix uses either the local postmaster address or an address of "double-bounce" in the MAIL FROM part of the callout. This work-around, however, will fail if Bounce Address Tag Validation is used to reduce backscatter.

Exim lets you set specific senders as well. If you do this you definitely should use with care and expect that the server you are verifying might verify you. Most people wouldn't use this unless they really knew what they were doing.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Callback verification can still work if rejecting all bounces happens at the DATA stage instead of the earlier MAIL FROM stage, while rejecting invalid e-mail addresses remains at the RCPT TO stage instead of also being moved to the DATA stage.^[1][2]

If you are going to reject all bounce messages then doing so at the DATA stage would make your server SAV compatible. However if you reject all bounce messages then you'll never get info if the other server rejects one of your messages (false positive).Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Servers that accept all e-mail address at RCPT TO stage but reject invalid ones at DATA stage. This is commonly done in order to prevent directory harvest attacks and will, by design, give no information about whether an e-mail address is valid and thus prevent callback verification from working.^[1]

Servers configured this way invite spammers to spoof their domains because all email addresses pass sender verification. This results on the domain getting more SAV calls (all returned good) and will result in more NRD backscatter as the other spam filtering rules bounce the message. A better solution would be to use honeypot addresses that spammers can harvers, will appear to be valid, but will get the spammers servers blacklisted.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Servers that accept all mails during the SMTP dialogue (and generate their own bounces later).^[1] This problem can be alleviated by testing a random non-existent address as well as the desired address (if the test succeeds, further verification is useless).

Exim also supports random callout testing.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Servers that implement catch-all e-mail will, by definition, consider all e-mail addresses to be valid and accept them. Like systems that accept-then-bounce, a random non-existent address can be detect this.

Yes - the random function prevents axcessive callouts.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

The callback process can cause delays in delivery because the mail server where an address is verified may use slow anti-spam techniques, including "greet delays" (causing a connection delay) and greylisting (causing a verification deferral).^[1]

This is true. Delays should be implemented so as to be SAV friendly. Do the delay after DATA is received.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

If the system being called back to uses greylisting and returns a 4xx response code instead of a 5xx response code when given an invalid e-mail address, the callback will return no useful information until the greylisting time has expired.^[3]

This is a side effect of improper use of greylisting. Greylisting has its issues as well.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Some e-mail may be legitimate but not have a valid "envelope from" address due to user error or just misconfiguration. The positive aspect is that the verification process will usually cause an outright rejection, so if the sender was not a spammer but a real user, they will be notified of the problem.

This is true if you use SAV for outright rejection. It is better to combine verification with other conditions and exception lists.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

If a server receives a lot of spam, it will do a lot of callbacks and if those addresses are invalid, the server will look very similar to a spammer who is doing a dictionary attack to harvest addresses. This in turn might get the server blacklisted elsewhere.^[1]

This just isn't true. If implemented correctly one would blacklist the source IP after several bad emails. Spambot are easilly detected by other means that SAV so it won't result in callbacks.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

The risk of being put on a DNSBL is explicitly noted in the postfix documentation. I'll update the text to note that lots of spam does not always cause lots of callbacks. Wrs1864 (talk) 13:10, 22 February 2009 (UTC)

Every callback places an unasked for burden on the system being called back to, with very few effective ways for that system to avoid the burden. In extreme cases, if a spammer abuses the same sender address and uses it at a sufficiently diverse set of receiving MXs, all of which use this method, they might all try the callback, overloading the MX for the forged address with requests (effectively a Distributed Denial of Service attack).

This is bull. First of all spammers abuse everyone and create unwanted traffic. But using SAV actually REDUCES the total unwanted traffic in that it reduces NDRs which are worse than callouts and it helps feed bad IPs into RBLs that tell other servers the IP is bad which reduces callbacks and NDRs from other servers later spammed. The net result is the spammer fails.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

CBV does not reduce the unwanted traffic. All backscatter that goes to email addresses that are invalid will create an SMTP session exactly the same as a CBV, so at best it is the same load, at worst, it is a CBV when no backscatter would have happened. All backscatter that goes to an email address that is valid will pass CBV and therefore CBV doesn't help to reduce any backscatter that would be created. Most systems that do CBV do not feed DNSBLs, and using CBV is not required to feed DNSBL, so that is an independent action. Wrs1864 (talk) 13:10, 22 February 2009 (UTC)

Can we replace "(effectively a Distributed Denial of Service attack)" with "(a Type of Distributed Reflection Denial of Service)"? DDOS normally implies the attacking hosts are under the control of the attacker, while in DRDOS the hosts are tricked into 'attacking' the victim? (Anonymous)

Callback verification has no effect if spammers spoof real email addresses.

Not true. Honeypots are real email addresses so spammers who harvers email addresses in order to avoid the penalties of SAV end up spamming from honey addresses instead. Spoofing a honeypot is easier to catch that spoofing an address that doesn't exist.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

Honeypot addresses are another technique that is independent to this article. It cuts both ways, though, since neither spammers nor the system doing a CBV can always tell if the email address is a honeypot or not, so making a callback with a honeypot address can, as mentioned above, get you placed on DNSBLs. Wrs1864 (talk) 13:10, 22 February 2009 (UTC)

So these "limitations" actually are not limitations, but rather just bad information that is just plain dead wrong.Marcperkel (talk) 07:26, 22 February 2009 (UTC)

They look accurate to me, and they are sourced. Wrs1864 (talk) 13:10, 22 February 2009 (UTC)

What looks accurate to you has nothing to do with reality Wayne. You should defer to the experts rather than pick and choose articles that support your point of view. Marcperkel (talk) 16:08, 22 February 2009 (UTC)

Marc, I do not think you are any more of an "expert" than I am on this subject. Being an expert, however, is not the critical part of creating a wikipedia article, so I have tried to avoid a "who is the bigger expert" line. I have requested more formal help with this article as I can not seem to explain wikipedia policies well enough. Wrs1864 (talk) 18:00, 22 February 2009 (UTC)

References

1. Postfix Address Verification Howto
2. Exim Callout verification
3. The Next Step in the Spam Control War: Greylisting

status of outside help

As per my comment on the latest revert, I have been investigating how to get more outside help on this article. In particular, I have again re-read and investigated Wikipedia:Dispute resolution. It appears that "editor assistance", "third opinion" and "requests on the relevant noticeboard" have been tried. I was looking into the "request for comment" option, but that appears to be aimed at disputes between more than two editors, while the "formal mediation" looks very heavy-weight. I have ask RegentsPark for help again as he offered a third opinion earlier. I guess asking for another third opinion is an option. If nothing turns up within a day or so, I'll probably proceed with the "request for comment" option.

Also, to be clear, I do *not* think the current article is the only option/format/valid text, just that it best represents the WP:CONSENSUS.

Dispute resolution

If I may, I'd like to ask a few questions to get some clarity on your positions before the dispute is escalated to a request for comment.

1. (For Marcperkel) Are you against having a limitations section entirely, or do you think you can accept the existence of one and work with Wrs1864 on the wording? If the former, then a request for comment should be the immediate next step.
2. (For Wrs1864) Several limitations listed by you lack inline citations. Can you provide inline citations and, if not, are you willing to see them removed from the article?

• As WP:V says, "Verifiability is one of Wikipedia's core content policies.", so in short, I will not to object to removing anything that can not be backed by a WP:Reliable sources. That said, there is more than a little wiggle room here (WP:IGNORE in extreme cases), and as WP:V says, stuff that isn't likely to be challenged doesn't need an explicit reference. So, for example, the "catch-all" case is "obvious" and Marcperkel stated above that it was a limitation and the technique mentioned in the article to work around it was accurate. Does it really need a cite? If pushed, I won't object to having it deleted, but I don't think it needs to be. There is actually a larger problem with all the references here because this whole topic is not a hugely notable topic. Most of the citations are from primary sources (IETF RFCs, program doc, etc) rather than from than reliable secondary sources (WP:PRIMARY). If pushed, should this whole article be deleted for lack of high quality referenced? I would say no, but I could see a wiki-lawyering AfD based on that. Some of the items I can easily find references based off of blogs from noted experts in the field (e.g. SpamAssassin's author, Justin Mason's comments on CBV), and WP:SPS says that such a blog may be acceptable. The problem here is that "experts" in the field of spam/email are a dime a dozen, both Marcperkel and I can legitimately claim to be one, and I don't think it would be appropriate for either of us to just go publish a blog to get around WP:NOR. Is Verizon’s Spam Blocking Problem a reliable source? According to alexa, onlymyemail.com has a ranking of 244,180 vs 585,112 for Marcperkel's company, junkemailfilter.com. I decided not to add it because I didn't think it was reliable enough. Would several "weak" sources improve the article, even if they didn't make up for one solid one? Even at this level of quality for sources, I wasn't able to find ones that were really positive about CBV. Would it be good to add some anyway just to provide some balance? Sorry for answering your question with a bunch of questions of my own. Wrs1864 (talk)

1. (For Marcperkel) Are you willing to let properly sourced limitations stay on the page? If there are workarounds for a limitation, can you provide a source for the effectiveness of the limitation?

--Regent's Park (Rose Garden) 14:55, 23 February 2009 (UTC)

First question for me: If you look at my Implementations section that Wrs1864 keeps deleting (I'll post below) it addresses the issues in the limitations section that are actually real issues. However none of the issues are what I would call "limitation" but reather implementation issues that can be worked around. It not a limitation as much as doing it correctly. Wrs1864 raises some issues that are valid. But they are all solvable. So I think posting the solution is a better way to go.Marcperkel (talk) 18:10, 25 February 2009 (UTC)

Second Question for me: In general I oppose the use of the word "limitations" as it implies a problem without a solution. I agree that some of the issue raised are in fact real if Callback verification is done wrong. However MTAs that implement this technology do it right and one should caution users implementing this not to do a callback on every email message but rather use other methods for testing spam first before using callbacks. Marcperkel (talk) 18:10, 25 February 2009 (UTC)

Articles Supporting Callback Verification

• http://www.circleid.com/posts/sender_address_verification_solving_the_spam_crisis/

As mentioned twice above, this article has nothing to do with SMTP callbacks, this is a challenge/response system. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

• http://www.sendio.com/index.php?content=technology&sub=sender_address_verification&id=2

See the previous reference. This is just a link to the company's website. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

• http://slett.net/spam-filtering-for-mx/smtpchecks.html

There isn't a huge amount here about SMTP callbacks. I'm not sure that this is really that positive about it, for example it talks about AOL will blacklist you if you do SMTP callback requests to them. I'm also not sure if this qualifies as a reliable source. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

• http://smfs.sourceforge.net/smf-sav.html

This is just a non-notable implementation, it doesn't really talk about the technology. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

• http://www.imgate.net/?page_id=98 - neutral on subject

Again, imgate doesn't appear to be that notable, it doesn't even get a mention on wikipedia for example. It also isn't that positive, it starts off saying: "Sender Address Verifiation, “SAV”, is a controversial anti-mail-abuse policy." Like links I mentioned earlier, I'm not sure this qualifies as being a reliable source. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

• http://razor.occams.info/code/spf/

This doesn't have anything to do with SMTP callbacks, it uses things like SPF to verify the domain part. (Yeah, SPF can, in theory, verify the local part too with the %l macro, but that is rarely done.) Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

—Preceding unsigned comment added by Marcperkel (talk • contribs) 18:30, 25 February 2009 (UTC)

Articles opposing callback verification

Callback Verification is very political and people have taken a strong stand against the technology. Much of the opposition is in my opinion almost religious in nature in that isn't not based on reality. My point here is that there is a class of people who oppose this technology and it's political and it's questionable where it fits into a Wikipedia article.

• http://spam-vs-freedom.blogspot.com/2007/06/sender-address-verification-we-told-you.html
• http://www.backscatterer.org/?target=usage
• http://www.apews.org/?page=index
• http://www.campaignfoundations.com/aggregator/sources/2?page=1 —Preceding unsigned comment added by Marcperkel (talk • contribs) 18:57, 25 February 2009 (UTC)

All spam solutions seem to have have rabid supporters and detractors, I don't think we should judged things by extremists. I don't think the objections most people have with SMTP call backs is political. I don't think any of these qualify as being reliable sources. I put a link into the backscatterer.org site in the article because it is ok to source their claim that they blacklist people. I don't know about using them to back claims about the technique itself. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

Agreed - it does seem that many people are "religious" about some technologies when it comes to filtering spam. Something that I haven't been able to understand. In my mind it's all about what works. I use dozens of different technologies in filtering spam. However the article isn't the place to debate this. That's what I haven't put in my opinion into the article about how effective it is. I'm focusing on what it is and I agree with Wrs1864 that there are issues that are important wen implementing this technology that are significant and can impact people like Wrs1864^{[citation needed]} who runs an email server on a DSL line^{[citation needed]}. Where we disagree is that he wants to discourage the use of the technology^{[citation needed]} and I want to explain how to use the technology so that the load on third parties isn't significant or reduced. Personally I'm not even advocating people use this technique because you have to be very knowledgeable to do it correctly. If there should be a warning perhaps it should be "for experts only". I personally find it effective, but I wouldn't recommend it for novices. I did a LOT of work to get it right. Perhaps this talk page will be more informative than the article. Marcperkel (talk) 02:51, 26 February 2009 (UTC)

Marc, until you stop your constant incorrect claims about what I think/do, I'm done talking to you. Wrs1864 (talk) 03:23, 26 February 2009 (UTC)

Correct me then - what part is incorrect? Marcperkel (talk) 04:26, 26 February 2009 (UTC)

Proposed Implementation Issues

In implementing callback verification it is important to keep in mind that each callback creates some load on the server of the domain being verified. If a spammer is spoofing a domain and the domain is hosted on a low speed connection or has other resource limitations it could significantly impact that server's ability to send and receive email. It is therefore important to use this technology lightly so as not to inadvertently cause problems for innocent third parties. Thus in order to increase the speed of your spam filtering and reduce the load of call outs on other servers, callback verification should be used after other spam filtering technologies have been tried.

Several Mail Transfer Agents such as Exim, Postfix and Sendmail support callback verification technology. But callback verification is more process and bandwidth intensive that other spam fighting technologies such as DNSBLs, checking HELO, and other types of more efficient checks. Another example is to verify the recipient first before verifying the sender so if the recipient is invalid the sender need not be checked.

Developers of callback verification software should cache results of recent callbacks so that a callback isn't performed for every message received. It is good practice to keep the volume of callbacks down so that the spoofed domain isn't burned with responding to excessive callback requests.

Proposed Implementing Callback Verification Support

Callback verification support allows other email servers to query your server to verify if an email address is actually valid. Supporting these callbacks has several advantages.

• It allows other email servers to determine if the sender is good and reject email from spoofed senders that don't exist. This helps other email servers to blacklist spam sources so that spammers who use your domain for spoofing get blacklisted.

• It reduces backscatter because email can be rejected at connect time as an invalid sender rather than later generating a bounce message that is wrongly returned to your server.

• Spammers tend to avoid using spoofed domains that support callback verification because they are less likely to successfully deliver their spam and more likely to get their spam servers blacklisted. Spammers tend to spoof domains that seem to accept email destined for any email address.

To support callbacks from other servers so that they can verify email addresses for your domains.

• Wildcard addresses or catchall addresses should be avoided because if your email server will accept any email address (*@yourdomain.com) then it both attracts spam and attracts spammers to spoof your domain when spamming others.

• Avoid rejecting email from empty senders <> at the MAIL stage. If you are going to reject all bounce messages it is better to do it at the DATA stage.

• Reject bad recipients at the RCPT stage, not the DATA stage.

• Use a 5xx response, not a 4xx response, to reject bad recipients.

• Avoid using SMTP delays and greylisting on verification calls.

Comment

Well, both responses seem reasonable to me which makes things look hopeful. I agree that the title 'Implementation Issues' is a workable solution since it is effectively the same as limitations without the implied negative connotation. However, the text above lacks appropriate citations and, though Wrs1864 is willing to overlook that in some cases, the actual uncited text will always be a sticking point. My suggestion is along the following lines:

1. Label the section 'Implementation issues'.
2. Use the cited content from Wrs1864's existing limitations section as a starting point (because it is well-cited) and work the workarounds suggested in the text by Marcperkel into the text. Perhaps take each item and agree on the wording (as long as the wording does not stray too far from the cited references). Marcperkel, it would be much better if you could add some citations for the workarounds, even general ones would do. I do realize that a lot of this is seat of the pants stuff but references are always good and you do have a declared COI here so you need to take that extra careful step. For the unreferenced stuff, see point 3.
3. After you're more or less (or even less as long as you're ok with the structure of what's in the article!) agreed on the wording, submit the article for a peer review to WP:Wikiproject Computing, where the uncited portions of the agreed upon text can be appropriately vetted. This step is very important if ANY unreferenced material remains in the section.

So, is this a workable plan? If not, I suggest an RfC that addresses the title as well as the content of the section. Either way, I'm adding a WP:Wikiproject Computing template to the article so that a broader and more knowledgeable community is (slowly) made aware of this article.--Regent's Park (Rose Garden) 19:25, 25 February 2009 (UTC)

My wording could use some work. I would welcome a better writer editing it adding citations. Marcperkel (talk) 21:18, 25 February 2009 (UTC)

Thanks for the comments here.

As far as the name of the section goes, I am quite willing to change the name. I changed it from "drawbacks" to something that used "implementation" to "limitations" trying to find a more neutral term. I proposed "limitations" on the talk page because it was what the postfix doc used. A "implementation issues" section is fine with me.

Just to be clear, I don't have a problem with renaming the "limitations" section to "implementation issues", as per Regentspark's suggestion above. I forgot that the name of one of the sections that Marcperkel proposed was named "implementation issues" and I do *not* think Marc's section, as proposed above, is appropriate because it contains such HOWTO lines as "It is therefore important to use this technology lightly..." and "Developers ... should cache results ...". I could also see the name of the section being things like "implementation details". The outline of the process earlier in the article gives the basic idea, but the devil is in the details. Wrs1864 (talk) 16:25, 27 February 2009 (UTC)

I have three basic problems with the proposed text, most of these objections were put into edit summaries before. First, it violates WP:NOTHOWTO. We can't tell people how to implement things. I raised concerns about this very early on, and AndrewHowse deleted it because of this "HOWTO" problem. Secondly, much of it duplicates later text. Finally, it is all unsourced. For example, I didn't see anything in the links you gave above, or any other links I found, that SMTP callbacks reduce backscatter, instead when backscatter is brought up, it is that SMTP callbacks create it. I'm not sure I can really help rewriting it. When you first added this text, and I went through and removed all stuff that was duplicate, unsourced, or HOWTO, I ended up with nothing. I suspect that it would be most productive if I didn't try with this part.

RegentsParck: Could you give us some feedback on what you think would qualify as a reliable source? I asked about it earlier and I have mentioned above that I have a lot of doubts about the links (both pro and con) that Marc found. There is lots of discussions on NANAE, spam-l, blogs, etc. that talk about SMTP callbacks, many of them from noted experts, but I've stayed away from them. Wrs1864 (talk) 23:21, 25 February 2009 (UTC)

For what it's worth, I am a notable expert on the subject. I run a medium size spam filtering operation processing 5-10 million messages a day for some 4000 domains and I actually implement callback verification so I have a LOT of personal experience in all the quirks and side effects of the technology. If you google my name, Marc Perkel and spam you'll get about 19,700 hits. I run one of the world's biggest RBL lists. And I'm on 2 advisory boards for ICANN. If you want to find other notable experts that would be great. But I suggest finding someone who is implementing the technology rather than someone who dislikes it because people who are using it know more that people who are not using it. And Wrs1864 concerns about side effects of the technology, which I agree some of which are real issues, can be best be addressed by having some explanation as to how to avoid these problems. Marcperkel (talk) 02:28, 26 February 2009 (UTC)

(outdent) Unfortunately, one of the peculiar things about wikipedia is that expertise is given less weight (a lot less) than reliable sources. There are good reasons for this since the actual identities of users is unknown and so there is no community that can validate a person's expertise. Expert knowledge that resides only in a single person is something that wikipedia tries to avoid because, without adequate peer review - stress testing so to speak - it is impossible to judge the accuracy of that knowledge, especially under boundary conditions. The best way to use your expertise is to guide the structure of articles and to point others to the sources that you use in your work. (I also agree with Wrs1864 that your constant claims about what he thinks and does is unconstructive, to put it mildly.)--Regent Spark (crackle and burn) 17:23, 26 February 2009 (UTC)

Wrs1864, typically a WP:RS should be peer-reviewed which these sources are not. However, if it is correct that these two (postfix and exim) are the only or the major methods for callback verification and that the referred to websites are the places to go for information (somewhat like www.perl.com), then they are fine. --Regent Spark (crackle and burn) 17:28, 26 February 2009 (UTC)

(I added the article to Category:Computing articles needing expert attention]] in the hope that someone comes along to help you guys. --Regent Spark (crackle and burn) 17:33, 26 February 2009 (UTC))

OK, so it sounds like the current references of RFCs, exim and postfix are fine, which I agree with. They are both very major Mail Transfer Agents (MTAs), and they both directly implement callbacks. But, what about many of the other sources mentioned above? Of all the ones mentiond, the only ones I feel mildly comfortable adding are http://taint.org/2007/03/16/134743a.html, which was written by Justin Mason. He is the primary author of SpamAssassin, a spam filter that both Marc Perkel and I use, along with dozens of other commercial products based on it and thousands of direct installations. Does that qualify under [[WP:SPS[[? The other is http://www.circleid.com/posts/sender_address_verification/ written by John Levine? (Click the link to show that he is an established expert on spam.) I mentioned a link from onlymyemail.com, and Marc Perkel listed a whole bunch. Do these qualify under WP:SPS? I tend to think not because they are not established experts in the field.

Postfix and Exim are not the only MTAs that can do CBV, others can do it via third-party addin packages (sendmail has like 3 or 4 of these plugins). Verizon used to do CBV, I think they were using Sun Java System Messaging Server. The article, as currently written, covers the general topic. I suppose we could add a "comparison" section that lists the different MTAs, whether they have CBV built in, which techniques they use, etc. Wrs1864 (talk) 16:06, 27 February 2009 (UTC)

If the writers are not acknowledged experts, then generally you can't use them as WP:RS. However, that doesn't mean you can't cite them at all (as long as the cited material is not controversial and is not meaningfully! challenged). But, I really think you need to get a third editor with some knowledge about the area involved. You could, for example, ask User:Jehochman for help or he could direct you to someone who can judge the quality of the references and help resolve the differences that you and macperkel have. --Regent Spark (crackle and burn) 18:07, 27 February 2009 (UTC)

I believe, as I outlined above, that both Justin Mason and John Levine are widely acknowledged to be well-respected experts in the field of email spam. I guess I'll go ahead and add them in and see if they are meaningfully challenged. I'll ask Jehochman for ideas. I did ask User:Joy to review this article as he(?) was the one who originally wrote most of the "limitations" section, but otherwise I have tried to avoided even appearing to be canvasing for experts or "rallying the troops", there is NANAE for that kind of flamewar. Thanks again for your help here. Wrs1864 (talk) 19:10, 27 February 2009 (UTC)

Can somebody summarize what this dispute is about, setting aside the personalities? Perhaps pose the issues as questions. For what it is worth, Levine's blog appears to be a reliable source. (I was invited to comment here.) Jehochman ^Talk 22:31, 27 February 2009 (UTC)

Levine make 5 points, all of which are flawed. I'll address them in order.Marcperkel (talk) 10:18, 28 February 2009 (UTC)

• Just because it doesn't work on some systems doesn't mean it doesn't work at all. It is in fact very useful on the systems where it does work, which is most of the world. No one does a callout for every email address presented. My spam filtering system does less than 1/2 of one percent and many of those are cached. You also ignore false failures by ignoring servers that reject all empty senders. No one in the real world implements callback the way he is implying.Marcperkel (talk) 10:18, 28 February 2009 (UTC)
• His second point contradicts his third point that states 90% of sender addresses are forged.Marcperkel (talk) 10:18, 28 February 2009 (UTC)
• His third point is just a bare allegation of his opinion that callouts are abusive.Marcperkel (talk) 10:18, 28 February 2009 (UTC)
• His 4th point that callouts are likely to get you blacklisted is dead wrong. I personally am making 50k callouts a day and not getting blacklisted.Marcperkel (talk) 10:18, 28 February 2009 (UTC)
• And finally that callouts are discredited is untrue because every major MTA has built in callout features or third party callout enhancements. My servers receive thousands of callouts a day and I use the data to white list servers. (Spammers don't do callouts - only spam filters do callouts)Marcperkel (talk) 10:18, 28 February 2009 (UTC)

Marc, I believe the appropriate places to debate John Levine would be on the comment section of that article, on NANAE, spam-l, in private emails, on the IETF's Anti-Spam Research Group, etc. I do not think it can be productively debated here. Wrs1864 (talk) 12:12, 28 February 2009 (UTC)

I'll try to summarize. This is largely a dispute between Marcperkel and me (Wrs1864) with no other active editors. Claiming to speak for others has become a minor sore point, so I'll try to summarize my point of view. I believe the article should discuss the callback technique, and include not just a very basic sketch, but also the various techniques needed to work around corner cases, how it interacts with other anti-spam techniques, etc. I believe the content that was in "limitations" section was important, but I'm not tied to either that exact wording or format. I also think that it needs to have a neutral point of view and be well references. It is my understanding that WP:NPOV does not mean that there must be equal amounts of positive and negative things to say, but that the article should have all significant views that have been published by reliable sources. I think this article could use more active participants because it is hard to reach a consensus with just two. Finally, I consider both of us to be minor experts in this area. I think being an "expert" is somewhat irrelevant to wikipedia, but it can result in firm and strong opinions. Wrs1864 (talk) 12:12, 28 February 2009 (UTC)

Being an expert does matter. Experts tend to know more about a subject than non-experts. I think it matters to get it right. Additionally 2 admins have stepped in and both have told you to get rid of the limitations section. I'm tired of fighting with you over the implementation section. So we'll just leave Andrew's version that just says what it is and leave out all the extraneous crap. Anyone who wants to read about the controversy can read this talk page. Marcperkel (talk) 06:46, 1 March 2009 (UTC)

(outdent) I'm sorry, I'm confused. Which admins said to get rid of the "limitations" section and where did they say it? User:Joy is an admin, and he was the one who originally added the section here. User:RegentsPark is an admin and here he said "Clearly, there should be a limitations section." The only other admin that I know of who has commented is User:Jehochman, and he just asked for a summation and said that "Levine's blog appears to be a reliable source." here.

Ever since your last revert to remove the "limitiations" section, I've been waiting for you to start an RfC. As Regentspark said here that "If the former (you can not accept a "limitations" section), then a request for comment should be the immediate next step." Are you going to do the RfC, or should I? Or, should proceed along the lines of Regentspark's most recent comments of starting with the "limitations" section, rename it to "implementation issues", and merge your "implementation issues" into it, along with submitting it to the WP:Wikiproject Computing or review? Wrs1864 (talk) 11:45, 1 March 2009 (UTC)

I think what you don't realize is that I've already requested 3 times dispute resolution to end your edit war and most of these other editors here are admins who responded to my requests. It's over. It's been resolved. It's like Andrew said and you said, not the place to write a howto. And it's not the place for you to insert your dead wrong section on limitations. The article states what it is. It's done. I don't know how many people or how many times it takes for you to get it. You can't post your politics in the article. The article is done. The controversy is solved. Time for both of us to go away. Marcperkel (talk) 13:58, 1 March 2009 (UTC)

Ultimately - Andrew was Right

AndrewHowse (talk) was correct in his relevant polices section (above). The article should be about what it is, not why people hate it or how to do it. If people want to know the controversy they can read this discussion page. I'm reverting it back to Andrew's version. Marcperkel (talk) 09:49, 28 February 2009 (UTC)

If there is a controversy surrounding the protocol, and there are reliable sources reporting on that controversy, our article should summarize the main views in proportion to their relative prevalence. The article does not need to come to a conclusion about who is right or wrong. Jehochman ^Talk 17:31, 1 March 2009 (UTC)

There is a lot of controversy surrounding this protocol, I think the version of the article before Marc's most recent revert represented the balance that you described. Wrs1864 (talk) 20:37, 1 March 2009 (UTC)

I think the controversy can stay here in the talk pages and leave the article be about what the technology is. The controversy is more religious than technical and really has no place in the article itself. This is a technical article and in technology reality does matter. Ultimately AndrewHowse is correct. And it ends the edit wars. Marcperkel (talk) 22:10, 1 March 2009 (UTC)

Are any of the "Limitations", "Implementation issues" or "Implementing Callback Verification Support" appropriate?

All three sections are currently deleted from the article, they can be found at:

Limitations

Implementation Issues

Implementing Callback Verification Support

The "Limitations" was in the article for approximately 2 years. The "Implementation" sections were added by User:Marcperkel about a month ago. There were were some disputes over the content of these new sections and whether they duplicated the existing "Limitations" section, and whether they were accurate. User:AndrewHowse deleted all three sections on the basis of WP:NOTHOWTO. I re-added the "Limitations" section on the basis of it not being a HOWTO and that it provided important information that was documented in the references section. As a third opinion, User:RegentsPark stated that "Clearly, there should be a limitations section.", and later that "If the former (Marc Perkel can not accept a "limitations" section), then a request for comment should be the immediate next step." Marc Perkel then deleted the limitations section, resulting in this RFC.

My position is that I think the contents of the Limitations section should be included in the article because it provides important information about the details of this technique and known limitations. That not having this content violates WP:NPOV since there are significant controversies about this technique and as per WP:WEIGHT, these points are presented in the Limitations section on balance with reliable sources.

I think the "Implementing Callback Verification Support" is redundant, voilates WP:NOTHOWTO and contains unsourced opinions. All new information was merged into the Limitations section quite a while ago.

I think the "Implementation issues" violates WP:NOTHOWTO and contains unsourced opinions, but could probably be rewritten to be encyclopedic. Wrs1864 (talk) 21:09, 2 March 2009 (UTC)

So how many people have to tell you NO before you take NO for an answer? Marcperkel (talk) 21:58, 2 March 2009 (UTC)

Seeing as you are the only one so far who thinks that a Limitations section isn't needed, I guess the answer is "more than one". Wrs1864 (talk) 22:14, 2 March 2009 (UTC)

If you think I'm the only one here that thinks that the Linitations section isn't needed you aren't reading this discussion page. Editor/Admin User:AndrewHowse reverted your limitations page. Wikipedia is not the place for you to promote your anti-callback agenda. Marcperkel (talk) 04:51, 3 March 2009 (UTC)

AndrewHowse explicitly told you he was not an admin, please read what he writes. AndrewHowse did not object to the Limitations section, he asked for inline citations, which I added. Please read what he writes. Admin Jehochman explictly said that if there is a controversy about this, it needs to be on the article in accordance with WP:NPOV. The "limitations" section is not anti-callback, you yourself have said that many of the things are accurate. Just because you have a WP:COI to promote callbacks does not mean you should be able to have all discussions of controversy removed. Wrs1864 (talk) 11:22, 3 March 2009 (UTC)

Is Reality Important Here?

Some people seem to be arguing that reality, accuracy, facts and such are not important. I believe that is important to get it right. This isn't a debate like abortion over when life begins that reference subjective values. This is an area where facts are testable and if someone makes an assertion about a supposed limitation then they should be able to produce real life examples and statistics to back up their positions.

I have to object to assertions that being an expert doesn't matter and that people with real experience don't count. And even getting it right doesn't matter. As a reality guy I have to object to these kinds of assertions. I support anything that is provable in the real world. Marcperkel (talk) 19:31, 3 March 2009 (UTC)

Again, please read wikipedia policies. WP:V says in the very first sentence: "The threshold for inclusion in Wikipedia is verifiability, not truth—that is, whether readers are able to check that material added to Wikipedia has already been published by a reliable source, not whether we think it is true." In this particular case, the vast majority of experts in this field do not agree with your position, so any claims that the article does not need a "limitations" section violates WP:UNDUEWEIGHT. Your opinions do not represent the "truth" or "reality", far from it. Wrs1864 (talk) 12:32, 4 March 2009 (UTC)

NO NO NO - STOP IT!

How many people have to tell you that you can't put your bogus limitations section in. This is no place for your damn politics. QUIT DOING IT! Marcperkel (talk) 17:40, 9 March 2009 (UTC)

Again, Marc, you are the *only* one who has said that the "limitations" section is inappropriate. AndrewHowse said that it needed inline citations instead of just footnotes, which I added. Regent's Park said that "Clearly, there should be a limitations section.". Jehochman said that "If there is a controversy surrounding the protocol, and there are reliable sources reporting on that controversy, our article should summarize the main views in proportion to their relative prevalence." This is not "politics", nor it it "bogus". It is needed to main both the spirit and letter of the wikipedia policies. Wrs1864 (talk) 18:08, 9 March 2009 (UTC)

Not true. You've been reversed by several people. You're not being honest here. AndrewHouse removed your limitations section. Another editor here told you to merge it into implementations. And you are just plain factually wrong. You go out and cherry pick references to other people who are also factually wrong ignoring the other sources who are factually correct. You want reliable sources - that's me. I'm one of the big names in spam filtering and I personally am using this and I have the facts. If this didn't work or had the problems you claim no one, including me, would be using it. How many times do people have to remove your limitations section before you go away. You're not in the spam filtering business and you clearly haven't a clue about what you are talking about. Marcperkel (talk) 21:21, 9 March 2009 (UTC)

Marc, you need to provide some sources for your many claims. For example, you claim that I was "told ... to merge it into implementations.", but what was actually said by Regent's Park was "Use the cited content from Wrs1864's existing limitations section as a starting point", which is basically the opposite of what you claimed. So, there should be a limitations section, the name can be changed, but it needs to be there and your "implementations" section should be merged into it if you can provide citations to reliable sources backing up your claims. This isn't "cherry picking", it is straight reading. Wrs1864 (talk) 22:07, 9 March 2009 (UTC)

First of all, I am a source. Second, I provided you with several sources but you keep deleting everything I post and any source I site. You vandalize everything I post. So what gives you the right to remove everything I post and replace it with your garbage? Who do you think knows more about this technology? Someone who is doing it for a living, or you? Explain to me why you should reverse the will of everyone else here? What makes you the judge that your sources are better than my sources. Your work has been reverted by Wikipedia editors who responded to my call to resolve an edit war and you reverse them too. Tell me your qualifications. Marcperkel (talk) 23:54, 9 March 2009 (UTC)

The limitations section is simply not bogus, and this edit is abusive. The information provided in the limitations section is true, informative, and relevant, and censoring it outright like that is against the policy. Much of the same information was available in the article when I last left it (this edit) and I don't see any reason for it to be removed like this seemingly just because of a conflict involving a preceding series of edits. In fact, the updated section is better because it has more references.

That preceding series of edits, in turn, revolved around a text added by Marcperkel which was written in an imperative, personal style, like a HOWTO, and that is simply inappropriate for Wikipedia articles - the encylopedia is here to describe, not to prescribe. Marc, I suggest you take a step back and reexamine some of the policy documents that others have already linked to.

--Joy [shallot] (talk) 10:05, 10 March 2009 (UTC)

Protected

(outdent) USer:Marcperkel, unfortunately, you are not an acceptable source for content on wikipedia. Sources on wikipedia are reliable, third-party, published sources with a reputation for fact-checking and accuracy. All these characteristics of a source must be verifiable because we don't really know who you are. Material that is not published, not verifiable, and not from a verifiable reliable source can be challenged and removed. Of course, your expertise in the matter is welcome but it must be grounded in something other than a declaration of your qualifications and the statement that you're using this. I've put out a reasonable road map for you guys, that you start with the material in the limitations section after renaming it something neutral like 'Implementation issues' and then work together on the wording so that your concern that the text does not imply that callback verification is not workable is duly met. As far as I can see User:Wrs1864 has made a good faith attempt to start this dialogue but you haven't. Based on this view, I'm going to restore Wrs1864s most recent version, protect the page for one month, and request the two of you to make a good faith attempt to build an appropriate 'Implementations issues' section that can then replace the 'Limitations' section. We can revisit this entire issue at the end of one month but I'll unprotect the page for any consensus edits that you both agree on. --RegentsPark (Maida Hill Tunnel) 00:25, 10 March 2009 (UTC)

I have started a sandbox copy of the section so that we have something to work with. See Talk:Callback_verification/sandbox. I know that above we discussed changing the name, which I'm fine with. Regent's Park also said he wanted citations, and I think there are still a few points without some, so we either need to find cites or delete stuff. Again, this whole section was largely User:Joy's version, with other's (including me), modifying it, having you (or anyone one else who steps in) modifying it is fine. Again, I'm not tied to the point-outline type format that User:Joy created, but I do think we need to stick close to wikipedia policies. Wrs1864 (talk) 00:51, 10 March 2009 (UTC)

It all depends on whether or not you think there is such a thing as absolute reality or not. It all depends on whether or not you want to get it right or if you have some other higher standard and testable facts don't matter. Some people believe in objective reality and testable facts. Some people believe that reality is determined by a democratic process. If you have no respect for expertise or factual correctness that you will succeed in your objective of posting it your way. But the information will ultimately be wrong. The bottom line is - does getting it right matter? Marcperkel (talk) 03:58, 10 March 2009 (UTC)

Marc, you keep using words like "reality" and "facts". I do not think they mean what you think they mean. There are reasons why all experts in this field talk about the limitations of callbacks. Getting it right matters a lot to me, which is why I've spent so much time trying to prevent you from corrupting the article so that you can promote the technique your business uses. I'm happy to help try presenting the limitations in a neutral way, that is one of wikipedia's policies, you let the facts speak for themselves. I'm happy to try to help improve the article. I do, however, think the wikipedia policies are well written and well designed and need to be followed. Wrs1864 (talk) 11:27, 10 March 2009 (UTC)

Marc, I think you've misunderstood the purpose of wikipedia. We are creating an encyclopedia and have little interest in 'getting it right' in the sense of some absolute truth and more interest in 'getting it right' in terms of verifiable facts (the emphasis is on 'verifiable'). That, along with no original research and neutral point of view, is essential reading for anyone who wants to contribute to wikipedia. --RegentsPark (Maida Hill Tunnel) 15:25, 10 March 2009 (UTC)

The word FACTS and VERIFIABLE implies GETTING IT RIGHT. How do you verify something if you eliminate those who know what they are doing. Marcperkel (talk) 02:33, 12 March 2009 (UTC)

Verifiable amounts to All quotations and any material challenged or likely to be challenged must be attributed to a reliable, published source using an inline citation. No one is eliminating anyone. All you need to do is to find a reliable, published source that supports your point of view. Once again, I suggest you work with Wrs1854 collaboratively rather than view this as an 'all or nothing' confrontational situation. If you agree to do that, I'll unprotect the article. --RegentsPark (Maida Hill Tunnel) 02:14, 14 March 2009 (UTC)

Sorry - no agreement here. Reality matters. Expertise matters. I actually do this. I'm not just someone cherry picking quotes from other sources. You have the power to do what you want to do. But I'm not going to just agree to a process that I know is just plain dead wrong. I suggest that the Scientific Method is the best way to get it right. These are testable facts. Do the tests and I'll go along with whatever the results return. Marcperkel (talk) 04:31, 16 March 2009 (UTC)

That's too bad. But let me explain one last time: wikipedia is an encyclopedia. We don't investigate phenomena, we report the results of investigations that others have done where those investigations have been credibly peer reviewed. You seem to be unable to grasp this simple fact about wikipedia. (wrs1864, let me know when you are ready to make changes to the article and I'll unprotect it.)--RegentsPark (Maida Hill Tunnel) 17:38, 16 March 2009 (UTC)

Let me explain one more time. Accuracy matters. Getting it right matters. I'm a well known expert in the spam filtering industry and I'm especially well versed in callback verification. The question is if you are going to side with someone who is cherry picking articles that supports his agenda or someone who actually knows. Clearly you don't care about getting it right. It's lucky Einstein isn't with us because he wouldn't be able to write about relativity on Wikipedia. Marcperkel (talk) 03:22, 17 March 2009 (UTC)

Your Einstein example is a good one - and not just because of the irony in using Relativity to back up the Absolute :-) Of course Einstein would not write about relativity on wikipedia. He would write about it in an academic forum, the theory would be accepted as reasonable by the academic community, and then it would appear on wikipedia. Wikipedia is not the place for original research - whether the research is conducted by marcperkel or Albert Einstein. --RegentsPark (Maida Hill Tunnel) 11:50, 17 March 2009 (UTC)

(outdent) Marc, I'm really not sure how to help you here. Maybe your techniques in using callback really is great, but wikipedia is not the place to try to convince people. Consider, as Paul Graham has pointed out, he wasn't the first to try Bayesian spam filtering, but all the previous attempts failed because of poor implementations (such as, they ignored email headers). By presenting well reasoned arguments backed up by data to the appropriate forums, Paul Graham was able to convince a lot of people that Bayesian filtering was useful. I'm an expert in this field also, and you have completely failed to persuade me that you understand this subject clearly. It is possible that you and you alone knows The Facts, who sees Reality and knows The Truth. But, until then, I agree with User:Joy when he said above that "The information provided in the limitations section is true, informative, and relevant, and censoring it outright like that is against the policy.". Wrs1864 (talk) 11:30, 17 March 2009 (UTC)

One thing you can do is to quit deleting my work and replacing it with wrong information. I'm not exaggerating here when I say that I might be the foremost expert on how to correctly implement callback verification. About a month ago I sent you an email offering to filter your span for free. Did you get that email? If you do that you'll perhaps see some of the things I'm talking about. I suppose I should write my own article about callback verification on my own wiki so others have something to link to. Marcperkel (talk) 14:49, 17 March 2009 (UTC)

Yes, I saw your offer of a bribe to let you put inaccurate information into wikipedia, but I ignored it. I've seen you make similar offers on other places such as the linux kernel mailing list and saw you get flamed for spamming your services. As a result, I didn't see anything constructive coming from another person telling you to quit spamming. Accepting your offer of a bribe would make me into a meatpuppet for you and that could get me blocked from editing. Having seen more of how your run your filtering system, I would never ever consider letting you filter my email, if I was going to switch from running my own, I know plenty of competent ESPs to choose from. Wrs1864 (talk) 15:04, 17 March 2009 (UTC)

Wayne, trust me. I'm really NOT into making you my meat puppet. My offer is withdrawn. I will however make my offer available to anyone else who will act as a neutral third party. Marcperkel (talk) 06:44, 28 March 2009 (UTC)

Marcperkel, yes, please do write an article on your own wiki. Meanwhile, Wikipedia needs to be balanced; your expert status as an implementer of callout verification (COV) does not entitle you to squelch other viewpoints here. The section on limitations is highly useful, particularly since callout verification (COV) is—to say the least—controversial, and since using COV can seriously damage email deliverability for the using party (especially if their resources are limited). Hence, I consider it important that the limitations section remain. 85.156.227.198 (talk) 01:33, 22 June 2009 (UTC)

article modifications

I'd like to propose a few modifications to the article. As the protection box says, administrators can make these changes *IF* there is consensus.

First, I think we should go ahead and rename the "Limitations" section to be "Implementation issues". That seemed to have consensus from above.

Second, I keep forgetting to downcase "Sender Address Verification" in the lead. I think Marc fixed it once, but it got lost.

The third change hasn't been discussed, but I was reminded by John Levine's clarification of "callback" vs "call forward". In RFC 5321 section 7.3, it mentions that the "VRFY and EXPN are still useful for authenticated users and within an administrative domain.", and making a "call forward" is an example of such. I'm thinking it might be good to work in a reference into either the "call forward" part, or in the later when RFC 2505 is mentioned. Wrs1864 (talk) 13:37, 11 March 2009 (UTC)

We can make those changes if no one disagrees in the next day or so. Meanwhile, you might want to consider ways to shorten the 'Implementation issues' section. The length of that section is out of sync with the length of the article. --RegentsPark (Maida Hill Tunnel) 15:33, 11 March 2009 (UTC)

Some of the stuff that is now in the "limitations" section used to be in other sections. The whole article wasn't that well organized. It is possible that the best approach would be to split stuff out. For example, many of the "limitations" are really just more detailed steps in the process and might be best moved into the "process" section. (e.g. any of the items that mention "random email address" is really describing part of the process.) I always assumed that User:Joy just took the postfix documentation's "limtations" section and added a few things, so this long list organization is because it was easiest. Wrs1864 (talk) 18:25, 11 March 2009 (UTC)

No, I actually did not take the Postfix documentation but my own simple experience with Exim when I edited the "Drawbacks" section, as it was then named. I don't really see much of a problem with either title and I keep using this method myself. I removed the old tags from the article because they were contributing nothing. I left the one on top for now, but it also looks fairly pointless. --Joy [shallot] (talk) 10:34, 8 June 2010 (UTC)

Regent's Park: I noticed above you asked when I would be ready to modify this article. I am currently traveling and my time is limited. I've been pondering the best article structure to move the "limitations" which are really just steps in the process into the process section without turning it into a rambling mess. I do think I should point out, however, that I don't think the article is that bad right now. For example, if you took the referenced postfix doc, stripped out the "how to configure postfix" parts, along with the "call forward" parts, you end up with an article similar to this one: a short description, followed by a longer "limitations" section. As per WP:NPOV, the article structure and content does conform to the balance presented in the expert sources. Wrs1864 (talk) 11:11, 17 March 2009 (UTC)

Getting it correct matters

Some things have testable fact and some things are subjective. Some people are interested in getting it right. That there is an absoluter reality and that getting it right does matter. Some people here seem to imply that getting it right isn't as important as other processes. My position is that the issues in dispute are testable and the results are verifiable. If the limitation that are being proposed are actually real then I'll go along with anything that is proven. To me the only thing that matters is accuracy. Marcperkel (talk) 04:53, 16 March 2009 (UTC)

I'm sure any of the users here will go along with anything that is proven. However, it must, indeed, be proven. "I said so and I know things" isn't proof. "Here's a newspaper, academic journal, or book that said so" generally is. Stifle (talk) 19:26, 29 March 2009 (UTC)

Duplicate article

Shouldn't this article be combined with the SAV article (SAV, CBV and challenge-response all refer to the same technique): Sender_Address_Verification 208.240.243.170 (talk) 00:37, 17 November 2009 (UTC)

Callback verification (dial-up modem)

I notice there is no mention on this page of the original form of "callback verification". In the days before call display and broadband Internet it was not uncommon for an individual microcomputer to be installed on a dial-up line and auto-answer modem as a server, often as part of a self-contained computer bulletin board system. One technique widely tried as a means to prevent duplicate or abusive registrations was to have an auto-dial modem place a call back to the end user, who would then be asked to confirm the registration request. The system was subject to some level of abuse (as it could be used to place "verification" calls to unsuspecting third parties), although certain key local numbers were carefully excluded by configuration (cops, fire, pizza...) so that calls couldn't be placed to emergency or premium numbers; there were also normally time-based restrictions to disable new callback registrations in the middle of the night. Largely obsolete once calling number display systems were deployed and the ability to decode caller ID found its way into modems; likely more of a risk of abuse than any real benefit were this used as the sole verification step today. Nonetheless, these should be noted briefly for historical completeness? --66.102.80.212 (talk) 23:11, 21 June 2010 (UTC)

Auto Archiving

Since this talkpage is around 97 kb should it be archived? Adamdaley (talk) 07:56, 25 July 2010 (UTC)

It wouldn't need to be archived if this talk page wasn't used as a forum to debate a topic. I was going to archive it but what's the point since the only thing being archived is a forum. Woods01 (talk) 01:51, 17 January 2011 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified one external link on Callback verification. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20080405231748/http://spamlinks.net/prevent-secure-backscatter.htm to http://spamlinks.net/prevent-secure-backscatter.htm

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 09:52, 29 July 2017 (UTC)