
Re: People forging their From: addresses



On Sat, 3 Oct 1998, Piet Beertema wrote:

> 
>     > It shouldn't be too hard to have an MTA distinguish between a
>     > DNS server failure (SERVFAIL) or an authoritative NXDOMAIN answer.
>     > SERVFAIL resulting in a 4xx error, NXDOMAIN in a 5xx.
>     
>     That's exactly what I did, but I still ended up bouncing perfectly
>     valid mail. Dunno why... beats me. Might be mangling of UDP packets
>     on hosts that don't verify/send UDP checksums (like standard SunOS
>     4.x machines).
>     
> I wouldn't go into that sort of detail anyway: I'd assume
> that *anything* can go wrong with DNS, resulting in unwanted
> bouncing of mail from existing domains if you use 5xx.
> So either stay on the safe side and give 4xx, or take the
> hard approach and the risk and give 5xx.
> 

4xx is better for 2 reasons. It gives legal mail a second chance,
and if one of your customers has set your host as a 2nd MX,
senders to that domain won't get 5xx error mails if you don't allow
2nd MX to your hosts (we don't anymore).

And.... If you have enough CPU/bandwidth, it's actually
almost entertaining to look at the log files when you block SPAM
mail. The sending host will have to take care of the SPAM mail,
and it's up to them to enforce a no-relay policy.

/Uffe
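
The two policies discussed in this thread, as an added example that is not part of the original messages or any MTA's own code: it reads the header of a raw DNS reply for the sender's domain and maps it to an SMTP reply, treating anything unusable (short, mismatched or truncated datagrams) as temporary. The function names, the specific codes 450/550/250 and the sample packets are assumptions made for illustration.

```python
import struct

# DNS RCODE values (RFC 1035)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_rcode(packet, expected_id):
    """Return the RCODE of a DNS reply, or None if the reply is unusable."""
    if len(packet) < 12:
        return None                      # short or mangled datagram
    ident, flags = struct.unpack("!2H", packet[:4])
    if ident != expected_id or not flags & 0x8000:
        return None                      # wrong ID or not a response (QR=0)
    if flags & 0x0200:
        return None                      # TC set: answer is incomplete
    return flags & 0x000F

def sender_domain_verdict(packet, expected_id, hard_fail_nxdomain=False):
    """Map a DNS reply for the sender's domain to (SMTP code, text).

    hard_fail_nxdomain=False: the "safe side" policy, never worse than 4xx.
    hard_fail_nxdomain=True:  the "hard approach", 5xx on NXDOMAIN only.
    """
    rcode = parse_rcode(packet, expected_id)
    if rcode == NOERROR:
        # Simplification: a NOERROR reply with no usable records is not checked.
        return (250, "sender domain resolves")
    if rcode == NXDOMAIN and hard_fail_nxdomain:
        return (550, "sender domain does not exist")
    # SERVFAIL, unusable replies, other RCODEs, or NXDOMAIN under the safe policy
    return (450, "sender domain could not be verified, try again later")

def make_reply(ident, rcode):
    """Build a constructed 12-byte DNS reply header (QR, RD, RA set)."""
    return struct.pack("!6H", ident, 0x8180 | rcode, 1, 0, 0, 0)

if __name__ == "__main__":
    qid = 0x1234  # constructed query ID
    samples = [("NOERROR", make_reply(qid, NOERROR)),
               ("SERVFAIL", make_reply(qid, SERVFAIL)),
               ("NXDOMAIN", make_reply(qid, NXDOMAIN)),
               ("mangled", b"\x12\x34\x81")]
    for label, pkt in samples:
        safe = sender_domain_verdict(pkt, qid)
        hard = sender_domain_verdict(pkt, qid, hard_fail_nxdomain=True)
        print(f"{label:9} safe={safe[0]} hard={hard[0]}")
```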




