Autor: Ian Eiloart Datum: To: Renaud Allard, David Saez Padros CC: exim users Betreff: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
--On 18 October 2006 10:46:49 +0200 Renaud Allard <renaud@???>
wrote:
>
> Indeed, but, as mentioned before, some will argue that if the spf is
> false you have no right to use their resources to verify things as it is
> probably a spam. And if spf != pass && spf != false (IE: not defined)
> you still have no right to do a callout as you could be a player in a
> ddos.
If a spammer has registered a domain, and is using that domain for sender
addresses, then there are a few possibilities:
1. They provide accurate MX records pointing to a host that they have
access to. In this case, callouts aren't going to hurt anyone - except
perhaps other users of that host.
2. They provide fake MX records, pointing to some other SMTP host. In this
case, the old arguments apply - the callouts will block spam, at some cost
to the host's owner, but at less cost than bouncing messages. Marc Perkel's
idea about rate limiting callouts per domain could be useful here.
3. They provide fake MX records, pointing to a host that is NOT an SMTP
host. In this case - I think - Exim will cache the connection failures for
the domain, and all the spam directed at a particular host will be blocked
at the cost of a single dropped connection per
callout_domain_negative_expire (which defaults to 3 hours). At least, I
think that's true. Section 39.34 says this is true of rejects before RCPT
TO, but doesn't say what happens when the connection fails.