Re: [exim] Sender verification

Pàgina inicial
Aquest missatge és part del següent fil:
M\l'arbre de fils complet ordenat per data
MMIan FREISLICH en <-
MMIan FREISLICH en ->
Delete this message
Reply to this message
Autor: Alan J. Flavell
Data:  
A: Exim users list
Assumpte: Re: [exim] Sender verification
On Fri, 28 Oct 2005, Ian FREISLICH wrote:

> Ah, you folk in acedemia might not then have encountered the argument
> from a paying customer "I don't care if the admin of the site hosting
> my prospective customer is a fool, your decision to not accept their
> mail on the basis of the failed callout is costing me potential
> business".

Since you can't reliably tell the difference between a spammer, and a
misconfigured but otherwise bona fide sender, you'd have to accept
everything that was offered, and leave it to the recipient to decide.

Our users would not tolerate that - they are overwhelmingly supportive
of our anti-spam efforts - I'd go further, they positively *demand* it
of us; the number of complaints received from our own users about
rejection of bona fide mail offers is very small, and usually the
explanations we give them are well-received.

The most recent complaints that I can recall, on the other hand, from
would-be senders themselves were, in fact, people presenting their own
*.gov sender addresses but trying to send direct-to-MX mail from their
US domestic DSL accounts. I don't know about you, but when presented
with such a scenario I would definitely "smell a rat".

> And that is a nice intellectualisation.
[...]

> What I don't get is why you (and many others) think it's OK to:
> 1. Steal resources.

Because we play our own part in responding to callouts when our own
domains are faked as senders by the spammers (which they heavily are)?

> 2. Participate in a DDoS attack (of innocents to boot).

I must stress that callout is pretty much a last-resort in the RCPT
ACL. There are plenty of earlier opportunities for us to reject a
RCPT offer without bothering a third party in that way.

While it's possible to devise the kind of DDoS scenario that you
mention, we have a number of countermeasures which I suspect would be
more likely to make our own server unresponsive (with the max number
of exim processes having rejected abusive requests and then applying a
time delay) before we'd managed to DoS anyone else.

And callout certainly is not our default - it's only used in selected
circumstances.

But yes, your point is taken, and if you are opposed *in principle* to
this approach then I appreciate that there is nothing I can say that
will satisfy you.

regards


Aquest missatge es va enviar a les següents llistes de correu:
Exim-users
Informació sobre la llista de correu | Missatges propers		<-Re: [exim] Sender verificationRe: [exim] Spam block idea:->
Tahini and Hummus and Cumin Development Archives administrat per cumin AdminsLurker (versió 2.3)