On Fri, 28 Oct 2005, Ian FREISLICH wrote:

> Ah, you folk in academia might not then have encountered the argument
> from a paying customer "I don't care if the admin of the site hosting
> my prospective customer is a fool, your decision to not accept their
> mail on the basis of the failed callout is costing me potential
> business".

Since you can't reliably tell the difference between a spammer, and a misconfigured but otherwise bona fide sender, you'd have to accept everything that was offered, and leave it to the recipient to decide. Our users would not tolerate that - they are overwhelmingly supportive of our anti-spam efforts - I'd go further, they positively *demand* it of us; the number of complaints received from our own users about rejection of bona fide mail offers is very small, and usually the explanations we give them are well-received.

The most recent complaints that I can recall, on the other hand, from would-be senders themselves were, in fact, people presenting their own *.gov sender addresses but trying to send direct-to-MX mail from their US domestic DSL accounts. I don't know about you, but when presented with such a scenario I would definitely "smell a rat".

> And that is a nice intellectualisation.
[...]
> What I don't get is why you (and many others) think it's OK to:
> 1. Steal resources.

Because we play our own part in responding to callouts when our own domains are faked as senders by the spammers (which they heavily are)?

> 2. Participate in a DDoS attack (of innocents to boot).

I must stress that callout is pretty much a last-resort in the RCPT ACL. There are plenty of earlier opportunities for us to reject a RCPT offer without bothering a third party in that way.

While it's possible to devise the kind of DDoS scenario that you mention, we have a number of countermeasures which I suspect would be more likely to make our own server unresponsive (with the max number of exim processes having rejected abusive requests and then applying a time delay) before we'd managed to DoS anyone else. And callout certainly is not our default - it's only used in selected circumstances.

But yes, your point is taken, and if you are opposed *in principle* to this approach then I appreciate that there is nothing I can say that will satisfy you.

regards
