Comments for Robert Millan's blog

Comment on fake DSNs by robertmh

robertmh — Thu, 29 Oct 2009 21:33:17 +0000

Too late, I already found that out on my own. Needless to say, I stopped using it as it was making me reject mail from mx10.gnu.org!!

But thanks for the warning.

Comment on fake DSNs by gnufan

gnufan — Wed, 28 Oct 2009 02:44:50 +0000

Read this, even if you don’t use Postfix:
http://www.postfix.org/BACKSCATTER_README.html

In particular:
Blocking backscatter mail with forged mail server information

Comment on fake DSNs by Anonymous

Anonymous — Tue, 27 Oct 2009 03:57:02 +0000

The sites I know of that use sender callouts do so very carefully. For instance, they do greylisting *first*, and only do the sender callout later after the greylist passes; thus, illegitimate mail servers won’t trigger the callout in the first place. They also only do a callout *once* for a given address (much like greylisting, pass or fail gets remembered), and they delay a random amount for callouts. IIRC they take a few other measures I’ve forgotten about as well.

I can certainly understand that badly done server callouts can cause problems. That doesn’t make the technique inherently bad.

Comment on fake DSNs by James Knight

James Knight — Mon, 26 Oct 2009 22:14:24 +0000

Sender callouts are most emphatically *NOT* good, though. Consider the effect on my mailserver when all 100000 sites on the internet that someone has sent spam to (with my server faked as the sender) attempt to connect to me to verify the account exists. It’s just about as bad as if they were sending DSNs!

And sometimes it’s worse, because some mailservers seem to keep the connection open for a while…I guess just in case they need to send more callouts or something.

This isn’t a theoretical concern: Just last week I had this happen and had to reconfigure my server to allow 500 (vs 20) exim processes, and decrease the idle disconnect delay to 30s.

And, sorry to say, before last week I also though sender callouts were a good idea. (sorry to everyone’s mailservers I unthinkingly helped DOS) :(

Comment on fake DSNs by Anonymous

Anonymous — Mon, 26 Oct 2009 22:01:57 +0000

Oh, and for a more specific higher-profile example, Sourceforge does sender callouts.

Comment on fake DSNs by Anonymous

Anonymous — Mon, 26 Oct 2009 21:58:32 +0000

Sure enough, I just checked, and one of the mail servers I deal with regularly has a listing there, presumably for using sender callouts (since I know it doesn’t do backscatter).

Comment on fake DSNs by Anonymous

Anonymous — Mon, 26 Oct 2009 21:54:01 +0000

Please don’t use this blacklist; it blacklists backscatterers (good) but also blacklists servers that use sender callouts (not good). I know several legitimate mail servers that use sender callouts.

Comment on fake DSNs by robertmh

robertmh — Mon, 26 Oct 2009 21:02:03 +0000

Awesome. I need to look into this when I have time…

Comment on fake DSNs by robertmh

robertmh — Mon, 26 Oct 2009 21:00:10 +0000

Very nice, even with Exim recipe! I just enabled it, let’s see how it performs…

Thank you!

Comment on fake DSNs by Simon

Simon — Mon, 26 Oct 2009 16:36:06 +0000

You might be looking for http://www.backscatterer.org/ .