No reason not to use reject_unverified sender (was Re: reject_unverified_sender vs greylisting)

From: João Miguel Neves (no email)
Date: Tue Feb 10 2009 - 13:49:05 EST


    Charles Marcus wrote:
    > Here's a link informing why indiscriminate use of SAV is bad, and what
    > it should be used for:
    >
    > http://www.backscatterer.org/?target=sendercallouts
    OK, I've finished reading and analyzing that text. My conclusion is that
    there's no reason not to use reject_unverified_sender.

    In this answer I'm assuming 1) the postfix implementation of SAV and
    that any implementation and 2) that MTAs implement the RFCs (so they
    have a configuration that matches, for instance, the Book of Postfix).

    There are 3 claims in that text:

    1) That by disabling VRFY, a sysadmin has decided to disable all kinds of
    email address verification.

    Most people disabled VRFY to prevent spammer tests for email addresses,
    nothing else. If you want to disable all tests for email addresses you
    accept all email for all email addresses, even non-existing ones and
    later discard the invalid ones. That's the only way to do it (and the
    reason why some of my clients are using catch-all addresses that they
    redirect to /dev/null).

    2) That a spammer can create a DDOS using SAV.

    You'll get a connection per server to which those were sent (postfix
    caches the request, so it will only validate an email address once).

    SAV actually helps reduce the effect of the DDOS attack. In the non-SAV
    scenario, you get 30 million bounce messages. In the SAV scenario, each
    server does one check per email address (that costs you less bandwidth
    and disk space than a bounce message) and that single check will avoid
    several bounce messages.

    3) That SAV might create a loop.

    The SAV check in postfix is done with the postmaster address by default.
    If the target server does the same check back, then the SAV server
    replies that postmaster is valid (assuming it's well-configured and
    RFC-compliant).

    Have I missed anything?

    -- 
    Intraneia
    http://www.intraneia.com/
    Free Software Support
    Software and website translation/localization
    Software development
    At your service...
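
As an added illustration (not part of the original message), a Postfix main.cf fragment that enables the sender address verification discussed above, with the probe result cache and the probe sender address set explicitly. The map path and the expiry values are assumptions chosen for this example.

```conf
# /etc/postfix/main.cf (fragment, added example)

# Verify the envelope sender before accepting mail. Local networks are
# exempted, and senders in non-existent domains are rejected without a probe.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unknown_sender_domain,
    reject_unverified_sender

# Persistent cache of probe results, so each sender address is probed
# once per cache lifetime rather than once per incoming message.
# The path is an assumption; use a directory writable by the verify(8) service.
address_verify_map = btree:/var/lib/postfix/verify

# Envelope sender used for the probe itself. Set explicitly here so a
# remote site that verifies the probe sender in turn gets a deliverable address.
address_verify_sender = postmaster

# How long results are trusted before a fresh probe is needed
# (illustrative values).
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h

# Reply with a temporary failure for addresses that fail verification,
# so a legitimate sender whose server was briefly unreachable can retry.
unverified_sender_reject_code = 450
```

After a reload, `postconf -n | grep address_verify` shows the values actually in effect, and the mail log records each probe and each cached result used.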
    
