Re: [exim] UCEPROTECT Blacklists and why callouts are abusiv…

Author: Stuart Gall
Date:  
To: Dean Brooks
CC: exim-users
New-Topics: [exim] Hotel SMTP proxies etc Re: UCEPROTECT Blacklists and why callouts are abusive
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive

On 18 Oct 2006, at 03:30, Dean Brooks wrote:

> On Wed, Oct 18, 2006 at 12:15:36AM +0100, Andrew - Supernews wrote:
>>>>>>> "Renaud" == Renaud Allard <renaud@???> writes:
>>
>> Renaud> In a perfect world we would need neither callouts nor
>> Renaud> blacklists as people wouldn't send spam in the first
>> Renaud> place. But we are not in a perfect world.
>>
>> Trying to block spam by using other people's resources without
>> permission is just as bad as sending spam.
>
> Just throwing in my opinion here, but I totally agree with Andrew on
> this one. Sender verification callouts without first ensuring the
> sender is sourcing from an authorized host (via SPF or other means) is
> essentially as bad as spamming. Those callouts are using resources
> that provide no benefit to the owner of the resources being used.


SPF is fairly useless; most companies will have employees traveling
and using different SMTP servers. I use smtp auth for all my clients
but even then I have come across hotels that have installed
transparent SMTP proxies and so the user has to turn smtp auth off
and use the hotel's SMTP server.

>
> Anyone who has run a very active mail server will tell you that
> callouts can use *enormous* amounts of resources if amplified
> appropriately. Denial of service would be very easy with only a few
> sites doing callbacks and an aggressive forger. The only reason this
> doesn't happen more often is very few sites use callouts (thankfully).


How do you know how much of this was callouts and how much was
attempted DSNs?
So definitely failure to reject on virus, attachment, spam, user or
whatever at SMTP time is much worse than doing callouts - right?
(Hypothetically, coz I do all this at SMTP) I am perfectly within my
rights to bounce a message back to the envelope sender address for
whatever local policy it violates. Also, if it is refused, normally I
would do at least 1 or 2 more retries with auto_thaw. This is
perfectly acceptable, yet it causes more bandwidth usage than callouts.

A callout is what, 100 bytes?
Nowadays, using images to avoid pattern matches, your average spam is
maybe 5k.
So there is really no comparison on the "badness".

HOW ABOUT ... a public callout cache?


>
> People who use callouts should not complain if they end up getting
> blocked. If you use my server resources in a transaction where our
> organization or our customers receive no benefit, then you are
> committing essentially the same ethical (if not legal) crime as a
> spammer.
>
> The opinions of callouts will vary widely, I'm sure, but I think
> you'll find a less favorable opinion from admins who run ISP or
> large corporate mail servers.
>
> --
> Dean Brooks
> dean@???
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>