Mailing List Archive: exim: users

Sender callout verification on BATV signed addresses



bryan.rawlins at onlymyemail, Apr 21, 2009, 1:09 PM (Post #1 of 55)
Sender callout verification on BATV signed addresses

It seems that BATV/PRVS is becoming more and more common in our incoming
mail stream.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTverifyPRVS

Currently it appears that a signed return path is a rarity in UCE,
however as we all know it's probably only a matter of time before that
changes.

So my question is, and I'm strictly looking for personal opinions here:
are callout/callback verifications on the envelope sender when that
sender is signed more acceptable than just doing them in general? I
know SCV in general is a hot topic, I don't wish to rehash its good/bad
points, just wonder if people who are generally against it would be
more amenable if it was only done on signed return paths.

--
Bryan Rawlins
OnlyMyEmail, Inc.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


dlugo at etherboy, Apr 21, 2009, 1:16 PM (Post #2 of 55)
Re: Sender callout verification on BATV signed addresses

On Tue, 21 Apr 2009, Bryan Rawlins wrote:
>
> So my question is, and I'm strictly looking for personal opinions here:
> are callout/callback verifications on the envelope sender when that
> sender is signed more acceptable than just doing them in general? I
> know SCV in general is a hot topic, I don't wish to rehash its good/bad
> points, just wonder if people who are generally against it would be
> more amenable if it was only done on signed return paths.
>

I'm not signing (at home) yet, but I'd still be
against it.

(if anything, they'd be less acceptable - someone
trying to ID bogus bounces, and you want to increase
his connect load, seems wrong)

--
--------------------------------------------------------
Dave Lugo dlugo [at] etherboy LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.



exim-users at lists, Apr 21, 2009, 2:32 PM (Post #3 of 55)
Re: Sender callout verification on BATV signed addresses

Bryan Rawlins wrote:

> It seems that BATV/PRVS is becoming more and more common in our incoming
> mail stream.
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTverifyPRVS
>
> Currently it appears that a signed return path is a rarity in UCE,
> however as we all know it's probably only a matter of time before that
> changes.
>
> So my question is, and I'm strictly looking for personal opinions here:
> are callout/callback verifications on the envelope sender when that
> sender is signed more acceptable than just doing them in general? I
> know SCV in general is a hot topic, I don't wish to rehash its good/bad
> points, just wonder if people who are generally against it would be
> more amenable if it was only done on signed return paths.

Heh. The people who are against sender callout verification are
generally against it under *ANY* circumstance and wouldn't be willing to
even consider entertaining a situation where it might be acceptable.

It's an interesting thought, but I personally wouldn't bother
considering it unless spammers actually start to pretend their emails
are BATV signed. I don't think that will happen.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)



wbh at conducive, Apr 21, 2009, 5:26 PM (Post #4 of 55)
Re: Sender callout verification on BATV signed addresses

Bryan Rawlins wrote:
> It seems that BATV/PRVS is becoming more and more common in our incoming
> mail stream.
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTverifyPRVS
>
> Currently it appears that a signed return path is a rarity in UCE,
> however as we all know it's probably only a matter of time before that
> changes.
>
> So my question is, and I'm strictly looking for personal opinions here:
> are callout/callback verifications on the envelope sender when that
> sender is signed more acceptable than just doing them in general? I
> know SCV in general is a hot topic, I don't wish to rehash its good/bad
> points, just wonder if people who are generally against it would be
> more amenable if it was only done on signed return paths.
>
> --
> Bryan Rawlins
> OnlyMyEmail, Inc.
>

As you asked for 'opinion'...

We do not make sender-verification callouts of any kind.

We might do so if we had a 'pool' of servers under our own control and had
no better way to sync user DBs - but we DO have a better way.

We do 'permit' others to query us for generalized sender-verification,
so long as the query itself comes from a server that passes the same
strict tests as any other incoming connection.

And therein lies a tale.

Heiko S. (who has just posted his rules) cannot send to me nor I to him.

- his server makes a SV callout to mine if/as/when I send.

- my server rejects the connection based on dodgy characteristics of HIS
server. As it would do if he tried to send a message to me.

Catch 22 ...

Bill Hacker








dean at iglou, Apr 21, 2009, 6:08 PM (Post #5 of 55)
Re: Sender callout verification on BATV signed addresses

On Tue, Apr 21, 2009 at 04:09:13PM -0400, Bryan Rawlins wrote:
> So my question is, and I'm strictly looking for personal opinions here:
> are callout/callback verifications on the envelope sender when that
> sender is signed more acceptable than just doing them in general? I
> know SCV in general is a hot topic, I don't wish to rehash its good/bad
> points, just wonder if people who are generally against it would be
> more amenable if it was only done on signed return paths.

Coming from the perspective of an email admin for a medium-sized
regional Internet provider, external hosts that do callbacks against
our mail servers are immediately blocked. It's essentially an
instant-ban for a brief period of time.

You asked for personal opinions, so here's mine: There is never a
single instance where sender callouts are ever acceptable unless you
have prior permission from the remote host.

Callouts are quite reasonable, and useful, within your own email network
however.

--
Dean Brooks
dean [at] iglou






dlugo at etherboy, Apr 21, 2009, 6:42 PM (Post #6 of 55)
Re: Sender callout verification on BATV signed addresses

On Wed, 22 Apr 2009, W B Hacker wrote:
>
> And therein lies a tale.
>
> Heiko S. (who has just posted his rules) cannot send to me nor I to him.
>
> - his server makes a SV callout to mine if/as/when I send.
>
> - my server rejects the connection based on dodgy characteristics of HIS
> server. As it would do if he tried to send a message to me.
>
> Catch 22 ...
>
> Bill Hacker
>

Just WL each other already. No filtering scheme
will be perfect, you have to be able to add
exceptions.

--
--------------------------------------------------------
Dave Lugo dlugo [at] etherboy LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.



wbh at conducive, Apr 21, 2009, 6:56 PM (Post #7 of 55)
Re: Sender callout verification on BATV signed addresses

Dave Lugo wrote:
> On Wed, 22 Apr 2009, W B Hacker wrote:
>> And therein lies a tale.
>>
>> Heiko S. (who has just posted his rules) cannot send to me nor I to him.
>>
>> - his server makes a SV callout to mine if/as/when I send.
>>
>> - my server rejects the connection based on dodgy characteristics of HIS
>> server. As it would do if he tried to send a message to me.
>>
>> Catch 22 ...
>>
>> Bill Hacker
>>
>
> Just WL each other already. No filtering scheme
> will be perfect, you have to be able to add
> exceptions.
>

Easily done, of course, given that we have - through this list, for
example - 'awareness' of each other as other-than spammers.

My point, however, was that 'even if' sender-callouts are permitted,
they can fail for reasons that have naught to do with whether the target
permits / responds to them or not.

That may result in the calling server remaining unaware of the *other*
reasons.

Bill



exim at spectralmud, May 13, 2009, 6:20 PM (Post #8 of 55)
Re: Sender callout verification on BATV signed addresses

On Wed, 22 Apr 2009 06:09:13 Bryan Rawlins wrote:
> So my question is, and I'm strictly looking for personal opinions here;
> Are callout/callback verifications on the envelope sender when that
> sender is signed more acceptable than just doing them in general?
Tony Finch mentioned at some point toying with BATV but suggested signing the
domain rather than the local part. It requires more infrastructure, such as a
trick dns server to host the subdomains which are signed, but it could be a
way for BATV to be used as an authenticity test without leading to the heavy
penalties to the domain owner of SCV. I think it might have other
disadvantages such as a big impact on caching resolvers and dns traffic,
possibly even decreased reliability. But it seems to me that dns scales a lot
better than smtp servers, given the number of RBLs using it as a mechanism to
publish very dynamic data.




iane at sussex, May 14, 2009, 3:34 AM (Post #9 of 55)
Re: Sender callout verification on BATV signed addresses

--On 14 May 2009 11:20:31 +1000 Richard Salts <exim [at] spectralmud> wrote:

> On Wed, 22 Apr 2009 06:09:13 Bryan Rawlins wrote:
>> So my question is, and I'm strictly looking for personal opinions here;
>> Are callout/callback verifications on the envelope sender when that
>> sender is signed more acceptable than just doing them in general?

If people don't want callback verifications to their sites in response to
spoofed email, then they should publish information about where their mail
comes from. There are three cases:

An email verifies with SPF or DKIM or similar - the callback may be
regarded as pointless, but it should not be unwelcome. Bounces,
autoreplies, and so on should all be acceptable.

SPF, DKIM or similar tests fail. Don't do the callback, don't accept the
message. If you do accept the message, make sure that it is not later
bounced, and that autoreplies aren't sent.

SPF, DKIM, or similar tests are inconclusive. In an ideal world, we'd never
see any such email. What you do here depends on your mood. As the world
moves to more widespread adoption of technologies that allow us to detect
spoofing, you'll find yourself here less frequently. Callouts, bounces and
autoreplies should encourage people to deploy such technologies. I'd say that
we should defend the utility of e-mail by being unembarrassed about
auto-replies and callouts when we can't verify the domain. In time, we
should lose our inhibition about bouncing messages of uncertain origin
when they fail other spam tests. Perhaps, one day, all legitimate email
will pass spf, dkim or similar tests.


> Tony Finch mentioned at some point toying with BATV but suggested signing
> the domain rather than the local part. It requires more infrastructure,
> such as a trick dns server to host the subdomains which are signed, but
> it could be a way for BATV to be used as an authenticity test without
> leading to the heavy penalties to the domain owner of SCV. I think it
> might have other disadvantages such as a big impact on caching resolvers
> and dns traffic, possibly even decreased reliability. But it seems to me
> that dns scales a lot better than smtp servers, given the number of RBLs
> using it as a mechanism to publish very dynamic data.



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/



david at ols, May 14, 2009, 3:58 AM (Post #10 of 55)
Re: Sender callout verification on BATV signed addresses

Hi

We use callbacks in a similar way: we do not do the callback
if the incoming mail passes SPF. DKIM is not used to prevent
callbacks because we do callbacks at RCPT time and DKIM needs
to reach DATA. We also use whitelisting to prevent callouts.

> --On 14 May 2009 11:20:31 +1000 Richard Salts <exim [at] spectralmud> wrote:
>
>> On Wed, 22 Apr 2009 06:09:13 Bryan Rawlins wrote:
>>> So my question is, and I'm strictly looking for personal opinions here;
>>> Are callout/callback verifications on the envelope sender when that
>>> sender is signed more acceptable than just doing them in general?
>
> If people don't want callback verifications to their sites in response to
> spoofed email, then they should publish information about where their mail
> comes from. There are three cases:
>
> An email verifies with SPF or DKIM or similar - the callback may be
> regarded as pointless, but it should not be unwelcome. Bounces,
> autoreplies, and so on should all be acceptable.
>
> SPF, DKIM or similar tests fail. Don't do the callback, don't accept the
> message. If you do accept the message, make sure that it is not later
> bounced, and that autoreplies aren't sent.
>
> SPF, DKIM, or similar tests are inconclusive. In an ideal world, we'd never
> see any such email. What you do here depends on your mood. As the world
> moves to more widespread adoption of technologies that allow us to detect
> spoofing, you'll find yourself here less frequently. Callouts, bounces and
> autoreplies should encourage people to deploy such technologies. I'd say that
> we should defend the utility of e-mail by being unembarrassed about
> auto-replies and callouts when we can't verify the domain. In time, we
> should lose our inhibition about bouncing messages of uncertain origin
> when they fail other spam tests. Perhaps, one day, all legitimate email
> will pass spf, dkim or similar tests.
>
>
>> Tony Finch mentioned at some point toying with BATV but suggested signing
>> the domain rather than the local part. It requires more infrastructure,
>> such as a trick dns server to host the subdomains which are signed, but
>> it could be a way for BATV to be used as an authenticity test without
>> leading to the heavy penalties to the domain owner of SCV. I think it
>> might have other disadvantages such as a big impact on caching resolvers
>> and dns traffic, possibly even decreased reliability. But it seems to me
>> that dns scales a lot better than smtp servers, given the number of RBLs
>> using it as a mechanism to publish very dynamic data.
>
>
>

--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------





exim-users at lists, May 14, 2009, 4:21 AM (Post #11 of 55)
Re: Sender callout verification on BATV signed addresses

David Saez Padros wrote:

> We use callbacks in a similar way: we do not do the callback
> if the incoming mail passes SPF. DKIM is not used to prevent
> callbacks because we do callbacks at RCPT time and DKIM needs
> to reach DATA. We also use whitelisting to prevent callouts.

Can I ask why you don't do the call backs in DATA then? If I were to use
callbacks, personally I'd want to make sure they were run at the very
end of my spam filtering to reduce the likelihood of my server being
listed on an RBL for backscatter...

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)



david at ols, May 14, 2009, 4:40 AM (Post #12 of 55)
Re: Sender callout verification on BATV signed addresses

Hi

>> We use callbacks in a similar way: we do not do the callback
>> if the incoming mail passes SPF. DKIM is not used to prevent
>> callbacks because we do callbacks at RCPT time and DKIM needs
>> to reach DATA. We also use whitelisting to prevent callouts.
>
> Can I ask why you don't do the call backs in DATA then? If I were to use
> callbacks, personally I'd want to make sure they were run at the very
> end of my spam filtering to reduce the likelihood of my server being
> listed on an RBL for backscatter...

it takes less resources to do the callback at rcpt than at the very
end of the spam filtering (but we do callouts at the end of all
rcpt checks). You can reduce the chance to get listed on an RBL by
using spf, whitelists, etc .. (callouts also have their own cache)
we have been using callouts since they have existed without ever being
blacklisted

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------





exim-users at lists, May 14, 2009, 4:50 AM (Post #13 of 55)
Re: Sender callout verification on BATV signed addresses

David Saez Padros wrote:

>>> We use callbacks in a similar way: we do not do the callback
>>> if the incoming mail passes SPF. DKIM is not used to prevent
>>> callbacks because we do callbacks at RCPT time and DKIM needs
>>> to reach DATA. We also use whitelisting to prevent callouts.
>> Can I ask why you don't do the call backs in DATA then? If I were to use
>> callbacks, personally I'd want to make sure they were run at the very
>> end of my spam filtering to reduce the likelihood of my server being
>> listed on an RBL for backscatter...
>
> it takes less resources to do the callback at rcpt than at the very
> end of the spam filtering

You could argue that using N lumps of somebody else's resources is worse
than using 10xN lumps of your own. Especially if the 10xN is going idle,
which on many systems it is...

> You can reduce the chance to get listed on an RBL by
> using spf, whitelists, etc .. (callouts also have their own cache)

True, that is an additional way to reduce the chance further.

> we have been using callouts since they have existed without ever being
> blacklisted

You don't want to advertise that fact on mailing lists like this, or
your listing status might get changed.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)



phil at medwayhosting, May 14, 2009, 5:12 AM (Post #14 of 55)
Re: Sender callout verification on BATV signed addresses

----- Original Message -----
From: "Mike Cardwell" <exim-users [at] lists>
To: "Exim Users List" <exim-users [at] exim>
Sent: Thursday, May 14, 2009 12:50 PM
Subject: Re: [exim] Sender callout verification on BATV signed addresses


> > we have been using callouts since they exist without ever being
> > blacklisted
>
> You don't want to advertise that fact on mailing lists like this, or
> your listing status might get changed.

How true. Yesterday, one of my customer's domains was being forged in a spam
run using random LHS. Over 500 servers using callouts got firewalled in that
one.

Callouts are not a good idea. (And before anyone panics - no - I won't get
into a long discussion about it again - just making a point).

All the best

Phil





_____________________________________________

Website Hosting from only £5.00 per month.
www.medwayhosting.com - +44 (0)1634 856965
_____________________________________________

Digital & Traditional Printing, and much more
www.medwayprint.com - +44 (0)1634 281199
_____________________________________________



iane at sussex, May 14, 2009, 5:13 AM (Post #15 of 55)
Re: Sender callout verification on BATV signed addresses

--On 14 May 2009 12:50:19 +0100 Mike Cardwell
<exim-users [at] lists> wrote:

> David Saez Padros wrote:
>
>>>> We use callbacks in a similar way: we do not do the callback
>>>> if the incoming mail passes SPF. DKIM is not used to prevent
>>>> callbacks because we do callbacks at RCPT time and DKIM needs
>>>> to reach DATA. We also use whitelisting to prevent callouts.
>>> Can I ask why you don't do the call backs in DATA then? If I were to
>>> use callbacks, personally I'd want to make sure they were run at the
>>> very end of my spam filtering to reduce the likelihood of my server
>>> being listed on an RBL for backscatter...
>>
>> it takes less resources to do the callback at rcpt than at the very
>> end of the spam filtering
>
> You could argue that using N lumps of somebody else's resources is worse
> than using 10xN lumps of your own. Especially if the 10xN is going idle,
> which on many systems it is...


You'd not be using any lumps of their resource if they used SPF, and gave
you a fighting chance of recognising when email was coming from their
system.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/



david at ols, May 14, 2009, 5:15 AM (Post #16 of 55)
Re: Sender callout verification on BATV signed addresses

Hi

>> it takes less resources to do the callback at rcpt than at the very
>> end of the spam filtering
>
> You could argue that using N lumps of somebody else's resources is worse
> than using 10xN lumps of your own. Especially if the 10xN is going idle,
> which on many systems it is...

We do really very few callouts; zombies get detected before
reaching the callout check, so we almost never do callouts for
mail coming from non-real servers, and for real servers without
SPF that are not whitelisted we only do callouts until those
servers get whitelisted, which is pretty fast if it's a real
server not doing weird things.

On the other hand, checking if a user exists or not should
be quite fast (we don't mind that others do callouts for our
domains, although we use SPF on all of them).

Anyway, if you just want to prevent people doing callouts for your
domains, just publish SPF records; it will not hurt.

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------





john.horne at plymouth, May 14, 2009, 5:24 AM (Post #17 of 55)
Re: Sender callout verification on BATV signed addresses

On Thu, 2009-05-14 at 13:40 +0200, David Saez Padros wrote:
> Hi
>
> >> We use callbacks in a similar way: we do not do the callback
> >> if the incoming mail passes SPF. DKIM is not used to prevent
> >> callbacks because we do callbacks at RCPT time and DKIM needs
> >> to reach DATA. We also use whitelisting to prevent callouts.
> >
> > Can I ask why you don't do the call backs in DATA then? If I were to use
> > callbacks, personally I'd want to make sure they were run at the very
> > end of my spam filtering to reduce the likelihood of my server being
> > listed on an RBL for backscatter...
>
> it takes less resources to do the callback at rcpt than at the very
> end of the spam filtering (but we do callouts at the end of all
> rcpt checks). You can reduce the chance to get listed on an RBL by
> using spf, whitelists, etc .. (callouts also have their own cache)
> we have been using callouts since they have existed without ever being
> blacklisted
>
I think you will find that the MX's for ols.es are indeed listed at
backscatterer.org :

Testresult for 78.129.233.52:
This IP IS CURRENTLY LISTED in our Database.

Testresult for 82.98.132.208:
This IP IS CURRENTLY LISTED in our Database.

And have been listed on and off for a while.




John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: John.Horne [at] plymouth Fax: +44 (0)1752 587001



david at ols, May 14, 2009, 5:32 AM (Post #18 of 55)
Re: Sender callout verification on BATV signed addresses

Hi

good to see ... anyway being on this blacklist has not
caused us any problem

> On Thu, 2009-05-14 at 13:40 +0200, David Saez Padros wrote:
>> Hi
>>
>>>> We use callbacks in a similar way: we do not do the callback
>>>> if the incoming mail passes SPF. DKIM is not used to prevent
>>>> callbacks because we do callbacks at RCPT time and DKIM needs
>>>> to reach DATA. We also use whitelisting to prevent callouts.
>>> Can I ask why you don't do the call backs in DATA then? If I were to use
>>> callbacks, personally I'd want to make sure they were run at the very
>>> end of my spam filtering to reduce the likelihood of my server being
>>> listed on an RBL for backscatter...
>> it takes less resources to do the callback at rcpt than at the very
>> end of the spam filtering (but we do callouts at the end of all
>> rcpt checks). You can reduce the chance to get listed on an RBL by
>> using spf, whitelists, etc .. (callouts also have their own cache)
>> we have been using callouts since they have existed without ever being
>> blacklisted
>>
> I think you will find that the MX's for ols.es are indeed listed at
> backscatterer.org :
>
> Testresult for 78.129.233.52:
> This IP IS CURRENTLY LISTED in our Database.
>
> Testresult for 82.98.132.208:
> This IP IS CURRENTLY LISTED in our Database.
>
> And have been listed on and off for a while.
>
>
>
>
> John.
>

--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------





david at ols, May 14, 2009, 6:48 AM (Post #19 of 55)
Re: Sender callout verification on BATV signed addresses

Hi

> I think you will find that the MX's for ols.es are indeed listed at
> backscatterer.org :
>
> Testresult for 78.129.233.52:
> This IP IS CURRENTLY LISTED in our Database.

just thinking a bit about this: this is the kind of useless RBL
that seems more a revenge of the author against the world than
something useful (*). If you see how IPs are listed in this RBL
you will notice that both bounces and callouts are exclusively
done by real servers. So if you use it to reject anything from
those IPs you will mostly reject legitimate mail; if you use this
RBL to reject callouts then mail coming from your server to
the servers listed in this RBL will be rejected (because it will
fail the callout). On the other hand, we do callouts with a special
username (not <>) to avoid problems with servers rejecting bounces,
so you can use this RBL to reject callouts but you will not catch
our callouts (and many others). The only use of this RBL as a
blacklist is if you are under a DDoS attack (*).

If you read the arguments against callouts, they say that callouts are
a broken technique, but that's not true (at most a deficient
implementation of sender callout could be broken), and the problem
he has is not about sender callouts, it is about people forging his
domain, which he can prevent by publishing SPF records. Same for
backscatter: there is nothing in any RFC I have read that says that
bounces are only for local users; in fact what you can read in RFCs
about bounces is that you should accept them (another question is
that it is obviously much better to reject at SMTP time than to
generate bounces).

(*) Please notice that as this RBL only lists real email servers,
in fact it can be used as a whitelist, which is the most useful
use I can imagine for it.

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------





dlugo at etherboy, May 14, 2009, 7:00 AM (Post #20 of 55)
Re: Sender callout verification on BATV signed addresses

On Thu, 14 May 2009, David Saez Padros wrote:
>
> If you read the arguments against callout it says that callouts are
> a broken technique but that's not true (at most a deficient
> implementation of sender callout could be broken) and the problem
> he has is not about sender callouts is about people forging his
> domain, which he can prevent by publishing spf records. Same for

As a datapoint:

I've seen spammers disregard SPF, and send a few hundred K
items/day that are forged.

--
--------------------------------------------------------
Dave Lugo dlugo [at] etherboy LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.



peter at bowyer

May 14, 2009, 7:03 AM

Post #21 of 55 (3015 views)
Re: Sender callout verification on BATV signed addresses [In reply to]

On 14/05/2009, David Saez Padros <david [at] ols> wrote:
> just thinking a bit about this: this is the kind of useless rbl
> that seems more a revenge of the author against the world than
> something useful

This isn't an appropriate place to discuss the merits of that or any
other DNSBL. The issue of whether callouts are good or evil has been
done to death (the answer is - both), and the operator of
backscatterer.org isn't known for his willingness to listen to
criticism even if he was here.

Can we move on, please?

Thanks

Peter
(co-moderator)


--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



graeme at graemef

May 14, 2009, 7:08 AM

Post #22 of 55 (3018 views)
Re: Sender callout verification on BATV signed addresses [In reply to]

<tag="moderator" hat="on">

Please let's not descend, again, into the callout=evil|perfect debate.

There are several lists, backscatterers.org being the most obvious one,
which will list hosts for carrying out Sender Address Verification. This
has been pointed out many times on this list, and is not an item for
debate - it's a fact.

If list members want to debate the rights and wrongs of a given DNSBL's
listing policy, please take it up with the operator.

</tag>




peter at bowyer

May 14, 2009, 7:10 AM

Post #23 of 55 (3012 views)
Re: Sender callout verification on BATV signed addresses [In reply to]

On 14/05/2009, Dave Lugo <dlugo [at] etherboy> wrote:
> On Thu, 14 May 2009, David Saez Padros wrote:
> >
> > If you read the arguments against callout it says that callouts are
> > a broken technique but that's not true (at most a deficient
> > implementation of sender callout could be broken) and the problem
> > he has is not about sender callouts is about people forging his
> > domain, which he can prevent by publishing spf records. Same for
>
> As a datapoint:
>
> I've seen spammers disregard SPF, and send a few hundred K
> items/day that are forged.

SPF doesn't stop someone sending forgeries, it enables a 3rd party to
opt not to receive them, and especially, not to bounce them to the
forged sender.

A smart spammer might inspect the SPF records of a domain he was about
to forge and not forge a domain that is SPF-protected, though. Even
more reason to SPF-protect your domain.

Peter
--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee

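The point made in the post above, that SPF does not stop forgery but lets the receiving side decline forged mail and, above all, decline it at SMTP time rather than generate a bounce, as an added example that is not part of the thread and not Exim's code. It is a deliberately small SPF evaluator in Python over a constructed in-memory zone table (the domains and addresses are documentation examples, not real records): it handles the ip4, ip6, a, mx, include and all mechanisms plus the redirect= modifier, and omits macros, exists, ptr, CIDR suffixes on a/mx and the DNS lookup limit, so it is for understanding the decision, not for production use. An Exim installation built with SPF support would use its spf ACL condition instead.

```python
import ipaddress

# Constructed zone data for the example (documentation ranges, not real DNS).
ZONE = {
    "TXT": {
        "example.org": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ~all",
        "old.example.org": "v=spf1 redirect=example.org",
    },
    "A": {"mail.example.org": ["203.0.113.25"]},
    "MX": {"example.org": ["mail.example.org"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(rrtype, name):
    return ZONE.get(rrtype, {}).get(name.lower())


def check_host(client_ip, domain, depth=0):
    """Simplified RFC 4408 check_host(): pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"  # include/redirect loop or chain too deep
    record = _lookup("TXT", domain)
    if record is None:
        return "none"  # domain publishes no policy: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128; mismatched IP versions never match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in (_lookup("A", arg or domain) or [])
        elif mech == "mx":
            matched = any(str(ip) in (_lookup("A", mx) or [])
                          for mx in (_lookup("MX", arg or domain) or []))
        elif mech == "include":
            # include matches only on a "pass" of the referenced policy.
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_host(client_ip, redirect, depth + 1)
    return "neutral"  # no mechanism matched and no "all" term


def mail_from_verdict(client_ip, mail_from):
    """Decision at MAIL FROM time. A 5xx here means the forgery is refused in the
    SMTP dialogue and no bounce is ever generated towards the forged sender;
    softfail and neutral are accepted but returned for later scoring."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(client_ip, domain)
    if result == "fail":
        return (550, f"5.7.1 {client_ip} is not permitted to send mail for {domain}", result)
    return (250, "OK", result)
```

The key behaviour to notice is in the include handling and the final -all: a host that the relay's record only softfails is not a pass for example.org, so it falls through to -all and is refused outright, while mail for a domain with no record at all is accepted with "none", which is exactly why the forged-domain owner in the post above has to publish a record before any third party can decline on his behalf.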


dlugo at etherboy

May 14, 2009, 7:22 AM

Post #24 of 55 (3009 views)
Re: Sender callout verification on BATV signed addresses [In reply to]

On Thu, 14 May 2009, Peter Bowyer wrote:
>
> SPF doesn't stop someone sending forgeries, it enables a 3rd party to
> opt not to receive them, and especially, not to bounce them to the
> forged sender.
>
> A smart spammer might inspect the SPF records of a domain he was about
> to forge and not forge a domain that is SPF-protected, though. Even
> more reason to SPF-protect your domain.
>

Can we skip the discussion re how effective SPF is,
its flaws (perceived or otherwise) and how widely
(or not) it's been adopted?

As the person dealing with the blowback due to the
forgery I mentioned, there was little difference to
me whether it was bounces or sv - all of it was
unwanted.

And that's all I say about the matter, in deference
to the moderators.

--
--------------------------------------------------------
Dave Lugo dlugo [at] etherboy LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.



peter at bowyer

May 14, 2009, 7:30 AM

Post #25 of 55 (3016 views)
Re: Sender callout verification on BATV signed addresses [In reply to]

On 14/05/2009, Dave Lugo <dlugo [at] etherboy> wrote:
> On Thu, 14 May 2009, Peter Bowyer wrote:
> >
> > SPF doesn't stop someone sending forgeries, it enables a 3rd party to
> > opt not to receive them, and especially, not to bounce them to the
> > forged sender.
> >
> > A smart spammer might inspect the SPF records of a domain he was about
> > to forge and not forge a domain that is SPF-protected, though. Even
> > more reason to SPF-protect your domain.
> >
>
> Can we skip the discission re how effective SPF is,
> it's flaws (perceived or otherwise) and how widely
> (or not), it's been adopted?

You may. Feel free not to join in... oh, sorry, too late.

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee
