RE: [Exim] Re: Exim auth query

On Thu, 12 Feb 2004, Ted Cooper wrote:

> > rfc1413_query_timeout = 0s
>
> Leaving it on 30s means that anyone who has a broken MTA (err..
> Spammers) that doesn't wait for the greeting gets knocked back before
> thay even start which I see as a "A Good Thing".

It also makes life difficult for those of us who would like to verify
addresses via callout. (Cue routine raspberries from the gallery who
think that doing such a thing is broken anyway...)

If you want to insert a delay somewhere, maybe it would be better done
at some point *after* checking that the sender is going to specify a
non-null envelope sender (MAIL FROM).

> It's one of the reasons I use Exim - you can make it as pedantic as
> you want to stop the 99% of spammers that do _something_ wrong when
> trying to send emails.

Sure: if certain conditions are fulfilled which suggest the calling IP
might not be a bona fide MTA, then they get a delay from us which is
> 60s but < 5mins - and it's reasonably efficacious - but that's at
the RCPT TO stage, after we've seen the MAIL FROM.

> Oops, /rant. Ident checking is good!

At one time, ident was picking out a humungous number of leaky squids
(ooh-er, Missus) and "CacheFlow Server"s for us, but, over the last 10
weeks' logs, this has reduced to a grand total of a mere 250-ish
CacheFlow instances, and 95 squid instances. So it's not useless, but
we have the timeout set at 7 seconds, and that seems to work fine for
us. We definitely felt that 30s would be overdoing it.

The change seems to be because there are now some effective blacklists
for open proxies, whereas there weren't at the time we started
checking the ident for those particular tell-tales.

hope this helps