On Mon, 31 Mar 2003 09:42:34 -0700, [EMAIL PROTECTED] (Dan Meigs) wrote:

> Jesse,
>
> Before you go down a path aimed at "virtually no lost legitimate mail,"
> please consider the following cautionary tale.
>
> I administer a qmail server using TMDA to reduce spam.

Neat. Me too. TMDA is a great program.

> The system works great with very few spam messages getting through.
> However, like you, I wanted to reduce the load on the server replying to
> bogus e-mail addresses. So I used the "tcpserver -p" method to perform
> reverse DNS lookups on incoming connections. Then I refused connections to
> servers that failed the lookup ($TCPREMOTEHOST not set) with a "451 bad
> reverse DNS" message.
>
> The results seemed stellar. My users weren't receiving spam, and my server
> wasn't working nearly as hard tying up bandwidth with messages to bogus
> e-mail addresses and the associated bounce messages.
>
> Unfortunately, I began getting complaints from users saying "How come Joe
> Blow can't send me e-mail?" It turns out that the tcpserver approach was
> not sufficiently reliable to prevent false positives, and the occasional
> legitimate e-mail was being bounced. Furthermore, Joe Blow was getting a
> bounce message saying it was a "permanent fatal error," leading him to
> think my user's e-mail address was no longer good.

Yeah. That's definitely no good.

I think the primary difference between my suggested approach and requiring
reverse DNS is that my approach will only deny mail if the user is
definitively NOT legitimate. In other words, I'll only permanently deny mail
if a RCPT TO: probe for the sender's mail address fails. I realize that DNS
can go down or react slowly sometimes, and I fully agree with you that at
most the message should only be temporarily rejected if a DNS probe fails.

Now, allow me to interject something here: Since I originally wrote the
message you just replied to, I have actively sought commentary from two
other related mailing lists: qmail and tmda-workers. The qmail list actually
(and this surprised me) seemed very receptive to the idea of a reverse SMTP
probe. The only problem with implementing it in qmail is that it would take
a bit of work.

Jason, TMDA's primary author, originally refused all of my proposals for a
TMDA-specific system to automate bounce handling for pending queue messages
(which is what originally sparked this idea for me: I had a massive amount
of email in my pending queue which bounced no more than a second after it
arrived). However, Jason later proposed to insert a reverse SMTP probe at
the pending queue level (rather than try to drop based on bounces). This new
idea is very intriguing. Basically, any message that makes it to the pending
queue (or doesn't make it to your inbox, depending on how you look at it)
would be piped through a Python, Perl, or C program that would extract the
sender address and attempt a reverse SMTP probe. If the probe definitively
indicates that the user doesn't exist on the specified host, then TMDA drops
the email from the pending queue. I think this new idea may turn out to be
the best solution for TMDA users like you and me.

<snip>

>> --
>> Jesse Guardiani, Systems Administrator
>> WingNET Internet Services,
>> P.O. Box 2605 // Cleveland, TN 37320-2605
>> 423-559-LINK (v) 423-559-5145 (f)
>> http://www.wingnet.net
>>
>> We are actively looking for companies that do a lot of long
>> distance faxing and want to cut their long distance bill by
>> up to 50%. Contact [EMAIL PROTECTED] for more info.
>

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net

We are actively looking for companies that do a lot of long
distance faxing and want to cut their long distance bill by
up to 50%. Contact [EMAIL PROTECTED] for more info.
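The pending-queue filter sketched in the message above (pipe the message through a program, extract the sender address, issue a RCPT TO: probe, and drop only on a definitive failure), as an added Python example that is not code from this thread or from TMDA itself. It assumes a direct connection to the sender domain's host rather than an MX lookup, and the probing hostname and the "exit 1 means drop" convention are hypothetical; anything other than a 5xx answer to RCPT TO keeps the message, matching the "only deny if definitively not legitimate" rule.

```python
import email
import smtplib
import sys
from email.utils import parseaddr

DROP = "drop"      # 5xx on RCPT TO: the remote says the sender address does not exist
UNSURE = "unsure"  # DNS/connect trouble or 4xx: keep the message, never drop on doubt
VALID = "valid"    # the remote accepted RCPT TO: the sender address exists

def extract_sender(raw_message: bytes) -> str:
    """Return the sender address from Return-Path, falling back to Sender/From."""
    msg = email.message_from_bytes(raw_message)
    for header in ("Return-Path", "Sender", "From"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            return addr
    return ""  # null or unparsable sender (e.g. a bounce): nothing to probe

def probe_sender(address: str, smtp_factory=smtplib.SMTP, timeout: float = 10.0) -> str:
    """Ask the sender's mail host whether it would accept RCPT TO:<address>.
    smtp_factory(host, timeout=...) returns an smtplib.SMTP-like object. Assumption:
    we connect to the domain name itself; a deployment would resolve its MX first."""
    domain = address.rsplit("@", 1)[-1]
    try:
        conn = smtp_factory(domain, timeout=timeout)
    except (OSError, smtplib.SMTPException):
        return UNSURE  # an unreachable host is not proof that the address is bogus
    try:
        conn.helo("probe.example.invalid")  # hypothetical name of the probing host
        code, _ = conn.mail("")  # null envelope sender, as a bounce would use
        if code >= 400:
            return UNSURE  # host refuses the probe itself; says nothing about the address
        code, _ = conn.rcpt(address)
    except (OSError, smtplib.SMTPException):
        return UNSURE
    finally:
        try:
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass
    if 500 <= code < 600:
        return DROP  # permanent rejection of the sender is the only drop condition
    return UNSURE if code >= 400 else VALID

def classify_message(raw_message: bytes, **probe_args) -> str:
    sender = extract_sender(raw_message)
    return probe_sender(sender, **probe_args) if sender else UNSURE

if __name__ == "__main__":  # pipe a message in; exit 1 means "drop" (hypothetical convention)
    sys.exit(1 if classify_message(sys.stdin.buffer.read()) == DROP else 0)
```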
