--On 31 August 2009 21:58:36 +0300 Pavel Gulchouck <gul@???> wrote:
> On Mon, Aug 31, 2009 at 08:59:32AM +0900, Anthony G. Nickolayev writes:
>
>>> Is it possible to specify source interface for callout check?
>> Be careful with sender callout verification. Take a look at this
>> http://www.backscatterer.org/?target=sendercallouts
>
> Thank you.
> And what about resolving sender domain? Sending icmp echoreply,
> icmp unreachable? Sending 25/tcp synack? ;-)
> All these things can be used for DDoS-attacks.
> I don't agree with the backscatterer.org point about callout.
>
Me too, but you can do this: check SPF first. If you get a "fail" result,
then definitely don't do the callout. If you get a "pass" result, then your
callout is lightweight compared with the mail that's being pushed to your
system, so the sender shouldn't mind you doing the callout. The benefit of
using a callout when you get an SPF pass is that you get to test the
brokenness or otherwise of the sending system (it's broken if they're
sending mail with a return-path that can't be used to return mail).
For soft fail? It's harder to decide what's right. Not doing the callout
rewards the sender (who has tried to help you by publishing SPF records).
Doing the callout encourages a move toward use of "-all" records. Given that
exim caches callout results, I don't think there's much in it either way.
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see
http://www.sussex.ac.uk/its/help/
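The SPF-gated callout policy described above, written as an added Exim ACL fragment (not from the thread or from the Exim project's own documentation). It assumes an Exim build with SPF support, so that the `spf` ACL condition and `$spf_result` are available, and the ACL name `acl_check_rcpt` is a placeholder for whatever your `acl_smtp_rcpt` points at.

```exim
# Placeholder ACL name; hook it up with: acl_smtp_rcpt = acl_check_rcpt
acl_check_rcpt:

  # SPF "fail": the sender's domain says this host is not authorised to use it.
  # Reject outright and never call out, so a forged return path on a spoofed
  # message cannot make us generate traffic toward the innocent domain's MX.
  deny
    spf     = fail
    message = SPF check failed for $sender_address_domain: $spf_smtp_comment

  # SPF "pass": the sending system stands behind this mail, so a callout is
  # lightweight compared with the message it is pushing at us. Use it to test
  # whether the advertised return path would actually accept a bounce.
  # defer_ok: a temporary failure of the callout does not reject the message.
  # Exim caches callout outcomes (see callout_positive_expire and
  # callout_negative_expire in the main configuration), so repeat senders
  # are not probed on every message.
  deny
    condition = ${if eq{$spf_result}{pass}}
    !verify   = sender/callout=30s,defer_ok
    message   = Return path $sender_address does not accept bounces

  # "softfail", "neutral" and "none" are left undecided here, as in the thread:
  # add a callout or a warn/add_header statement for them according to local
  # policy. Everything not rejected above continues to your normal checks.
  accept
```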