Folks,

I'm curious to know -- Postfix has this address verification
feature, which is kind of like greylisting. Basically, before a
message from a given envelope sender will be accepted, the system has
to get a confirmation that the registered MXes for that envelope
sender domain will at least appear to accept messages for that sender.

What this means is that spammers would have to set up a server
(or have a server set up) that would at least pretend to accept
connections and messages for that domain, and that could be a huge
drain on their resources. If there is one thing that spammers don't
want to do, it's deal with their bounces. Postfix AVE is a way to
force them to commit some resources to at least pretend to deal with
the problem, which may be more than they are willing/able to do.


But I'm hesitant to actually try this out, even in a testing
mode. Before I look any deeper into this concept, has anyone
actually used it? Have you used it on a large system? Did you
notice any particular problem issues? Do you have any advice for
someone who might be contemplating going down this road?

--
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See <http://www.lopsa.org/>.


  • Christopher X. Candreva at May 7, 2006 at 5:49 pm

    On Sun, 7 May 2006, Brad Knowles wrote:

    > I'm curious to know -- Postfix has this address verification
    > feature, which is kind of like greylisting. Basically, before a
    > message from a given envelope sender will be accepted, the system has
    > to get a confirmation that the registered MXes for that envelope
    > sender domain will at least appear to accept messages for that sender.

    This does not scale. Please do not turn this on.

    If everyone did this, it would mean when someone forges my domain into a
    spam run, my servers will be hammered by all these requests to verify this
    bogus mail.


    ==========================================================
    Chris Candreva -- chris at westnet.com -- (914) 967-7816
    WestNet Internet Services of Westchester
    http://www.westnet.com/
  • Brad Knowles at May 7, 2006 at 6:33 pm

    At 1:49 PM -0400 2006-05-07, Christopher X. Candreva wrote:

    > This does not scale. Please do not turn this on.
    >
    > If everyone did this, it would mean when someone forges my domain into a
    > spam run, my servers will be hammered by all these requests to verify this
    > bogus mail.

    Postfix AVE has some intelligence built-in. Information about
    verification failures and successes is cached, and I think the
    positive and negative caching periods are separately configurable
    (with reasonable defaults).

    So, if someone forges your domain on a spam run, you'll get a lot
    of sites around the world who contact your server once per day (or
    once per hour, or however they're configured), and that's it.


    This is a much more scalable solution than might appear at first blush.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>
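The caching argument in the reply above, as an added example that is not part of the original thread: a small model that counts how many verification probes a forged domain's MX receives during a spam run, depending on how long each receiving site caches a negative result. The site count, message rate, expiry times and the `victim.example` address are constructed assumptions, not Postfix defaults.

```python
"""Model of sender-address verification probe load on a forged domain's MX.

Constructed example: the site count, message rate and expiry times used
with it are assumptions for illustration, not Postfix defaults.
"""
from dataclasses import dataclass, field


@dataclass
class VerifyCache:
    """Per-receiver cache of probe results with separate expiry times."""
    positive_ttl: int            # seconds a "deliverable" result is reused
    negative_ttl: int            # seconds an "undeliverable" result is reused
    entries: dict = field(default_factory=dict)  # addr -> (ok, expires_at)

    def lookup(self, addr, now):
        hit = self.entries.get(addr)
        if hit is None or now >= hit[1]:
            return None          # missing or expired: a fresh probe is needed
        return hit[0]

    def store(self, addr, ok, now):
        ttl = self.positive_ttl if ok else self.negative_ttl
        if ttl > 0:              # ttl 0 models a receiver with no cache
            self.entries[addr] = (ok, now + ttl)


def probes_seen_by_victim(sites, msgs_per_site, interval, negative_ttl,
                          positive_ttl=30 * 86400,
                          forged="bogus@victim.example"):
    """Count probes the forged domain's MX receives during a spam run.

    Each of `sites` receivers gets `msgs_per_site` messages, one every
    `interval` seconds, all claiming the same nonexistent sender.
    """
    probes = 0
    for _ in range(sites):
        cache = VerifyCache(positive_ttl, negative_ttl)
        for n in range(msgs_per_site):
            now = n * interval
            if cache.lookup(forged, now) is None:
                probes += 1                       # receiver contacts victim MX
                cache.store(forged, False, now)   # victim says "no such user"
    return probes
```

With 1000 receiving sites each seeing one forged message per minute for a day, the model gives 1,440,000 probes with no cache, 24,000 with a one-hour negative cache, and 1,000 with a one-day negative cache.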
  • Brad Knowles at May 7, 2006 at 6:50 pm

    At 1:49 PM -0400 2006-05-07, Christopher X. Candreva wrote:

    > If everyone did this, it would mean when someone forges my domain into a
    > spam run, my servers will be hammered by all these requests to verify this
    > bogus mail.

    For anyone who wants to read more about this feature of Postfix,
    please see <http://www.postfix.org/ADDRESS_VERIFICATION_README.html>.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>
  • John W. Baxter at May 7, 2006 at 7:28 pm

    On 5/7/06 10:46 AM, "Brad Knowles" wrote:

    > I'm curious to know -- Postfix has this address verification
    > feature, which is kind of like greylisting. Basically, before a
    > message from a given envelope sender will be accepted, the system has
    > to get a confirmation that the registered MXes for that envelope
    > sender domain will at least appear to accept messages for that sender.

    It's not really like greylisting, although it can stop mail from a
    similar--not the same--collection of servers.

    Exim has a similar feature, which some Exim admins use and others believe is
    bad citizenship. (As with Brad's comments, Exim also caches results.)

    Of the Exim admins who use the feature and to whom I listen the most, the
    feeling seems to be that this test (a) needs to be done selectively, as some
    servers respond oddly or uselessly (e.g. Yahoo), and (b) should be done after
    other protections have not stopped a sender. We don't presently use the
    Exim feature.

    Part of selectivity is to ensure that you don't get into a callout loop with
    some sender (part of which is deferring callouts where the MAIL FROM command
    is MAIL FROM:<> until after the DATA command (which the other server's
    callout should never send)).

    Another useful defense can be to delay sending out the initial banner for a
    few seconds and/or delay sending the response to EHLO or HELO for a few
    seconds. Many of the spam engines just press on with the EHLO/HELO in the
    first case or the MAIL FROM: in the second case, and the receiving server
    can then reject the protocol violation (I don't know whether Postfix can do
    that). This is another case where selectivity is a good idea--there is no
    point in slowing things down when known white hats are sending you mail (and
    the delays do eat your resources--open TCP connections).

    --John
  • Brad Knowles at May 7, 2006 at 8:36 pm

    At 12:28 PM -0700 2006-05-07, John W. Baxter wrote:

    > Of the Exim admins who use the feature and to whom I listen the most, the
    > feeling seems to be that this test (a) needs to be done selectively, as some
    > servers respond oddly or uselessly (e.g. Yahoo), and (b) should be done after
    > other protections have not stopped a sender. We don't presently use the
    > Exim feature.

    I am currently testing this feature with "warn_if_reject", so
    it's not actually rejecting any connections or messages that fail
    verification, but it is doing all the other parts of the process.
    And I do have it pushed all the way to the bottom of the stack of
    things that are checked before a message is accepted -- after
    white/black listing (both DNS-based lists and locally maintained),
    after greylisting, after checking reverse DNS or confirming that the
    HELO/EHLO command is given in a legal format, etc....

    > Another useful defense can be to delay sending out the initial banner for a
    > few seconds and/or delay sending the response to EHLO or HELO for a few
    > seconds. Many of the spam engines just press on with the EHLO/HELO in the
    > first case or the MAIL FROM: in the second case, and the receiving server
    > can then reject the protocol violation (I don't know whether Postfix can do
    > that).

    Postfix does have a method of detecting and rejecting
    unauthorized pipelining, and that feature is also turned on.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>
  • Harold Paulson at May 8, 2006 at 5:44 pm
    Brad,
    On May 7, 2006, at 10:46 AM, Brad Knowles wrote:

    > Folks,
    >
    > I'm curious to know -- Postfix has this address verification
    > feature, which is kind of like greylisting. Basically, before a
    > message from a given envelope sender will be accepted, the system has
    > to get a confirmation that the registered MXes for that envelope
    > sender domain will at least appear to accept messages for that sender.

    I use SAV on a smallish server, with a map so it's only invoked for
    oft-spoofed domains (aol, hotmail, etc) with compliant mail servers. I
    don't want it to end up dueling with someone else's greylister. It's
    near the end of my check list and really doesn't get much use.

    - H
