Re: [exim] Sender callout verification on BATV signed addres…

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: David Saez Padros
Data:  
Para: Ian Eiloart
CC: exim-users, Richard Salts
Assunto: Re: [exim] Sender callout verification on BATV signed addresses
Hi

we use callbacks on a similar way, we do not do the callback
if the incoming mail passes spf, dkim is not used to prevent
callbacks because we do callbacks at RCPT time and dkim needs
to reach DATA, we also use whitelisting to prevent callouts too

> --On 14 May 2009 11:20:31 +1000 Richard Salts <exim@???> wrote:
>
>> On Wed, 22 Apr 2009 06:09:13 Bryan Rawlins wrote:
>>> So my question is, and I'm strictly looking for personal opinions here;
>>> Are callout/callback verifications on the envelope sender when that
>>> sender is signed more acceptable than just doing them in general?
>
> If people don't want callback verifications to their sites in response to
> spoofed email, then they should publish information about where their mail
> comes from. There are three cases:
>
> An email verifies with SPF or DKIM or similar - the callback may be
> regarded as pointless, but it should not be unwelcome. Bounces,
> autoreplies, and so on should all be acceptable.
>
> SPF, DKIM or similar tests fail. Don't do the callback, don't accept the
> message. If you do accept the message, make sure that it is not later
> bounced, and that autoreplies aren't sent.
>
> SPF, DKIM, or similar tests are inconclusive. In an ideal world, we'd never
> see any such email. What you do here depends on your mood. As the world
> moves to more widespread adoption of technologies that allow us to detect
> spoofing, you'll find yourself here less frequently. Callouts, bounces and
> autoreplies should encourage people to deploy such technologies. I'd that
> we should defend the utility of e-mail by being unembarrassed about
> auto-replies and callouts when we can't verify the domain. In time, we
> should lose our inhibition about bouncing messages of uncertain origin;
> when they fail other spam tests. Perhaps, one day, all legitimate email
> will pass spf, dkim or similar tests.
>
>
>> Tony Finch mentioned at some point toying with BATV but suggested signing
>> the domain rather than the local part. It requires more infrastructure,
>> such as a trick dns server to host the subdomains which are signed, but
>> it could be a way for BATV to be used as an authenticity test without
>> leading to the heavy penalties to the domain owner of SCV. I think it
>> might have other disadvantages such as a big impact on caching resolvers
>> and dns traffic, possibly even decreased reliability. But it seems to me
>> that dns scales a lot better than smtp servers, given the number of RBLs
>> using it as a mechanism to publish very dynamic data.
>
>
>


--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       telf    +34 902 50 29 75
----------------------------------------------------------------