[EMAIL PROTECTED] wrote:
On Sun, 6 Mar 2005, Bob wrote:
Peter J. Holzer wrote:
Check the MX for the domain in dns to see if the mta now connected is an
authorized mta for the From: domain. If not, we're done (can't require
spf but MX in dns is fair to require, because otherwise it's an "open
relay"), if so, we might check
That's bad news. I worked for a major ISP that used separate
inbound and outbound servers (multiple for each), and only the inbound
were tagged as MX. Many other ISPs do the same thing.
You're right. My ISP doesn't have dns or rdns, which is common and we have to live with it (I'd like rdns but the upstream goes all the way to Broadwing before anybody accepts responsibility, and they're too big to talk to me, and there's no way to squat rdns). My ISP doesn't even have forward dns, no IP assigned to his outgoing, so dnsbl's whois him to sub-net and blacklist him as spam harbor "Broadwing".
we might check to see if the mta will accept a connection From: as
To: (and From: <>?).
This might also be bad news. Many systems that do this ASSUME that if they get a 5?? error, the (postmaster, for example) account doesn't exist, but it could be rejecting for other reasons (like nullsender1rcpt plugin - the declude.com tests fail this one and assume the reason for it). I know I've been rejected by some mailing lists hosted on sourceforge because my postmaster address rejected their callback check - the postmaster account exists and does receive email, so their assumption means I have to go through a lot of extra hoops because of their stupidity.
If the From: mta won't even accept bounces or connect for
that From: as To:, then we broke a spammer and we're
done.
Again, you have to be able to differentiate between the various
reasons that the account may not be accepting your connection. If you
can't figure out why and deal with it accordingly, you shouldn't be
doing the test.
Right. We can see if the mta's are really there and conventionally functional up to a point, assuming that reporting some errors really sounds good compared to spam engines or trojaned pc's.
Since I found out rfc-ignorant is blacklisting yahoo for
failing to notify rfc-ignorant after closing a spammer
account rfc-ig wanted closed, and not for refusing to
shut down a spammer (2002), I'd prefer to do my own
rfc-ignorant check. An address check is not really an
address check for valid address--it's really a minimal
mta check for ignorance.
Just make sure that if the check is to find a valid postmaster account, you don't assume it doesn't exist just because you receive a 5?? error rejection - you may be incorrect.
(Frankly, those checks really don't need to be done at all...)
Trust rfc-ignorant? They ban yahoo. "Kill them all and let God sort them out" isn't letting yahoo or my ISP relay to me.
Move my rfc-ignorant check to spamassassin or meta handler running only the over-the-top dnsbl's rfc-ignorant and spamassassin (handler or spamassassin runs John Wayne and Salem Witch Trials), so blacklisting by those gonzos is only going into a fuzzy score. And what could be better for versatile, fuzzy listing of eclectic rubbish to support fuzzy decision making under a broken standard? Perl and qpsmtpd and open source.
-Bob Dodds
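
The distinction argued over in this thread, as an added example that is not part of the original messages and not qpsmtpd code: a callback probe's RCPT reply is classified by its RFC 3463 enhanced status code, so a policy rejection or a bare 5xx is never read as "mailbox does not exist", and the result feeds a score instead of an outright reject. The function names, score weight and sample replies are assumptions constructed for illustration.

```python
import re

# Parses "550 5.1.1 text" or a bare "550 text"; the enhanced code is optional.
REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})(?:\s|$))?")

def classify_callback(reply):
    """Classify the RCPT reply from a callback probe (hypothetical helper)."""
    m = REPLY_RE.match(reply.strip())
    if not m:
        return "indeterminate"
    code, enhanced = m.group(1), m.group(2)
    if code.startswith("2"):
        return "exists"
    if code.startswith("4"):
        return "temporary"          # greylisting, load: retry, do not judge
    if code.startswith("5"):
        if enhanced == "5.1.1":     # RFC 3463: bad destination mailbox address
            return "no_such_mailbox"
        if enhanced and enhanced.startswith("5.7."):
            return "policy_reject"  # RFC 3463 X.7.x: security or policy status
        return "indeterminate"      # bare 5xx: the reason is unknown
    return "indeterminate"

# Constructed weight: only a confirmed missing mailbox adds to the fuzzy score.
SCORES = {"no_such_mailbox": 1.5}

def callback_score(reply):
    """Score contribution of one callback reply; never a hard reject."""
    return SCORES.get(classify_callback(reply), 0.0)

# Constructed sample replies, not captured from any real server.
SAMPLES = [
    "250 2.1.5 Ok",
    "550 5.1.1 <postmaster@example.org>: user unknown",
    "550 5.7.1 null sender may only have one recipient",
    "550 Rejected",
    "451 4.7.1 Greylisted, try again later",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify_callback(line):16} {callback_score(line):4.1f}  {line}")
```
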