Re: [exim] Sender callout verification on BATV signed addres…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Ian Eiloart
Dátum:  
Címzett: Richard Salts, exim-users
Tárgy: Re: [exim] Sender callout verification on BATV signed addresses


--On 14 May 2009 11:20:31 +1000 Richard Salts <exim@???> wrote:

> On Wed, 22 Apr 2009 06:09:13 Bryan Rawlins wrote:
>> So my question is, and I'm strictly looking for personal opinions here;
>> Are callout/callback verifications on the envelope sender when that
>> sender is signed more acceptable than just doing them in general?


If people don't want callback verifications to their sites in response to
spoofed email, then they should publish information about where their mail
comes from. There are three cases:

An email verifies with SPF or DKIM or similar - the callback may be
regarded as pointless, but it should not be unwelcome. Bounces,
autoreplies, and so on should all be acceptable.

SPF, DKIM or similar tests fail. Don't do the callback, don't accept the
message. If you do accept the message, make sure that it is not later
bounced, and that autoreplies aren't sent.

SPF, DKIM, or similar tests are inconclusive. In an ideal world, we'd never
see any such email. What you do here depends on your mood. As the world
moves to more widespread adoption of technologies that allow us to detect
spoofing, you'll find yourself here less frequently. Callouts, bounces and
autoreplies should encourage people to deploy such technologies. I'd that
we should defend the utility of e-mail by being unembarrassed about
auto-replies and callouts when we can't verify the domain. In time, we
should lose our inhibition about bouncing messages of uncertain origin;
when they fail other spam tests. Perhaps, one day, all legitimate email
will pass spf, dkim or similar tests.


> Tony Finch mentioned at some point toying with BATV but suggested signing
> the domain rather than the local part. It requires more infrastructure,
> such as a trick dns server to host the subdomains which are signed, but
> it could be a way for BATV to be used as an authenticity test without
> leading to the heavy penalties to the domain owner of SCV. I think it
> might have other disadvantages such as a big impact on caching resolvers
> and dns traffic, possibly even decreased reliability. But it seems to me
> that dns scales a lot better than smtp servers, given the number of RBLs
> using it as a mechanism to publish very dynamic data.




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/