--On 18 October 2006 10:46:49 +0200 Renaud Allard <[EMAIL PROTECTED]> wrote:
>
> Indeed, but, as mentioned before, some will argue that if the spf is
> false you have no right to use their resources to verify things as it is
> probably a spam. And if spf != pass && spf != false (IE: not defined)
> you still have no right to do a callout as you could be a player in a
> ddos.

If a spammer has registered a domain, and is using that domain for sender addresses, then there are a few possibilities:

1. They provide accurate MX records pointing to a host that they have access to. In this case, callouts aren't going to hurt anyone - except perhaps other users of that host.

2. They provide fake MX records, pointing to some other SMTP host. In this case, the old arguments apply - the callouts will block spam, at some cost to the host's owner, but at less cost than bouncing messages. Marc Perkel's idea about rate limiting callouts per domain could be useful here.

3. They provide fake MX records, pointing to a host that is NOT an SMTP host. In this case - I think - Exim will cache the connection failures for the domain, and all the spam directed at a particular host will be blocked at the cost of a single dropped connection per callout_domain_negative_expire (which defaults to 3 hours).

At least, I think that's true. Section 39.34 says this is true of rejects before RCPT TO, but doesn't say what happens when the connection fails.

-- 
Ian Eiloart
IT Services, University of Sussex
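Added example (not part of the original post, and not Exim's code): a small Python model of how many callout connections reach the host named in a domain's fake MX records under cases 2 and 3 above. The per-domain rate limit, its skip-the-callout behaviour, and the premise that every message uses a distinct sender address (so per-address caching does not help) are assumptions; the 3-hour negative expiry is the default quoted in the post.

```python
from collections import defaultdict

NEGATIVE_EXPIRE = 3 * 3600  # callout_domain_negative_expire default quoted in the post


class CalloutModel:
    """Counts connections a verifying host makes to a sender domain's MX target."""

    def __init__(self, negative_expire=NEGATIVE_EXPIRE, max_per_window=None, window=3600):
        self.negative_expire = negative_expire
        self.max_per_window = max_per_window  # hypothetical per-domain callout budget
        self.window = window                  # seconds the budget applies to
        self.neg_cache = {}                   # domain -> time a failure was cached
        self.recent = defaultdict(list)       # domain -> times of recent callouts
        self.connections = defaultdict(int)   # domain -> connections made to its MX

    def verify_sender(self, now, domain, mx_accepts_smtp):
        cached = self.neg_cache.get(domain)
        if cached is not None and now - cached < self.negative_expire:
            return "cached-reject"            # answered locally, no connection made
        if self.max_per_window is not None:
            times = [t for t in self.recent[domain] if now - t < self.window]
            self.recent[domain] = times
            if len(times) >= self.max_per_window:
                return "rate-limited"         # assumption: over budget means no callout
            times.append(now)
        self.connections[domain] += 1         # one connection to the MX target
        if not mx_accepts_smtp:
            self.neg_cache[domain] = now      # case 3: failure cached for the whole domain
            return "callout-failed"
        return "callout-made"                 # case 2: host answers; verdict not modelled


def simulate(model, domain, mx_accepts_smtp, messages, interval):
    """Feed `messages` messages `interval` seconds apart; return connections made."""
    for i in range(messages):
        model.verify_sender(i * interval, domain, mx_accepts_smtp)
    return model.connections[domain]


if __name__ == "__main__":
    # Constructed workload: 10,000 messages, one every 2 seconds (about 5.5 hours).
    print("case 3, negative cache:", simulate(CalloutModel(), "forged.example", False, 10000, 2))
    print("case 2, no limit:      ", simulate(CalloutModel(), "forged.example", True, 10000, 2))
    limited = CalloutModel(max_per_window=20)
    print("case 2, 20 per hour:   ", simulate(limited, "forged.example", True, 10000, 2))
```
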
