Auteur: Jethro R Binks Date: À: exim-users Sujet: Re: [exim] Sender verify at extreme
I am somewhat near the fence on this issue, so I err on the side of
caution and do not do callouts to arbitrary domains. I can see both
points of view: I can see the value of callouts and the benefits to the
would-be recipient, but I also see the damage that can be done to the
sender domain whose address is forged. Nevertheless:
On Fri, 6 Jul 2007, Marcin Krol wrote:
> The main reason we use sender verify with callouts is that it eliminates
> a huge amount of spam, and what can be more abusive than spam (incl.
> e-mail phishing and frauds)?
But the cost is borne by those sender domains, requiring resources to deal
with your callout.
> I work at hosting company, and not only I don't mind e-mail addresses at
> our site being verified by call-outs, but in fact I would welcome more
> of them: this reduces the chance that spammer or other fraudster sending
> mail that has domain of one of my users in the SMTP envelope to the
> server that uses sender verify w/callouts.
>
> More than once I had bad blood caused between link providers, customers
> who aren't experts at issues of combined e-mail/DNS/online fraud areas
> (they think that sender address on envelope in e-mail actually means
> something) and our company because some spammer or fraudster used e-mail
> address belonging to one of our customers to send spam or fraud. Had the
> servers that were spamming target used callouts to MX for that customer,
> that spamming wouldn't have happened, and we would be very happy to be
> "burdened" with that miniscule cost of verifying e-mail addresses of our
> customers at our hosts.
There is already an SMTP verb for such activities: VRFY. It is normally
disabled.
That being the case, using RCPT to perform the same function (check an
address) seems to be working around a deliberate decision of the operator
of that system, so you can see how it is considered abusive.
Let those who want to allow 'callouts' to work enable VRFY and encourage
others to use that. Let those who don't want callouts keep VRFY disabled
and not have to tolerate subversion of RCPT.
It has often been observed that people's position on this matter
changes once it is their own domain which gets forged as a sender in a
million-spam run, and they have to deal with the callouts ...
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK