Ok - I'm changing the subject line here to fork this topic. The issue is sender verification during a dictionary attack. If someone was faking a lot of different addresses at domain.com trying to send spam them my server would do callouts trying to verify email addresses and could cause a lot of collateral traffic.
I personally am vulnerable to this in that I do front end spam filtering for some domains that get a huge amount of spam. These domains sometimes have catchall account so that the recipient address can't be verified, which is something I do first Duplicate requests are cached so as to reduce sender verifies but if they are faking the from addresses then it could cause a lot of requests to be generated. Generally in this situation I have to require a list of good email addresses and/or elimination of catchall addresses. But that's not pretty. So - the idea is to somehow limit the number of verify callouts to one domain. Cached callouts wouldn't could against the total. Only unique callouts would count and perhaps limit it to some reasonable level. When the level is hit then Exim would return a defer and that will generally end a dictionary attack. Good email addresses in cache wouldn't be affected. Only uncavhed would trigger it. That's my initial thoughts on this. Anyone else have any ideas? > -- ## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
