require verify = sender

interfasys

I wonder if it wouldn't be more efficient to have
require verify = sender
right before
# ACCEPT EMAIL BEGINNING HERE
That way, we wouldn't bug other servers with our requests before having performed some checks (blacklists, RBLs, etc.).

I'm also testing this:
drop message = REJECTED - Sender Verify Failed - error code \"$sender_verify_failure\"\n\n\
     The return address you are using for this email message <$sender_address> \
     does not seem to be a working account.
     !verify = sender/callout=2m,defer_ok
     condition = ${if eq{recipient}{$sender_verify_failure}}

as an alternative
 
In our most recent RC (I haven't looked at any others), we don't do any off-server blocklist checking until after the (optional) test for require verify = sender.

As for your code, have you checked to see if your line:
Code:
!verify = sender/callout=2m,defer_ok
actually verifies that the sender is valid, or only that the domain is valid? Also, have you checked to see how it handles important emails (such as those you get from your registrar or PayPal, among others) that tell you right at the top that they're not sent from a valid mailbox?

That's why we make it optional and don't set it ourselves on our servers.

Jeff
 
In our most recent RC (I haven't looked at any others), we don't do any off-server blocklist checking until after the (optional) test for require verify = sender.

That's what I meant. Checking the sender means sending a request to the server that is supposedly sending the email and asking if the account exists. If you enable this before using the RBLs, you're bugging a lot of remote servers for nothing and risk being identified as a server performing a dictionary attack if you're, yourself, being attacked.

That's the reason I think this bit of code should be inserted where I said in my previous post.

As for my code, yes, it checks for the specific account indicated as a sender in the message Exim gets.
Messages from PayPal, Amazon, etc. are usually not parsed by this rule if you put it at the end, since they will have been whitelisted beforehand.

I think it's good to make it optional, but then it's better if we can make it work well for people who want to enable it; otherwise, if it's that bad, it should simply be removed, no?
 
My understanding is that checking foreign servers only checks to make sure the server exists. Are you sure you're checking for the existence of the user? And how does this protect against spammers who use compromised systems and send from one good address to another, neither address theirs?

In my opinion, Jon Postel got it right.

In case you don't know about him, check the link; he was the first editor of the RFCs and headed IANA until his untimely death.

Jeff
 
I'll check that post, thank you Jeff.
My understanding of this error in my log is that the user doesn't exist.
Code:
16:44:45 H=78.102.dsl.brs.iprimus.net.au [211.26.80.78]:3787 I=[myIP]:25 F=<[email protected]> rejected RCPT <[email protected]>: 
2009-11-30 16:44:46 H=78.102.dsl.brs.iprimus.net.au [211.26.80.78]:3787 I=[69.41.241.138]:25 sender verify fail for <[email protected]>: response to "RCPT TO:<[email protected]>" from cluster2.us.messagelabs.com [216.82.249.211] was: 550 Invalid recipient <[email protected]> (#5.1.1)
This wouldn't protect me from spammers who use valid addresses, but a lot of my spam is sent from random or old addresses. This is just an extra filter.
 
I used that for a couple of days without rejecting the emails and there are too many false positives with automatic mailers, forums, etc.
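
Added example, not part of the thread or of the posters' configuration: a small script for the kind of log-only trial described in the last post, which sorts Exim "sender verify fail" lines by why the callout failed so likely false positives can be counted per sender domain before anything is rejected. The sample lines, hosts and addresses are constructed, and the reason labels are names chosen for this example.

```python
import re
from collections import Counter

# "sender verify fail" entry in the Exim main log, in the shape quoted in the thread.
FAIL = re.compile(r'sender verify fail for <(?P<sender>[^>]*)>: (?P<detail>.*)$')
# Callout detail: which SMTP command the remote MX answered, and its reply code.
CALLOUT = re.compile(
    r'response to "(?P<cmd>[A-Z]+)[^"]*" from (?P<mx>\S+) \[[^\]]*\] was: (?P<code>\d{3})')

def classify(line):
    """Return (sender_domain, reason) for a verify-fail line, or None for other lines."""
    m = FAIL.search(line)
    if not m:
        return None
    domain = m.group('sender').rpartition('@')[2].lower()
    c = CALLOUT.search(m.group('detail'))
    if not c:
        reason = 'no-callout'            # failed before any SMTP dialogue, e.g. routing
    elif c.group('cmd') == 'RCPT' and c.group('code').startswith('5'):
        reason = 'mailbox-rejected'      # remote MX refused the sender's mailbox
    elif c.group('cmd') == 'MAIL':
        reason = 'null-sender-refused'   # remote MX refused the callout's MAIL FROM:<>
    else:
        reason = 'other-' + c.group('code')
    return domain, reason

def summarize(lines):
    """Count verify failures per (sender domain, reason)."""
    return Counter(r for r in map(classify, lines) if r)

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    '2009-11-30 16:44:46 H=dsl.example.net [192.0.2.78]:3787 I=[198.51.100.10]:25 '
    'sender verify fail for <old.user@example.com>: response to '
    '"RCPT TO:<old.user@example.com>" from mx.example.com [203.0.113.5] was: '
    '550 Invalid recipient <old.user@example.com> (#5.1.1)',
    '2009-11-30 16:47:02 H=lists.example.org [192.0.2.20]:4100 I=[198.51.100.10]:25 '
    'sender verify fail for <noreply@Forum.example.org>: response to '
    '"MAIL FROM:<>" from mx.example.org [203.0.113.9] was: 550 bounces not accepted',
    '2009-11-30 16:48:30 H=host.example.net [192.0.2.31]:2201 I=[198.51.100.10]:25 '
    'sender verify fail for <x@nonexistent.example>: Unrouteable address',
    '2009-11-30 16:50:12 H=host.example.net [192.0.2.31]:2202 I=[198.51.100.10]:25 '
    'F=<a@example.com> rejected RCPT <b@example.net>: relay not permitted',
]

if __name__ == '__main__':
    for (domain, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{n:4d}  {domain:28s} {reason}')
```

Domains that show up only under `null-sender-refused` are the automatic mailers and forums that refuse bounces, which makes them candidates for whitelisting rather than evidence of forged senders.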
 