Auteur: W B Hacker Date: À: exim users Sujet: Re: [exim] unblocking gmail
Randy Bush wrote: >> A caller that *survives* forward/reverse DNS lookup
>
> i can't do that. too many strange list subscribers from places that do
> not do much dns. too many users from strange places that do not do much
> dns.
>
Well - that's how and why *we* (mailadmins) have made the entire
zombiefied WinBox hundred-thousand-plus-unit 'farm' phenomenon possible.
If you can not - or WILL NOT - use the tools the RFC provides to
separate 'early' and cheaply on clearly improper behaviour, then you
will just have to suffer the resource cost of trying to separate on
content analysis.
It is far harder to get that right.
Zombastards are expert at throwing in just the sort of gratuitous fluff
that pases automated scanning and suborns - even poisons - sophisticated
Bayesian filters.
Most filtering needs extensive string parsing and pattern seeking and
matching - done quite well in interpreted languages such as perl - but
never at a low-resource cost.
>> If you want 'immediate' onpassing, you'll need something like lookups
>> against /var/mail/IP-pass or /var/mail/VIP lists,
>
> i got into this because one can not maintain good ip lists because goog,
> yahoo, et alia keep adding servers but not putting them in places such
> as dnswl.org.
>
> randt
>
It is not hard to manually track down a handful of the 'majors' with
'whois', 'dig @' and 'host -v'.
OTOH - there is ordinarily little need to give them special entries.
Even MSN/Hotmail finally cleaned up its act some years ago - ONE server
persisted in trying pipelining when told it was not on offer.
One server out of PCCW's 'Netvigator' outbound pool is configured
differently (and wrongly) from all the others.
NetSol has been the last major irritant here. Ironic that the folks
chartered to - among other things - operate the 'a' root-servers, should
be so careless w/r their own mailserver DNS & HELO.
YMMV, but denying those who look, act, taste, and smell like zombots is
the only way the 'real' folks among them will *ever* see the need to
mend their ways, use the 'smarthost' their connectivity ISP has
provided, or register themselves a PTR RR on fixed-IP if they 'must'
operate their own public-facing MTA.
GMail, BTW, has hardly ever put a foot wrong by our lights, so - back to
the door you entered by - we've no real need to handle them differently
at all. Those who would attempt Gmail forgery have already been tagged
for one or more 'capital offences' so to speak.