--On 31 August 2009 21:58:36 +0300 Pavel Gulchouck <[email protected]> wrote:
> On Mon, Aug 31, 2009 at 08:59:32AM +0900, Anthony G. Nickolayev writes:
>
>>> Is it possible to specify source interface for callout check?
>> Be careful with sender callout verification. Take a look at this
>> http://www.backscatterer.org/?target=sendercallouts
>
> Thank you.
> And what about resolving sender domain? Sending icmp echoreply,
> icmp unreachable? Sending 25/tcp synack? ;-)
> All these things can be used for DDoS-attacks.
> I don't agree with the backscatterer.org point about callout.
>

Me too, but you can do this: check SPF first. If you get a "fail" result, then definitely don't do the callout. If you get a "pass" result, then your callout is lightweight compared with the mail that's being pushed to your system, so the sender shouldn't mind you doing the callout.

The benefit of using a callout when you get an SPF pass is that you get to test the brokenness or otherwise of the sending system (it's broken if they're sending mail with a return-path that can't be used to return mail).

For soft fail? It's harder to decide what's right. Not doing the callout rewards the sender (who has tried to help you by publishing SPF records). Doing the callout encourages move toward use of "-all" records. Given that exim caches callout results, I don't think there's much in it either way.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
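
The ordering described in the message above, sketched as an Exim ACL fragment. This is an added example, not configuration posted in the thread. It assumes an Exim binary built with SPF support and an RCPT ACL named `acl_check_rcpt`; the rejection texts are constructed, and treating softfail like pass is only one of the two options the message weighs.

```exim
# Fragment of the RCPT ACL (the ACL name is an assumption).
acl_check_rcpt:

  # SPF "fail": the domain owner says this host may not use the
  # return-path domain. Reject here and never start a callout, so no
  # probe is sent to the (probably forged) sender domain.
  deny    message = SPF fail for $sender_address_domain
          spf     = fail

  # SPF "pass" or "softfail": the connecting host is plausibly the real
  # sender, so a callout goes back to the party that is pushing mail
  # at us. It tests whether the return path can actually receive
  # bounces. Exim caches callout results, which limits repeat probes.
  # Remove "softfail" from the list to skip callouts for that result.
  deny    message = Return path <$sender_address> does not accept mail
          spf     = pass : softfail
          !verify = sender/callout

  # Other SPF results (none, neutral, errors) fall through with no
  # callout; the thread does not discuss them, so that is a choice
  # made for this sketch.
```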
