Re: [exim] Ultimate spam defense - check for the sender MX r…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Renaud Allard
Data:  
Para: Peter Bowyer
CC: Exim, Users
Asunto: Re: [exim] Ultimate spam defense - check for the sender MX record


Peter Bowyer wrote:
> On 27/12/06, Ian Eiloart <iane@???> wrote:
>>
>> --On 27 December 2006 10:25:20 +0100 Renaud Allard <renaud@???>
>> wrote:
>>
>>>
>>> Craig Whitmore wrote:
>>>>>> I would like to increase a spam defense of our server by checking if a
>>>>>> sender really represents an MX server of his/her organization. So if a
>>>>>> certain PC is trying to send me an e-mail from user@??? then we
>>>>>> will check if this person's IP address is within MX servers of
>>>>>> domain.com, otherwise we'll refuse to accept the mail.
>>>>>>
>>>>>> Is it feasible? How can I achieve this?
>>>>>>
>>>> If a domain has set up SPF or SenderID records then you can use those so
>>>> make sure the emails are coming from the correct places.
>>>>
>>>
>>> Unfortunately, many sites who have implemented SPF have implemented them
>>> incorrectly.
>>> Here is a very good example:
>>> /var/log/exim4/rejectlog.13.gz:2006-12-14 15:51:53 H=host60.citrix.com
>>> (FTLPEXCHSMTP01.citrite.net) [66.165.176.60]
>>> F=<citrix_license@???> rejected RCPT <sorryfor@obfuscation>: SPF
>>> check failed.
>>>
>>> If you strictly check SPF, you will reject good mails because many sites
>>> administrators just forget they have servers sending mails from web
>>> interfaces or in an automated way.
>> Rejecting their emails should be an efficient way of concentrating their
>> minds on fixing the problem.
>
> I couldn't agree more - if they've left something out of their SPF
> policy, they should fix it - and if they don't get any pain, they
> won't.
>


Indeed, but in this case, the one being really hurt was my client which
didn't receive his licenses. Trying to explain commercial people (the
ones you get on the phone when calling for a license delivery problem)
that their mail containing the licenses was being refused by our server
because something was wrong in their DNS is like the quest of the grail.