Autor: Marc Sherman Data: A: Marilyn Davis CC: exim-users Assumpte: Re: [exim] Heads up?
Marilyn Davis wrote: >
> Thank you. But that's not quite my question. You say "The challenge
> *is* sent ..." I think you mean that that's how the current C/R
> systems work. I agree that the ones I've experienced are faulty.
>
> I'm talking hypothetically here, trying to wrap my mind around the
> possibilities.
>
> *If* the challenge was sent back at smtp time in the acl_smtp_data,
> wouldn't that be an improvement?
How do you propose to do that? With a 550 response, with the challenge
info embedded in the reason text? That would be much more difficult for
the original sender to reply to -- at least TDMA-type solutions set
Reply-To: so the sender just has to reply to the challenge mail. You'd
likely see many more desireable mails lost if you make it more difficult
for a valid sender to respond to the challenge. The average user is
likely to see a 550-bounce from their SMTP server, assume your account
is hosed or their address book is incorrect, and never even read the
text you embed in the reason string.
[Fred Vile's reply just arrived, and he and I appear to be thinking with
one mind here.]
If, on the other hand, you use a 450 for the challenge, well, you've
just rediscovered graylisting. That's another one of those
not-quite-universally-appreciated anti-spam measures, but I'll take
graylisting over c/r any day of the week.
>>1) Bogus return address: the challenge gets rejected at SMTP time, the
>>original message is blackholed, no-one is annoyed. This is the same way
>>that sender callout verification works.
>
>
> Or the header_sender verification is even closer. But my
> understanding is that this cannot check the local_part?