Re: [exim] verify_sender

Top Page
Delete this message
Reply to this message
Author: Russell Robinson
Date:  
To: exim-users
Subject: Re: [exim] verify_sender
Hi Bill,

On Sat, 15 May 2010 06:16:06 pm W B Hacker wrote:
> Short answer is 'you cannot'. Not with enough reliability to matter.
>
> Best use is within a grouping of MTA/relays that are all part of a
> cooperative group - eg - single-control 'pool', or an affinity group, such
> as a globally distributed F/OSS software project, a body corporate, an
> institution - anywhere 'family members' are expected to present credentials
> to be allowed to pass, and the Sysadmins have agreed on how so.
>
> Doing sender verification attempts to any correspondent MTA with which you
> do NOT have such an expectation in-place - read 'the world at large' - will
> seldom get you a reliable response.
>
> ... and may get your calling MTA blacklisted for what some sysadmins
> consider unwelcome probes - even abuse of their resources.


I'm not sure that's right.

The problem is there are spam traps out there and if you send email to them
you get blacklisted.

Now, a spammer or malicious person can send you an email claiming to be from
one of these spam traps.

From my research, the correct way to handle this is to verify that the sender
is a valid email address.

If you do an SMTP "rcpt" request against that email address, the spam trap
server will tell you it's not a valid email address. So, you should not send
to it, and, of course, you (EXIM) should not receive the email it wants to
send you.

This can be done at the connect stage when the spammer connects to EXIM to
attempt to send you the spam.

Here's an article that explains it:
    http://www.dontbouncespam.org/


>
> BTW - You should be at not less than 4.6X if 4.7X will not build for you.
>
> 4.43 is pretty stale, and there are both needful new features and
> bug/security fixes since it was current.
>


Yes. The problem is that there is no RPM for Centos 4.8 that I can find later
than 4.43.

I'll try compiling 4.6X.

--
Russell Robinson (russellr@???)