Charles Marcus escreveu:
Here's a link informing why indiscriminate use of SAV is bad, and what
it should be used for:
http://www.backscatterer.org/?target=sendercallouts
OK, I've finished reading and analyzing that text. My conclusion is that
there's no reason not to use reject_unverified sender.
In this answer I'm assuming 1) the postfix implementation of SAV and
that any implementation and 2) that MTAs implement the RFCs (so they
have a configuration that matches, for instance, the Book of Postfix).
There are 3 claims in that text:
1) That by disabling VRFY, a sysadmin has decided to disable all kind of
email address verification.
Most people disabled VRFY to prevent spammer tests for email addresses,
nothing else. If you want to disable all tests for email addresses you
accept all email for all email addresses, even non-existing ones and
later discard the invalid ones. That's the only way to do it (and the
reason why some of my clients are using catch-all addresses that they
redirect to /dev/null).
2) That a spammer can create a DDOS using SAV.
You'll get a connection per server to which those were sent (postfix
caches the request, so it will only validate an email adress once).
SAV actually helps reduce the effect of the DDOS attack. In the non-SAV
scenario, you get 30 million bounce messages. In the SAV cenario, each
server does one check per email adress (that costs you less bandwidth
and disk space than a Bounce message) and that single check will avoid
several bounce messages.
3) That SAV might create a loop.
The SAV check in postfix is done with the postmaster address by default.
If the target server does the same check back, then the SAV server
replies that postmaster is valid (assuming it's well-configured and
RFC-compliant).
Have I missed anything?
--
Intraneia
http://www.intraneia.com/
Suporte a Software Livre
Tradução/Localização de software e sítios web
Desenvolvimento de software
Ao seu serviço...
