Anti-spam measures
Janos Zsako zsako at banknet.net
Mon Jan 12 10:00:46 CET 1998
> From owner-lir-wg at ripe.net Mon Jan 12 09:27:45 1998
> From: Sami Koskinen <tossu at katiska.clinet.fi>
> On Fri, 9 Jan 1998, Poul-Henning Kamp wrote:
>
> >
> > One of the best things to do, would probably be to make a simple turnkey
> > kind of sendmail config available to people.
>
> What I think as the best solution is to patch sendmail
> to check from the name service if we really are in the
> mx list for the incoming mail. This would eliminate
> the need to store the same information to some other
> place, as we already have the information stored in
> the name service.

The idea is good indeed. I am, however, somewhat concerned about the
following potential dangers:

1. The DNS can contain bogus info (including MX records).

2. You could be a victim of a malicious setup. For example, the primary
   of foo.domain puts an MX to one of your hosts protected in the way
   you suggest. When the secondaries have updated the zone, you get a
   large number of spam destined for foo.domain. Your resources may be
   abused, and you can even suffer a DoS. (At the same time, foo.domain
   may even filter out SMTP connections from you, to make sure *his*
   resources are not wasted...).

To summarize, I feel it would be very good to use the info in the DNS
(in order to avoid redundancy in configuration and possible
misconfigurations), however the DNS data may not be trustworthy,
especially for the zones you are not authoritative for.

One should balance between the advantages the suggested patch would
bring and the dangers it exposes the user to...

I personally would feel more comfortable to explicitly allow myself the
domains I want to relay, in spite of the extra work and possible
misconfiguration.

Just my 0.02$.

Janos
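
The trade-off discussed in this message, as an added example that is not part of the original post and is not sendmail code: the relay decision comes from an explicit allowlist, and MX data is used only to audit for drift. All host names, domain names and the MX table are constructed assumptions; a real check would query a resolver.

```python
"""Relay authorization: MX-derived versus explicit allowlist (constructed data)."""

OUR_HOSTS = {"mail.example.net"}        # assumed name of the relay host
RELAY_ALLOWLIST = {"customer.example"}  # domains the operator agreed to relay

# Constructed stand-in for DNS answers. foo.example is a zone we are not
# authoritative for, whose primary lists our host as MX without agreement.
MX_RECORDS = {
    "customer.example": [(10, "mx.customer.example"), (20, "mail.example.net")],
    "foo.example": [(10, "mail.example.net")],
    "other.example": [(10, "mx.other.example")],
}

def rcpt_domain(address):
    """Return the lower-cased domain part of a recipient address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a recipient address: %r" % address)
    return domain.rstrip(".").lower()

def relay_by_mx(address, mx_records=MX_RECORDS):
    """Policy of the proposed patch: relay if any MX for the domain is us."""
    hosts = mx_records.get(rcpt_domain(address), [])
    return any(h.rstrip(".").lower() in OUR_HOSTS for _, h in hosts)

def relay_by_allowlist(address):
    """Policy preferred in the reply: relay only for listed domains."""
    return rcpt_domain(address) in RELAY_ALLOWLIST

def mx_only_domains(mx_records=MX_RECORDS):
    """Audit: domains whose MX names us although nobody allowlisted them."""
    return sorted(d for d in mx_records
                  if relay_by_mx("postmaster@" + d, mx_records)
                  and d not in RELAY_ALLOWLIST)

def allowlisted_without_mx(mx_records=MX_RECORDS):
    """Audit: allowlisted domains whose MX no longer names us (stale entry)."""
    return sorted(d for d in RELAY_ALLOWLIST
                  if not relay_by_mx("postmaster@" + d, mx_records))

if __name__ == "__main__":
    for rcpt in ("a@customer.example", "b@foo.example", "c@other.example"):
        print(rcpt, "mx:", relay_by_mx(rcpt), "allowlist:", relay_by_allowlist(rcpt))
    print("MX points at us, not allowlisted:", mx_only_domains())
    print("allowlisted, MX missing:", allowlisted_without_mx())
```

Run periodically, the two audit functions give the misconfiguration check the MX lookup was meant to provide without letting another zone's records authorize relaying.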