On Sun, 6 Mar 2005, Bob wrote:

> Peter J. Holzer wrote:
>
> >This is strictly a syntax check, though - no semantic verification is
> >(can't require spf but MX in dns is fair to require, because otherwise
> >it's an "open relay"), if so, we might check "built-in". This should be
> >left to plugins, IMHO.

        That's all I was looking for. But some addresses got through that
were picked up by Valid::Address. However, it seems that most invalid
addresses simply mess up the contents of $sender->host so that I can still
test and get an accurate result.

> I think address checking is impossible.

        A limited (but useful) amount of checking can be done locally
(i.e. without using DNSBLs, for example). I never try doing a reverse
connection.

> badhelos are looked for, but only if you have them in a config file.
> Nobody knows if there are no email users in virtual domains with
> websites. ldap directories are not universal. No finger, ident, auth, or
> directory method is universal. If we sent an email to check an address,
> we'd look exactly like a dictionary scan if a spammer had set us up with
> a false From:.

        As noted, I was not trying to verify that the sender account
existed, only that it was a legal address.

> Check the MX for the domain in dns to see if the mta now connected is an
> authorized mta for the From: domain. If not, we're done (can't require
> spf but MX in dns is fair to require, because otherwise it's an "open
> relay"), if so, we might check

        That's bad news. I worked for a major ISP that used separate
inbound and outbound servers (multiple for each), and only the inbound
were tagged as MX. Many other ISPs do the same thing.

> we might check to see if the mta will accept a connection From: as
> To:(and From: <>?).

        This might also be bad news. Many systems that do this ASSUME that
if they get a 5?? error, the (postmaster, for example) account doesn't
exist, but it could be rejecting for other reasons (like nullsender1rcpt
plugin - the declude.com tests fail this one and assume the reason for
it). I know I've been rejected by some mailing lists hosted on sourceforge
because my postmaster address rejected their callback check - the
postmaster account exists and does receive email, so their assumption
means I have to go through a lot of extra hoops because of their
stupidity.

> If the From: mta won't even accept bounces or connect for
> that From: as To:, then we broke a spammer and we're
> done.

        Again, you have to be able to differentiate between the various
reasons that the account may not be accepting your connection. If you
can't figure out why and deal with it accordingly, you shouldn't be
doing the test.

> Since I found out rfc-ignorant is blacklisting yahoo for
> failing to notify rfc-ignorant after closing a spammer
> account rfc-ig wanted closed, and not for refusing to
> shut down a spammer(2002), I'd prefer to do my own
> rfc-ignorant check. An address check is not really an
> address check for valid address--it's really a minimal
> mta check for ignorance.

        Just make sure that if the check is to find a valid postmaster
account, you don't assume it doesn't exist just because you receive a 5??
error rejection - you may be incorrect.

        (Frankly, those checks really don't need to be done at all...)

-- 
Roger Walker
"HIS Pain - OUR Gain"

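An added example, not part of the original message or of qpsmtpd, illustrating the point made above that a 5?? reply to a callback does not by itself show the account is missing. It concludes "mailbox absent" only from the RFC 3463 enhanced status code 5.1.1 and treats every other rejection as inconclusive. The function names, result labels and sample replies are assumptions constructed for illustration.

```python
import re

# Only this RFC 3463 enhanced code is taken as "mailbox does not exist";
# limiting it to 5.1.1 is this example's assumption.
MAILBOX_ABSENT = {"5.1.1"}
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})(?:\s+|$)")

def parse_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into (code, enhanced, text)."""
    code, enhanced, texts = None, None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError("malformed SMTP reply line: %r" % line)
        code, rest = m.group(1), m.group(3) or ""
        e = ENHANCED.match(rest)
        if e and e.group(1)[0] == code[0]:   # class must agree with the basic code
            enhanced = enhanced or e.group(1)
            rest = rest[e.end():]
        texts.append(rest.strip())
        if m.group(2) != "-":                # no hyphen: last line of the reply
            break
    if code is None:
        raise ValueError("empty reply")
    return code, enhanced, " ".join(t for t in texts if t)

def classify_rcpt_reply(raw):
    """Say what a RCPT TO reply to a callback does and does not prove."""
    code, enhanced, _ = parse_reply(raw)
    if code[0] == "2":
        return "accepted"
    if code[0] == "4":
        return "inconclusive-temporary"
    if code[0] == "5":
        return "mailbox-absent" if enhanced in MAILBOX_ABSENT else "inconclusive-rejected"
    return "inconclusive-unexpected"

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "unknown user": "550 5.1.1 <postmaster@example.org>: user unknown",
    "policy": "550-5.7.1 Null-sender probes are refused by policy\r\n"
              "550 5.7.1 Contact postmaster by mail",
    "bare 5xx": "550 Rejected",
    "greylist": "451 4.7.1 Try again later",
    "ok": "250 2.1.5 Ok",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_rcpt_reply(raw))
```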