Scott Bryce wrote:

> Tim Greer wrote:
>> The chances of a spammer sending a forged from address with your
>> domain/sender address to someone that's legitimately on your mailing
>> list that pays to use your site/services, is quite unlikely.
>
>
> I checked. The recipient isn't in my database. But I shouldn't have to
> check. Spam blocker software should at least let me know what the
> subject of the original email was.

I see, I thought you were saying they were in your database. I'd
implement something that can auto-cross check that. I agree that you
shouldn't have to check and that the anti-spam software should provide
at least a header, but it's pretty uncommon (other than from mailing
lists -- I understand that is the problem though) to have to
bounce/auto-reply with the message to verify, since most people email
directly and those are the people they usually count on seeing the
message, those people knowing they emailed them.

I think some anti-spam verification software like this will not auto
respond back with the subject, let alone the body, because then people
would get getting back scatter spam, where they actually spam people in
the bounce/auto-reply (even a subject could contain everything a
spammer needs some sucker to see). If that happened, then the person
that had the anti-spam "verify you're real" system, would be reported
(legitimately) as the spam source. I assume this is why it doesn't
include anything from the original email.

There's no good way around it, and it's not even good to force people to
verify (after all, you were a victim of the non-spam content back
scatter, because their system blindly assumed you were the sender or
just didn't care if you were or not). I would conclude their system on
their end, is poor. For that reason, as well as for the reason you've
outlined (not giving you any indication that you were the one that
actually emailed them -- from your mailing list).

Obviously, it's intended and usually works for the sake of someone
almost always knows who they've emailed, so there's no debate about if
you sent it and need (or want) to verify you are real. So, I'd only
suggest some method to cross check, since you ultimately should know as
well (and it can save some hassle), even if it is a mailing list. I
don't pretend their system is not working with broken logic though, but
that's the only suggestion I can conceive at this point, and having
more time I'd put more thought into it. I think that's pretty much it
though.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!