Author: Russell Robinson
Date:
To: exim-users
Subject: Re: [exim] verify_sender
Hi,
On Sat, 15 May 2010 11:10:53 pm Lena@??? wrote:
> "verify=sender" checks domain only. If it allows invalid domains
> then either an "accept" succeeded before this "require" or
> blame the NS you use.
OK.
> An attempt to check existence of a mailbox (i.e. to check whole
> email address, not only domain) requires connection with the MX
> and giving HELO, MAIL, RCPT commands - that is called "callout" in Exim.
> Callouts to each sender are considered abuse and can get you blacklisted.
Really?
Then how do you handle this case?
1. Spammer Sam attempts to send you an email with forged
address "spamtrap@???".
2. Exim verifies sender and accepts the email because spamtraps.org is a valid
domain (from what you've said).
3. You reply to the email because it looks like a genuine enquiry (or maybe
you have an automated "out of office" reply or similar).
4. You're blacklisted for sending email to a spam trap.
The correct action, as I understand it, is to check
that "spamtrap@???" is a valid email address (if you try,
spamtraps.org will report a 550 error - not a valid address) not just a valid
domain at step 2.
You then reject the email at connection and you don't receive the spam, and
you don't reply to it.
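
The two checks contrasted in this thread, as an added example that is not part of the original message: a domain-only sender check next to a callout (HELO, MAIL, RCPT) run against an in-memory stand-in for the sender's MX. The example.org and example.net names, the mailbox lists and the `FakeMX` class are constructed for illustration, and the null reverse-path used in MAIL is an assumption of this sketch.

```python
# Added illustration: domain-only sender verification vs. an SMTP callout.
# All hosts, addresses and the in-memory "MX" below are constructed.

MX_RECORDS = {"example.org": "mx.example.org"}         # stand-in for DNS
MAILBOXES = {"mx.example.org": {"alice@example.org"}}  # mailboxes the fake MX knows
GREYLISTED = {"slow@example.org"}                      # answered with a temporary error


class FakeMX:
    """Answers the commands a callout sends; no network involved."""

    def __init__(self, host):
        self.known = MAILBOXES.get(host, set())

    def command(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "RCPT":
            addr = arg[arg.index("<") + 1 : arg.index(">")].lower()
            if addr in GREYLISTED:
                return 450, "try again later"
            return (250, "ok") if addr in self.known else (550, "no such user")
        return (221, "bye") if verb == "QUIT" else (250, "ok")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def verify_domain_only(address):
    """Routability check: the domain resolves to a mail host, nothing more."""
    return "accept" if domain_of(address) in MX_RECORDS else "reject"


def verify_with_callout(address, helo="mail.example.net"):
    """Ask the sender's MX whether it would accept mail for the address."""
    host = MX_RECORDS.get(domain_of(address))
    if host is None:
        return "reject", []
    mx, transcript, verdict = FakeMX(host), [], "accept"
    # Null reverse-path in MAIL (assumption of this sketch).
    for line in (f"HELO {helo}", "MAIL FROM:<>", f"RCPT TO:<{address}>"):
        code, text = mx.command(line)
        transcript.append((line, code, text))
        if code >= 400:  # 5xx: mailbox refused; 4xx: no answer yet
            verdict = "reject" if code >= 500 else "defer"
            break
    transcript.append(("QUIT", *mx.command("QUIT")))
    return verdict, transcript
```

A forged address at a valid domain passes `verify_domain_only` but is rejected by `verify_with_callout`; a 4xx reply yields "defer", which the receiving side has to decide how to treat.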