Re: [Exim] Sender verification...

Top Pagina
Delete this message
Reply to this message
Auteur: Alan J. Flavell
Datum:  
Aan: Toralf Lund
CC: Exim users list
Onderwerp: Re: [Exim] Sender verification...
On Mon, 23 Sep 2002, Toralf Lund wrote:

> I have noticed that a large proportion of all the spam messages we are
> getting have an invalid sender address, so I've considered enabling the
> sender address verification of Exim. It does, however, seem a bit drastic
> to plainly reject all messages that can't be verified.


There's a relatively short list of domains which cover the majority of
counterfeited sender addresses, in our experience.

For us, this includes our own domains (they like to counterfeit
addresses like 1234567@???), and the usual repertoire
of throwaway domains (yahoo.*, hotmail.com, etc.).

Let's look at what we do for the domains which aren't our own. So
(assuming exim v4) a stanza in "configure" like this could be useful

  deny    hosts = *
          sender_domains = partial-dbm;CONFIG_DIR/callback_domains.db
         !verify = sender/callout


with the .db containing your choice of domains to check.

However, this also means you would be verifying the envelope sender
even of mails coming from the outgoing MTAs which serve the actual
domain.

You might prefer some stanzas like

   deny hosts = !*.domain.example
        sender_domains = domain.example
        !verify = sender/callout


for some of the most-frequently-counterfeited domains, so as to avoid
callbacks when the mail comes directly from the domain? (That's
assuming of course that the outgoing MTAs for @domain.example will
look-up as DNS host names *.domain.example - adjust that according to
situation!). By the way - yes, this _does_ rely on DNS lookups for
the calling host, but it hardly seems practical to keep track of all
the MTA IP addresses for a given email domain such as hotmail or msn.


Before you add a domain to your callback .db it's advisable to make a
few tests to see that it really _is_ willing to repudiate invalid
addresses at RCPT TO time. For those which refuse MAIL FROM:<>
altogether, you have to set your own policy.

We have a stanza

  deny    sender_domains = partial-dbm;CONFIG_DIR/unreach_domains.db
          message = We are currently unable to accept mail from \
          $sender_address_domain\n\
          because that mail domain is persistently unreachable or not\n\
          responding properly, for reasons that are outside our control.\n\
          We do not know if/when the problem will be resolved, but you\n\
          could try again in a few days, or if the matter is urgent\n\
          then contact postmaster@???


into which we put email domains which are persistently unreachable or
which respond in defective ways. A few of those were put in because
they reject MAIL FROM:<> and don't seem to us to be a potential source
of productive mail.

good luck