Author: Giuliano Gavazzi Date: To: Tim Jackson, exim-users Subject: Re: [Exim] Using ACLs to verify RCPT TO
At 3:42 pm +0000 2004/01/01, Tim Jackson wrote: >I think what Alan was getting at was not that it's good to accept invalid
>addresses, but rather to check DNSBLs *before* checking the recipient
>validity (rather than the other way round, as was suggested), on the basis
>that it prevents spammers who are listed in a blacklist from checking
>lists of users.
of course this is what he meant. But...
>I've pondered the two options myself, and have never really decided the
>best course: checking the DNS lists first may obviously cause some extra
>load (depending on the relative 'cost' of a DNS/blacklist lookup as
>opposed to a local recipient lookup on your system). But on the other hand
>it does prevent known spammers doing dictionary-list lookups and getting
>useful results.
Well, there are other ways to stop dictionary attacks and there is no
connection between RBLs checks and stopping dictionary attacks. So,
checking RBLs before recipient address is not going to protect you
from dictionary attacks in general (I know you said "known spammers").
Actually, I could even say that it makes no difference if you do your
RBLs afterwards, as long as the spammer does not check the content of
the error. This is obvious: if it is in an RBL then it will be
rejected one way or another, existing user or not.
So, always check the local recipient first.