Peter Bowyer wrote:
> On 29/03/07, Renaud Allard <renaud@???> wrote:
>> This already works quite well without that much hassle:
>> deny
>> message = Faked paypal.com.
>> log_message = Fake paypal
>> senders = *@paypal.com
>> condition = ${if match
>> {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
>
> OK, but it will break when PayPal make network changes, forget to set
> up rDNS for a while, etc etc etc.... since they take the trouble to
> sign with DK, and publish SPF, why not use one of those
> standards-based mechanisms, that will scale to any other participating
> domain without you needing your own knowledge of their network?
>
The thing is, any of these methods (including mine of course) require
you to make a rule for each single domain, which is quite a hassle anyway.
I cannot deny all mails that don't have DK. I also cannot deny all mails
that fail SPF (citrix being the most notable I have seen having wrongly
configured SPF). Also because some people may add servers and forget to
put them in SPF or put them in prod while DNS cache is still active on
some DNS. And I have to know what their rdns are to use the rules I
posted. So none of these are totally safe and all require a particular
configuration.