[nSLUG] Whither to bounce unknown recipient address?
D G Teed
donald.teed at gmail.com
Thu Aug 30 20:56:44 ADT 2007
On 8/30/07, Bill Davidson <billdavidson at eastlink.ca> wrote:
> Sure, your DNS setup is reliable, but it doesn't cache all of the DNS tree,
> and there are lots of zones out there for which an authoritative server
> might not be available for some reason. The point is, SMTP is supposed to
> work in the face of DNS failures, and that is why rejects based on such
> lookup failures are usually 4xx "Try again later".
Good point, but at least legit senders get a bounce quickly, as it is.
> Earlier you wrote:
> > the change I was considering would be a
> > significant change as it would mean someone sending
> > in email with a typo of the user address gets no response,
> > as if it had delivered.
> I disagree. If the mail is legit then it is relayed through the sender's
> MTA, and if you reject their mail as undeliverable, which you should, then
> *their* MTA will notify them that their mail could not be delivered because
> your server said "550 User unknown".
> Of course, in my experience, the user will then insist that there is
> *nothing* wrong with the address they used and your mail server is wrong!
You are correct. I misunderstood what this reject change would do.
I see it causes the sender's MTA to send the bounce, so it is cool.
It appears there is nothing equivalent for other types of bounces
for other failures which would come from our MX.
On the postfix list, I have learned of a very simple grey list approach.
One makes a simple DNS entry and iptables rule and most spam is confused.
I like it better than other grey listing I've read about as there is
no whitelist database, and the retry can be very quick.
Might be a temporary success, until the spammers map this out.
> ----- Original Message -----
> From: "D G Teed" <donald.teed at gmail.com>
> To: "Nova Scotia Linux User Group" <nslug at nslug.ns.ca>
> Sent: Thursday, August 30, 2007 3:33 PM
> Subject: Re: [nSLUG] Whither to bounce unknown recipient address?
> > The DNS checks are reliable. My DNS server has as much
> > chance of breaking as postfix, and it uses a local machine
> > server, so it is all in one boat. Anyway, given what I saw
> > today coming from bot nets in Korea, Turkey and Russia, I suspect
> > DNS rejects are just another back scatter method.
> > I think the best solution will be to change the bounce template
> > so that minimal content goes back.
> > --Donald
> > On 8/30/07, Ian Campbell <ian at slu.ms> wrote:
> >> On Thu, Aug 30, 2007 at 03:14:32PM -0300, D G Teed wrote:
> >> > Thanks for the tips. We've got amavisd+SA, RBL+,
> >> > clamav, reject from reverse DNS failure and
> >> > many more configurations to defeat spammers.
> >> > SPF and DKIM are on my to do list.
> >> Be careful with permanent rejections based on DNS checks. If your DNS
> >> breaks, you might be losing mail if your DNS breaks.
> >> _______________________________________________
> >> nSLUG mailing list
> >> nSLUG at nslug.ns.ca
> >> http://nslug.ns.ca/cgi-bin/mailman/listinfo/nslug
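As an added illustration of the point settled in this thread (a 550 at RCPT TO leaves the sender's own MTA to notify its user, while accepting and bouncing afterwards makes our MX the source of the bounce, which is backscatter whenever MAIL FROM was forged), here is a small Python model of the two policies and of the 4xx path for DNS failures. It is not code from the thread or from Postfix; the mailbox list, addresses, policy names and the `sender_is_mta` flag are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed data: mailboxes the receiving MX (example.org) actually hosts.
LOCAL_MAILBOXES = {"donald@example.org", "postmaster@example.org"}


@dataclass
class Message:
    envelope_from: str      # MAIL FROM; spam commonly forges this
    envelope_to: str        # RCPT TO
    sender_is_mta: bool     # True: a real MTA that honours a 550; False: a bot


@dataclass
class Outcome:
    code: int                   # reply to RCPT TO: 250 accept, 450 retry, 550 reject
    dsn_origin: Optional[str]   # "sender MTA" or "receiving MX" if a bounce is produced
    dsn_to: Optional[str]       # address that bounce goes to
    queued_for_retry: bool = False


def rcpt_to(recipient: str, dns_ok: bool, policy: str) -> int:
    """Reply the receiving MX gives at RCPT TO.

    'reject'             : unknown local user -> 550 while the sender is still connected
    'accept_then_bounce' : 250 for everything; unknown users are bounced afterwards
    A DNS lookup failure gets 450 under both policies, so a legitimate sender
    retries later instead of losing the mail.
    """
    if not dns_ok:
        return 450
    if policy == "reject" and recipient not in LOCAL_MAILBOXES:
        return 550
    return 250


def deliver(msg: Message, policy: str = "reject", dns_ok: bool = True) -> Outcome:
    """One delivery attempt from the connecting client through the receiving MX."""
    code = rcpt_to(msg.envelope_to, dns_ok, policy)
    if code == 450:
        # Temporary failure: the sender's MTA keeps the message queued, nobody is bounced.
        return Outcome(code, None, None, queued_for_retry=True)
    if code == 550:
        # The rejection is seen by whoever is on the line. A real MTA tells its own
        # submitting user; a bot just gets a 550 and no bounce exists anywhere.
        if msg.sender_is_mta:
            return Outcome(code, "sender MTA", msg.envelope_from)
        return Outcome(code, None, None)
    if msg.envelope_to not in LOCAL_MAILBOXES:
        # We accepted mail we cannot deliver, so our MX must now bounce it to
        # whatever MAIL FROM claimed: backscatter when that address was forged.
        return Outcome(code, "receiving MX", msg.envelope_from)
    return Outcome(code, None, None)


def bounces_from_our_mx(messages: List[Message], policy: str) -> List[str]:
    """Addresses our own MX would send non-delivery reports to under a policy."""
    outcomes = (deliver(m, policy) for m in messages)
    return [o.dsn_to for o in outcomes if o.dsn_origin == "receiving MX"]


# Constructed traffic: one legitimate typo, two botnet messages with forged senders.
SAMPLE = [
    Message("alice@example.net", "donalb@example.org", sender_is_mta=True),    # typo
    Message("victim@example.com", "xzq7@example.org", sender_is_mta=False),    # spam
    Message("victim2@example.com", "sales@example.org", sender_is_mta=False),  # spam
]

if __name__ == "__main__":
    for policy in ("reject", "accept_then_bounce"):
        print(policy, "-> bounces sent by our MX:", bounces_from_our_mx(SAMPLE, policy))
    print("DNS failure:", deliver(SAMPLE[0], dns_ok=False))
```

Under `reject`, our MX sends no bounces at all: Alice's own MTA tells her about the typo, and the two forged "victims" never hear anything. Under `accept_then_bounce`, the same traffic makes our MX mail two innocent third parties. The 450 path shows why a DNS lookup failure should never be turned into a permanent rejection.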