Philip Hazel wrote:
> On Tue, 17 Oct 2006, Rene Marticke wrote:
>
>> let me explain two scene why these callouts are abuse.
>>
>> 1.
>> [EMAIL PROTECTED] send mail to [EMAIL PROTECTED]
>> --> domB callout with [EMAIL PROTECTED] if [EMAIL PROTECTED] is valid.
>> --> domA use callout to -> so call domB if [EMAIL PROTECTED] is a valid
>> user .... loop
>>
>
> That is precisely why Exim does *not* do a callout with [EMAIL PROTECTED]
> to verify a sender. It does the callout with "<>" as the sender. We've
> had this discussion several times. There are some options for varying
> the callout sender for recipient verifications (when one is generally
> talking to another of your own MTAs), but not for sender verifications.
>
You know what would be handy is some built-in code to deal with dictionary attacks. I can see a situation where a third party could get hammered by verifying a dictionary attack. In my case I have a crude solution. After a few bad email addresses I return defer on that IP for the remainder of the 5 minute period. That tends to stop/minimize dictionary collateral damage.

It would be nice if Exim had something better built in specifically to deal with dictionary attacks. There should be some sort of limit so that if you need to do a lot of verification callouts for a specific domain in a short period of time that you could rate limit it.
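
The defer-after-a-few-bad-addresses rule described in this message, together with the per-domain callout limit it asks for, modelled in Python as an added example (not code from the post or from Exim). The thresholds, the `CalloutGuard` class and the `verify` stub standing in for the callout are assumptions.

```python
from collections import defaultdict

WINDOW = 300          # the post's 5 minute period, in seconds
MAX_BAD_RCPTS = 3     # assumed value for "a few bad email addresses"
MAX_CALLOUTS = 20     # assumed per-domain callout budget per window

class CalloutGuard:
    """Fixed-window limiter for recipient verification callouts."""

    def __init__(self):
        self.bad = defaultdict(int)       # (window, client_ip) -> failed RCPTs
        self.callouts = defaultdict(int)  # (window, domain) -> callouts made

    def _expire(self, win):
        # Drop counters that belong to earlier windows.
        for table in (self.bad, self.callouts):
            for key in [k for k in table if k[0] < win]:
                del table[key]

    def check_rcpt(self, now, client_ip, rcpt, verify):
        """Return 'accept', 'deny' or 'defer' for one RCPT command.

        verify(rcpt) stands in for the callout and returns True when the
        backend server accepts the address.
        """
        win = int(now) // WINDOW
        self._expire(win)
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Client already produced too many bad addresses in this window:
        # defer without contacting the backend at all.
        if self.bad[(win, client_ip)] >= MAX_BAD_RCPTS:
            return "defer"
        # Domain budget spent: defer instead of hammering its server.
        if self.callouts[(win, domain)] >= MAX_CALLOUTS:
            return "defer"
        self.callouts[(win, domain)] += 1
        if verify(rcpt):
            return "accept"
        self.bad[(win, client_ip)] += 1
        return "deny"

def replay(events, valid):
    """Run constructed (time, ip, rcpt) events; return verdicts and callout count."""
    guard, made = CalloutGuard(), []
    def verify(rcpt):
        made.append(rcpt)
        return rcpt in valid
    verdicts = [guard.check_rcpt(t, ip, r, verify) for t, ip, r in events]
    return verdicts, len(made)
```

Because the window is aligned to the clock, a blocked client is deferred only for the remainder of the current 5 minute period, and a deferred RCPT costs the third-party server no callout.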
