On Thu, Dec 05, 2013 at 12:23:50AM +0530, Nilesh Govindrajan wrote:
> > > What am I missing?
> >
> > Don't let your PHP applications send mail to arbitrary addresses
> > unless they are restricted to authenticated trusted users. If the
> > latter, make sure you have valid sender addresses recorded for each
> > such user, and use these rather than webform input as the sender
> > address. If a submitted message from a trusted user bounces, the
> > right user receives the bounce.
> >
> > If some of your users are spammers, solve that problem, just
> > filtering out messages to invalid recipients is not the right
> > answer.
>
> I have sufficient spam and virus protection using amavisd. That's
> not the issue. Some applications keep trying to send mail to
> addresses which keep failing and it fills the queue. Plus gets
> the server IP a bad name because of frequent failure.
Why are the applications doing this? Sending recipient verification
probes may also be detrimental to your server's reputation.
> And as a hosting service provider I can't control each and every aspect.
> So chose this method.
You're hosting PHP applications for clients that send mail? And
the ones that repeatedly send email to invalid addresses are not
spamming?
You're solving the problem at the wrong layer. Route all mail from
the local submission MSA via an intermediate MTA that performs
content analysis for spam and log analysis for repeated bounces.
Disconnect customers that violate sender best practices or your AUP.
Is hosting PHP apps that send bulk email worth the trouble? I
would severely rate limit mail submission from each client's hosted
site sent to any address outside a small white-list they can change
at most once a week intended to allow unlimited mail to the website
owner. Users who want to send bulk email can work with a legitimate
bulk email provider.
--
Viktor.
