Hi Ramon,
on Tue, Sep 23, 2008 at 11:45:41PM +0200, you wrote:
> I would recommend not to implement such a tool.
> 
> 1) I wouldn't send you mail anymore if you made me jump through hoops to
> confirm that me is actually I.
> 2) I personally think it's a stupid way of dealing with the problem
> 3) I can't see any way to get them to work with lists

I agree that this is not a good solution, however there is a pretty
simple rule that would make any such autoresponding tool work with
mailing lists: just don't reply to anything with a "Precedence: bulk"
header. Of course while that's a failsafe way for out-of-office
programs, you'd need to effectively whitelist bulk mails, giving
spammers the possibility of bypassing your filter. They're not very
likely to do that but it's a small part of why this "solution" is
bad.
Once in a while we come across a customer with such a system at work
(ISP abuse dept.), and it's usually not very nice. Our ticket system
sends some notification (like "You've probably been hacked/have a
trojan, check this and that"), the autoresponder comes back with "please
confirm your mail by doing XY") which a) pisses off the operator because
they have to manually check the ticket and b) probably doesn't work
anyway because that the ticket system (having an automatically-set
subject and stuff like that) can't do it anyway. So the account will
likely be locked and we just wait for the customer to call.
What you can easily do, in order of personal (well, I don't run my own
mail server any more) preference:
- block dialup ranges
- use IP blacklists like SORBS
- use SpamAssassin, possibly with more blacklists like SURBL
- check DomainKeys and/or SPF headers for scoring
- use greylisting

cheers,
	Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0  8DEF 48D9 1700 FAC3 7665