Re: [exim] Default enabling of dnsdb

Author: W B Hacker
Date:  
To: exim-users
Subject: Re: [exim] Default enabling of dnsdb
Phil Pennock wrote:
> On 2009-05-06 at 09:27 +0100, Mike Cardwell wrote:
>> Quite a lot of domains have an SPF record of "v=spf1 -all". I never
>> found out *why* this is the case, but it is.
>
> I have the domains: globnix.org globnix.net globnix.com
>
> The first two are in active use. The third is not used for sending mail
> and mostly is a placeholder, which makes it rather convenient for
> various tests, where I need a real registered domain.
>
> globnix.com never sends mail.



Different <domain>.<tld> here, but we are much on the 'same wavelength'
so far...

> .. I used to get joe-job backscatter for it.
> Between DomainKeys and the SPF "v=spf1 -all" I no longer get joe-job
> backscatter for it.


Without either, I get JJB almost never... as in the odd singleton
response to a forgery about 2 or 3 times a year.

Now - it may be because only a few such are not themselves forgeries of
bounces of forgeries...

IOW - if I accepted traffic less cautiously, I might see more.

>
> There are many issues with SPF and how it relates to forwarding, but if
> a domain never sends mail in the first place, then there's no mail to
> forward and it's safe to publish SPF records for that domain.
>


I find it easier to not run anything on port 25, and not publish MX or
PTR for that IP. ELSE point at least MX to another server I DO run an
MTA on. But that's not a biggie either way...

> More, it's polite to publish such an SPF record for that sort of domain,
> letting others have a lightweight check to reject inbound spam.
>
> Regards,
> -Phil
>


Can't disagree with the 'polite' part, either, but ...

Here's why I asked:

- IF I were to receive incoming purporting to be from, using your
example, globnix.com AND the rDNS passed muster, I'd presume you
intended to send, and - while making other tests - not have a care as to
the presence, let alone 'nuances' of an spf record.

Simply put, it tells me nothing any more useful than what is already in
front of me.


- IF, OTOH, said arrival was a forgery, I'd not need to look at an spf
record to determine that, either.

Ergo, if I were to recompile with DNSDB (prerequisite), and insert the
code for that test ..

... it would be most unlikely to ever 'trigger'.

- A 'legit' message would live or die on the credentials of the sending
server, (rDNS, FQDN in HELO, correct format and MIME-type usage), AND
NOT ClamAV or SA finding malware or unwanted content/attachments.

- A forgery would not make it past acl_smtp_connect.

That said, the code *could* be 'traversed' even if not triggered.

And there is my real objection..

Are you making this sort of callout / DNSDB lookup on all - or even a
large percentage of traffic transiting?

Surely the percentage of arrivals that might have usable information
must be small?

Very small...

Bill
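An added worked example (Python, not Exim, and not code from this thread) of the lightweight check Phil describes: given a sender domain's TXT records, decide whether its SPF policy says it never sends mail ("v=spf1 -all") or whether the connecting IP is covered by a plain ip4/ip6 mechanism. The domain names and TXT records are constructed stand-ins for DNS answers; include/a/mx/redirect terms need live DNS and are reported as "unknown" rather than guessed.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (hypothetical zones).
SAMPLE_TXT = {
    "never-sends.example": ["v=spf1 -all"],
    "sends.example": ["v=spf1 ip4:192.0.2.0/24 -all", "some unrelated TXT"],
    "nospf.example": ["verification=abc123"],
    "complex.example": ["v=spf1 include:_spf.other.example ~all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(client_ip, txt_records):
    """Return an SPF result: none, permerror, pass, fail, softfail,
    neutral, or unknown (a term that would need further DNS lookups)."""
    # RFC 7208: exactly one TXT record may start with "v=spf1".
    spf = [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIER[qual]          # "-all" alone: domain never sends
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER[qual]
            continue
        return "unknown"                    # include/a/mx/exists/redirect
    return "neutral"                        # nothing matched, no "all" term


def acl_decision(client_ip, sender_domain, txt_by_domain):
    """Map the SPF result onto the thread's policy: only a hard 'fail'
    (e.g. a domain publishing 'v=spf1 -all') is grounds for rejection."""
    result = evaluate(client_ip, txt_by_domain.get(sender_domain, []))
    return "deny" if result == "fail" else "accept"


if __name__ == "__main__":
    for dom in SAMPLE_TXT:
        print(dom, evaluate("198.51.100.7", SAMPLE_TXT[dom]),
              acl_decision("198.51.100.7", dom, SAMPLE_TXT))
```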