Re: Any objections to rejecting email based on sender callout check?

[Bob Proulx]

Ian Kelling wrote:
> Any objections to rejecting email based on sender callout check?

Okay with me to enable Exim callout verification.

> We've been doing sender callout checks, but failure only caused a 20
> minute delay through greylisting.

The greylisting upon failed VRFY seems reasonable.

For a long time it was standard security policy to disable VRFY and
EXPN commands.  But RFC 821 and later versions all seem to require it
as far as I know.  But people used to disable those commands
regardless.  Because otherwise it was possible to extract valid
addresses from sites and then spam them.

On my system I leave VRFY at the default enabled setting.  I think
most probably do leave it the default enabled these days.  Probably
mostly due to Exim callout verification probes.

> JohnS suspects we were rejecting based on this in the past and
> there's a whitelist in our exim config for some people who had bad
> email servers.

I don't have any direct memory of it but it would not surprise me if
it were enabled for hard rejection in the past.  People get desparate
when trying to block either spam or DDOS and then need to take
sometimes drastic actions to mitigate it.  Having it trigger a
greylisting seems like the safe course of action.

Can you tell if other sites are often getting greylisted and then
having mail accepted on the next try?  Those would be the sites that
are now getting accepted but would then be getting rejected.

Or the opposite of where mail was greylisted but they never returned
to try again and were a likely spammer?  Those would be ones that were
not accepted before and would have no change to them if the temporary
rejection becomes a permanent rejection.  I would be curious to know
how effective this is as an anti-spam technique.

Bob