Author: W B Hacker Date: To: exim users Subject: Re: [exim] Sender verification failing sometimes
Ian Eiloart wrote: >
> On 14 Jun 2011, at 05:24, Phil Pennock wrote:
>
>> On 2011-06-13 at 00:32 +0000, Michael Jimenez wrote:
>>> So I've been looking at my mail server mainlog for the past
>>> couple of days watching mail come in and out, I've noticed that
>>> this Microsoft address keeps failing to verify:
>>
>> You're using sender *callout* verification to systems not under
>> your administrative control. This is regarded by many as abusive,
>> and will get you placed on various blacklists.
>
> Is that true? I've not experienced it, in several years.
It might not be obvious *why* one's server was rejected - and need not
be an LBL.
>
>> The larger providers have rate-limits and other DoS filters; so
>> when an MSN address is spoofed and you keep hitting their
>> mail-servers with checks on mails they didn't send, you'll exceed
>> ratelimits and get fast-failed: they're rejecting you attempting to
>> deliver to them, which you're interpreting to mean that the address
>> is invalid.
>
> That's not likely to happen. Exim's result caching means you're not
> going to be making frequent callouts regarding a single address. In
> theory, it could happen if spammers were attempting to deliver to you
> from many different addresses in the same domain, in rapid
> succession. However, you could -and should- mitigate against that by
> doing callouts late.
>
>> Sender callouts are best suited for use to systems under your own
>> control.
>
Seconded.
Abuse/not issue quite aside, without prior arrangements within a
cooperative pool under common control or at least shared goals, you
aren't necessarily going to get anything useful *anyway*.
A simple 'delay=' longer than your callout response waiting period
renders the callout useless, yet has left both MTA hanging on TWO teats.
If you require a hard-pass, it has also blocked the transfer.
Every time. "..walks like a duck....." - looks like a Blacklist.
A limitation on simultaneous connections from a given IP can even block
outright and 'right now' at busier times. Looks like a BL on some, not
all members of a pool. Might be exactly what the OP was hitting.
Callout might be 'cheaper' than syncing user DB's among a pool of
servers.. Sometimes. Maybe.
.. but otherwise?
More pain than gain, even among the tolerant.
A 'bot - presuming rDNS failure - would be unable to respond favorably,
even if programmed to do so (trivial).
But a credentialed commercial advertising spam-engine that DOES pass
rDNS is MORE likely to respond favorably than a moderately well-armed
MTA - potentially rewarding or penalizing exactly the wrong folk.
