this causes Imail to reject mail from: @smathersthompson.com since A + MX 
queries for smathersthompson.com timeout, but that domain exists in 
delegation records of *.gtld-servers.net.

This is not a huge hit on our rejects but it does hurt.

eg, yesterday, I mentioned the restriction_class logic of "If no PTR AND no 
HELO hostname, then reject" is pretty useless since spammers can

1. send from IP with no PTR (but we will eventually refuse on this sole 
criteria as we raise the credentials)

2. send MAIL FROM:<> (null sender) so we can't check the domain in DNS

3. HELO host.bogusbogus.(net|com) command which is, thanks to Verisign, 
eternally valid, so accept the spam.

In the 4tuple with three useless-for-verification fields, the only 
protection is RCPT TO: being unknown recipient, and, if you get that tough, 
rejecting only for no PTR.

Other tactics to get around Verisign's dirty greed are:

1. an smtpd delegation policy routine that queries DNS for the A record of 
mail from: and helo domains and rejects the msg if the A record is 
Verisign Class C. That blocks them in real time.

2. once every 2 hours or per day, take all the MAIL FROM: and HELO domain 
names from 4tuple records, query DNS, if Verisign A record returned, then 
blacklist the MTA IP in the 4tuple record if that IP is caught doing that 
above <threshold number>. This is BETTER than just rejecting single spams 
in real time since the IP is permanently blocked for all time and for all 
traffic.

Len
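
The two tactics in the message above, sketched as an added example (not code from the message or from any mail server project). It assumes Postfix's policy delegation attribute names (`helo_name`, `sender`, `client_address`), uses `192.0.2.0/24` as a placeholder for the wildcard network because the message gives no address, and stubs DNS with a constructed lookup table.

```python
import ipaddress
from collections import Counter

# Placeholder for the network the wildcard A record points into (not from the post).
WILDCARD_NET = ipaddress.ip_network("192.0.2.0/24")

def parse_request(text):
    """Parse one policy-delegation request: name=value lines ended by a blank line."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def wildcard_domains(attrs, resolve):
    """Return HELO / MAIL FROM domains whose A record falls inside WILDCARD_NET."""
    names = {attrs.get("helo_name", ""), attrs.get("sender", "").rpartition("@")[2]}
    hits = []
    # Skip empty values (null sender) and address literals such as [203.0.113.5].
    for name in sorted(n.lower().rstrip(".") for n in names if n and not n.startswith("[")):
        if any(ipaddress.ip_address(a) in WILDCARD_NET for a in resolve(name)):
            hits.append(name)
    return hits

def policy_action(attrs, resolve):
    """Tactic 1: real-time answer returned to smtpd for a single request."""
    hits = wildcard_domains(attrs, resolve)
    if hits:
        return "action=REJECT domain %s does not exist\n\n" % hits[0]
    return "action=DUNNO\n\n"

def blacklist_candidates(requests, resolve, threshold):
    """Tactic 2: client IPs seen with wildcard-resolved names more than threshold times."""
    counts = Counter(r["client_address"] for r in requests if wildcard_domains(r, resolve))
    return sorted(ip for ip, n in counts.items() if n > threshold)

# Constructed resolver answers standing in for live DNS A lookups.
SAMPLE_DNS = {"host.bogusbogus.net": ["192.0.2.11"], "mail.example.org": ["198.51.100.7"]}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

# Constructed request: null sender, bogus HELO name that only the wildcard resolves.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "helo_name=host.bogusbogus.net\nsender=\n"
                  "client_address=203.0.113.5\n\n")

if __name__ == "__main__":
    print(policy_action(parse_request(SAMPLE_REQUEST), sample_resolve), end="")
```

In a live deployment `resolve` would be a real A-record lookup, and the batch function would read the stored 4tuple records instead of an in-memory list.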

