On Thu, 18 May 2006, Dave Lugo wrote:

> I'm glad it helps you, but for the folks[1] with domains that
> are heavily forged by spammers, the callbacks themselves are
> an additional DoS they have to deal with.

One should definitely use other strategies to keep out the bulk of 
abusive mail.  One should certainly *not* apply callout as a blanket 
strategy[1].  But I still reckon that it can be a useful tool for 
dealing with a range of otherwise doubtful cases.

At least if spammers are reasonably consistent about their faked 
sender addresses, exim will cache the result(s) of its test(s) and 
re-use them.  But if the localparts don't repeat, then indeed it's 
heading into denial of service territory, that can't be denied.

Some kind of rate limiting is needed, or a cumulative score of bad 
sender addresses, leading to blacklisting of the offering MTA, to 
reduce the risk.

regards

[1] by the way, we've seen quite a few cases of what are otherwise 
bona-fide mailing lists, with content which users actually wanted to 
receive, that were being sent by bulk mailers using purported sender 
addresses in their own domain, but which they rejected on callout.  I 
say it serves them right that we rejected some of these mailings, 
until the problem came to light.

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
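The message above suggests two things for keeping sender callouts from becoming a denial of service: cache the result of each verification so repeated forged addresses cost nothing, and keep a cumulative score of bad sender addresses per connecting MTA so that a host producing too many unverifiable localparts stops getting callouts at all. The following is an added example that models that logic; it is not part of the original post and not Exim's own implementation (Exim keeps its callout cache in a hints database and offers a ratelimit ACL condition, neither of which is reproduced here). The verifier function, the host addresses and the sender addresses are constructed for the demonstration.

```python
"""Toy model of a sender-callout guard: a result cache plus a per-host
failure budget. Added example, not Exim code."""
from collections import defaultdict, deque
import time


class CalloutGuard:
    def __init__(self, verify_fn, max_failures=5, window_s=3600,
                 cache_ttl_s=7200, now=time.time):
        self.verify_fn = verify_fn       # stand-in for the real SMTP callout (assumption)
        self.max_failures = max_failures # failed callouts allowed per host per window
        self.window_s = window_s
        self.cache_ttl_s = cache_ttl_s
        self.now = now                   # injectable clock so the sample run is deterministic
        self.cache = {}                  # sender address -> (verified?, expiry time)
        self.failures = defaultdict(deque)  # host -> timestamps of failed *uncached* callouts
        self.callouts_made = 0           # how many real callouts we paid for

    def _prune(self, host, t):
        """Drop failures older than the scoring window (sliding window)."""
        dq = self.failures[host]
        while dq and dq[0] <= t - self.window_s:
            dq.popleft()

    def is_blacklisted(self, host):
        t = self.now()
        self._prune(host, t)
        return len(self.failures[host]) >= self.max_failures

    def check_sender(self, host, sender):
        """Return 'accept', 'reject' or 'blacklisted'.

        'blacklisted' means the host already exhausted its failure budget, so no
        callout is attempted; the caller would defer or reject without the cost.
        Cached results (hit or miss) never add to the score, since they cost no
        outbound connection, which is exactly the case where a spammer reuses
        the same forged address."""
        t = self.now()
        if self.is_blacklisted(host):
            return "blacklisted"
        cached = self.cache.get(sender)
        if cached is not None and cached[1] > t:
            ok = cached[0]
        else:
            self.callouts_made += 1
            ok = self.verify_fn(sender)
            self.cache[sender] = (ok, t + self.cache_ttl_s)
            if not ok:
                self.failures[host].append(t)
        return "accept" if ok else "reject"


# Constructed sample traffic: (timestamp, connecting host, envelope sender).
SAMPLE_EVENTS = [
    (0.0,    "198.51.100.7", "xk1@forged.example"),   # new address, callout fails
    (1.0,    "198.51.100.7", "xk1@forged.example"),   # same address, served from cache
    (2.0,    "198.51.100.7", "xk2@forged.example"),   # fails, score 2
    (3.0,    "198.51.100.7", "xk3@forged.example"),   # fails, score 3 -> budget spent
    (4.0,    "198.51.100.7", "xk4@forged.example"),   # no callout, host blacklisted
    (5.0,    "203.0.113.5",  "alice@example.net"),    # different host, genuine sender
    (3700.0, "198.51.100.7", "xk5@forged.example"),   # window expired, callouts resume
]
# Constructed set of addresses the stand-in verifier considers deliverable.
VALID_SENDERS = {"alice@example.net", "list-bounces@example.net"}


def run_sample(max_failures=3):
    """Replay SAMPLE_EVENTS and return (decisions, number of real callouts)."""
    clock = {"t": 0.0}
    guard = CalloutGuard(lambda s: s in VALID_SENDERS,
                         max_failures=max_failures, now=lambda: clock["t"])
    decisions = []
    for ts, host, sender in SAMPLE_EVENTS:
        clock["t"] = ts
        decisions.append(guard.check_sender(host, sender))
    return decisions, guard.callouts_made


if __name__ == "__main__":
    for (ts, host, sender), d in zip(SAMPLE_EVENTS, run_sample()[0]):
        print(f"{ts:7.1f} {host:14} {sender:24} {d}")
```

The seven sample events cost five real callouts: the repeated forged address is a cache hit, and the fourth distinct forgery from the same host is refused without any callout. Once the hour-long window has passed the host is scored from zero again, which is the trade-off the message points at: a shorter window limits collateral damage to a host that merely relays a badly configured list, a longer one gives more protection against a flood of non-repeating localparts.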
