Author: James P. Roberts
Date:
To: Kevin Sindhu, Suresh Ramasubramanian, exim-users
Subject: Re: [Exim] Fw: for Kevin Sindhu
Kevin:
My apologies for interjecting into this discussion. It sounds as though
you have set up your SA to score points against any email that
"originates" from a blacklisted host (which is going to include most
ADSL and Cable users, who are assigned dynamic IPs from blocks of IPs
that are frequently found on DNS blocking lists). Now, most of those
users are assigned a smarthost SMTP server to relay their emails
through. The only reason to block their emails as spam might be if
they are running an actual MTA on that dynamic IP, instead of connecting to
their ISP's smarthost with an ordinary MUA. Right? If you disagree
with this, then you are going to be blocking a large, and growing, set
of innocent internet users.

I think the point is, it does not make sense to test on received
headers. For one, they are readily falsified. For another, only the
most recent one should have any bearing with respect to DNS blocking
lists (and I would argue it has NONE, since if it doesn't match the host
actually contacting you, then it is probably a forged header anyway, or
perhaps the receiving MTA is adding it incorrectly. One of those). The
whole idea of DNS lists, as I understand it, is to list open-relays
and/or other known sources of spam. So long as the host actually
contacting your SMTP service is not blacklisted, it would be reasonable
to presume that it is NOT an open relay, and that any "originating" host
(as you put it) was actually authenticated to be permitted to relay
through it. By this argument alone, it makes no sense to test on
received headers.

If your scheme were wide-spread, it would, in self-defense, become
necessary to strip all received headers from any mail that goes through
our servers, so that our own customers, who may use ANY ISP to access
the internet, will be able to send their emails, properly authenticated,
through our servers, without having to worry about such over-zealous use
of DNSBLs. I would submit that this would be a "bad thing" (the
stripping of headers, that is).

I must side with Suresh and others, who think that using DNSBL tests
on received headers is just a bad idea. The way internet access works
these days just doesn't lend itself to such tactics. It falls in the
category of "throwing the baby out with the bath water."
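
The contrast argued above, as an added example that is not part of the original post: a header-scanning check flags an authenticated ADSL user relaying through the ISP smarthost, while a check on the connecting host does not. The message, host names, addresses (documentation ranges) and the in-memory stand-in for a DNSBL zone are all constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample data: documentation-range IPs, hypothetical host names.
LISTED = {"203.0.113.57"}  # stand-in for a DNSBL zone listing a dynamic ADSL pool
RAW = """\
Received: from smtp.isp.example (smtp.isp.example [192.0.2.10])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2001 10:00:02 +0000
Received: from home-pc (adsl-57.pool.isp.example [203.0.113.57])
\tby smtp.isp.example with ESMTPA; Mon, 1 Jan 2001 10:00:01 +0000
Received: from bank.example ([198.51.100.99]) by nowhere.example; Mon, 1 Jan 2001 09:00:00 +0000
From: user@isp.example
Subject: hello

body
"""
# Only the first (newest) header was written by the receiving MTA; everything
# below it is supplied by the sending side and cannot be verified.

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Return every bracketed IPv4 literal from Received headers, newest first."""
    msg = email.message_from_string(raw)
    found = []
    for header in msg.get_all("Received", []):
        for candidate in IP_IN_BRACKETS.findall(header):
            try:
                found.append(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                pass  # looks like an IP but is not a valid address
    return found

def is_listed(ip, zone=LISTED):
    """Stub for a DNSBL query; a real check would be a DNS lookup."""
    return ip in zone

def header_based_hits(raw):
    """Header-scanning policy: score any listed IP found in any Received header."""
    return [ip for ip in received_ips(raw) if is_listed(ip)]

def connection_based_hit(peer_ip):
    """Connection policy: test only the host on the other end of the SMTP session."""
    return is_listed(peer_ip)

if __name__ == "__main__":
    print("header scan hits:", header_based_hits(RAW))
    print("connecting host listed:", connection_based_hit("192.0.2.10"))
```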