On Oct 17, 2006, at 6:30 PM, Dean Brooks wrote:

> On Wed, Oct 18, 2006 at 12:15:36AM +0100, Andrew - Supernews wrote:
>>>>>>> "Renaud" == Renaud Allard <[EMAIL PROTECTED]> writes:
>>
>> Renaud> In a perfect world we would need neither callouts nor
>> Renaud> blacklists as people wouldn't send spam in the first
>> Renaud> place. But we are not in a perfect world.
>>
>> Trying to block spam by using other people's resources without
>> permission is just as bad as sending spam.
>
> Just throwing in my opinion here, but I totally agree with Andrew on
> this one. Sender verification callouts without first ensuring the
> sender is sourcing from an authorized host (via SPF or other means) is
> essentially as bad as spamming. Those callouts are using resources
> that provide no benefit to the owner of the resources being used.

Yes they do provide benefit. They prevent full-fledged DSNs in some cases. And when you advertise an MX record, i.e., make yourself responsible to the world for a specific email address, you are also volunteering to guarantee that the address is a real address. You cannot have your cake and eat it too.

>
> Anyone who has run a very active mail server will tell you that
> callouts can use *enormous* amounts of resources if amplified
> appropriately. Denial of service would be very easy with only a few
> sites doing callbacks and an aggressive forger. The only reason this
> doesn't happen more often is very few sites use callouts (thankfully).
>
> People who use callouts should not complain if they end up getting
> blocked. If you use my server resources in a transaction where our
> organization or our customers receive no benefit, then you are
> committing essentially the same ethical (if not legal) crime as a
> spammer.

No, that is not true. You are missing the point that you have volunteered to be responsible for that email address, which includes proving it is a valid one to people who need to know. YOU are responsible for what happens with your email address. If you cannot stop spam users from forging it, then you have to provide a means to verify if it is a legit address and do all you reasonably can to protect people from mis-use. If you do all that you can to prevent mis-use, then legitimate mis-use that is impossible to stop can be excused. But only if you do all that you can.

Like owning a car. If you own a car and do not lock it, leave it running with the keys in, etc., and someone steals it and runs into someone else, it is very possible that you can be held responsible because you did not do everything you could to safeguard your car and prevent illegal access to it. However, if you leave it locked, possibly garaged, and it is nevertheless stolen, you can use a valid defense that you did all that you were expected to do to safeguard it.

That is part of the social compact of the internet.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
