Autor: Peter Bowyer Data: A: exim users Assumpte: Re: [exim] Sender callout verification with warning only
On 06/07/07, Toralf Lund <toralf@???> wrote: >
> >
> > Do you realise that callouts are considered abusive in anti-spam circles and
> > are often used in certain forms of ddos attacks ? Some major mail servers
> > even BLOCK based on the number of callouts they receive from a given IP.
> > Something like 80% of emails are spam, so 80% of your callouts are being
> > directed at totally innocent machines. Challenge response methods should be
> > considered in the same way.
> >
> I tend to consider them as a way of reducing spam, and everything that
> does is for the Greater Good, IMO. Also, I'm quite happy to receive this
> kind of requests at our server, so I'll happily use them myself -
> according to some principle we read in some holy book or the other at
> school...
You'll need to be careful about who you send callouts too, then. As
Phil says, the view that 'all callouts are abuse' has some vociferous
supporters. At the very least I suggest the following:
- maintain a list of domains you never call out to
- do as much envelope-checking as you can before triggering a callout
(DNSBLs, verify=sender, SPF pass, HELO sanity)
- expect to be listed by some agressive DNSBLs
- don't go near SPAM-L
Personally, I'd rather receive sender verification callouts than
backscatter. But that view doesn't always scale.
