Re: [Exim] Using ACLs to verify RCPT TO

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Using ACLs to verify RCPT TO
On Thu, 1 Jan 2004, Tim Jackson wrote:

> Hi Tony, on Thu, 01 Jan 2004 15:33:18 +0000 you wrote:
>
> > It's a very bad idea to accept email for invalid addresses,


Right. If I refuse to accept their mail on the grounds that they're
blacklisted, the mail has still been refused.

> I think what Alan was getting at was not that it's good to accept
> invalid addresses, but rather to check DNSBLs *before* checking the
> recipient validity (rather than the other way round, as was
> suggested), on the basis that it prevents spammers who are listed in
> a blacklist from checking lists of users.


Just so.

> I've pondered the two options myself, and have never really decided the
> best course: checking the DNS lists first may obviously cause some extra
> load (depending on the relative 'cost' of a DNS/blacklist lookup as
> opposed to a local recipient lookup on your system).


This is true. However, it seems to me that this is a relatively small
overhead compared to spam-rating, which we're doing (for mail that
manages to get past any earlier ACL conditions). So, if we were
running out of resources, I wouldn't see the elimination of DNSRBL
lookups as being our first priority. My own first priority would be
to look for additional inexpensive ways of rejecting spam before it
gets as far as the spamassassin checks. And/or throwing some more
processor resources at the problem, obviously.

> But on the other hand it does prevent known spammers doing
> dictionary-list lookups and getting useful results.


To be honest, I don't have any idea what proportion of dictionary-type
attacks are paying any attention to the results that they get. But
whatever that proportion is, I'm reluctant to play the game by their
rules.

happy new year
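
The check order discussed in this thread, written out as an RCPT ACL. This is an added example, not configuration posted by anyone in the thread and not Exim's shipped default. It assumes `acl_smtp_rcpt = acl_check_rcpt` is set in the main section and that the named lists `local_domains` and `relay_from_hosts` are defined there; `dnsbl.example.org` is a placeholder for whichever DNS list is in use.

```exim
# Added example: RCPT-time ACL with the DNSBL test placed before
# recipient verification. List names and the DNSBL zone are assumptions.

acl_check_rcpt:

  # Mail injected locally (no remote host) is not subject to these checks.
  accept  hosts         = :

  # Hosts we relay for are trusted and skip the DNSBL lookup.
  accept  hosts         = +relay_from_hosts

  # 1. DNS blocklist first. A listed host receives this same rejection
  #    for every RCPT, whether or not the local part exists, so the
  #    responses tell it nothing about which addresses are valid.
  deny    message       = rejected because $sender_host_address is \
                          listed at $dnslist_domain
          dnslists      = dnsbl.example.org

  # 2. Only hosts that passed the DNSBL test reach recipient verification,
  #    so invalid addresses are still refused at SMTP time.
  deny    message       = unknown user
          domains       = +local_domains
         !verify        = recipient

  # Valid recipient in a domain we handle.
  accept  domains       = +local_domains

  # Anything else is an attempt to relay through us.
  deny    message       = relay not permitted
```

Swapping blocks 1 and 2 gives the other ordering debated above: the local lookup runs first and saves a DNS query for bad addresses, but a listed host then sees "unknown user" for invalid recipients and the blocklist message for valid ones.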