On Thu, 2004-07-15 at 08:50, Alan J. Flavell wrote:
> One way of cutting down on callout attempts is - if you know what the
> genuine outbound MTAs are for a given domain, then you only try a
> callout when the envelope-sender is presented from a *different* MTA.

So, with SPF:

  deny
    message = The sender address <$sender_address> does not seem to be \
              valid, and SPF information does not grant $sender_host_address \
              blanket authority to send mail from $sender_address_domain.
    log_message = SPF + sender callout failed.
    !spf = pass
    !verify = sender/callout,random

> Sorry, I've rambled on a bit there. Callouts are contentious and can
> be troublesome. There are folks who think they're at least
> discourteous, if not downright abusive. In the long term it's kind of
> obvious that if the use of callout became widespread, spammers would
> simply move over to faking real addresses, or faking addresses on
> domains where callout doesn't work.

If the domain in the sender address signs their outgoing envelope sender
addresses, they have an opportunity to certify not only the validity,
but the authenticity of the sender. I wish every site would do callouts
if *my* address appeared as the sender of a mail.

-tor