Re: [exim] Sender verification

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [exim] Sender verification
On Thu, 27 Oct 2005, Ian FREISLICH wrote:

> FWIW (if you want this for an anti spam measure) I've decided that
> callouts are evil.


Performing callouts "as a matter of course" probably -is- rateable as
"evil". I think it's fair to say that selective use can be the least
of many evils, though.

> There are loads of domains that you will need
> to make 2 callouts because they refuse mail from <>.


Oh no: if they are found to refuse mail from <>, which they're not
really supposed to do, then we have a simple checklist:

1. Do we have a compelling business case to want to hear from them?
Then don't do callouts on that domain.

2. We conclude that they don't participate properly in email, so we
don't want to hear from them. Implement the <> callout, and let them
block their own mail until they learn better. (As you see, this
repairs itself automatically as soon as they start accepting bounces,
without any extra work on our part).

There are, I should say, only a handful of domains which passed-out at
the first checklist point.

> I couldn't be bothered in the end to actively maintain a whitelist
> and dropping the callout did not affect my incoming spam rate.


It stops quite a number of spams for us, from offering MTAs for which
we'd have no other reason to refuse the item *without* the overhead
of spamassassin rating - which means it's a net benefit to us.

I'm keenly aware that when the presented envelope-sender is a fake, it
means we're using a (small amount per transaction of) some innocent
third-party's resources in order to keep the spam out. That isn't
nice, really (as Suresh emphasised on this list in the past); but, as
I say, it seems to me that if it's done selectively, it's not too
harmful overall. And in many cases the faked sender is fixed, so,
after being tried and repudiated once, the answer gets cached, and
repeat offerings of spam are refused "for free", without bothering the
innocent third party.

regards
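
The selective callout policy discussed in this message, sketched as an Exim configuration fragment. This is an added example, not part of the original post or the poster's own configuration; the list name callout_skip_domains, its file path, the rejection text and the expiry values are assumptions chosen for illustration.

```exim
# --- main configuration section ---

# Hypothetical exemption list (checklist point 1): sender domains that
# refuse MAIL FROM:<> but whose mail is wanted for business reasons.
# One domain per line in the file; the path is a placeholder.
domainlist callout_skip_domains = lsearch;/etc/exim/callout_skip_domains

# Callout results are cached, so a faked sender that was repudiated once
# is refused on repeat offerings without contacting the third party again.
# Illustrative values only.
callout_positive_expire = 24h
callout_negative_expire = 2h
callout_domain_negative_expire = 3h

# --- inside the ACL named by acl_smtp_rcpt ---

  # Callouts "as a matter of course" would be the unconditional form:
  #
  #   deny  !verify = sender/callout
  #
  # Selective form: skip exempted domains, call out for the rest.
  # A sender callout uses the empty sender (MAIL FROM:<>) by default, so
  # a domain that rejects bounces fails the check and blocks its own mail
  # until it starts accepting them (checklist point 2).
  # defer_ok treats a temporary callout failure as a pass, so an
  # unreachable third-party server does not cause a rejection here.
  deny    message         = Sender address failed callout verification
          !sender_domains = +callout_skip_domains
          !verify         = sender/callout=30s,defer_ok
```

Removing a domain from the exemption file is enough to put it back under the callout check; the negative cache entry expires on its own, which is the self-repairing behaviour the message describes.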