Rich Kulawiec wrote:
On Thu, Aug 12, 2010 at 12:58:51PM -0400, Hector Santos wrote:
In our implementation, we use CBV (Callback Verification) and this
This should never be used; it enables spammers to bypass security
measures, it facilitates DoS/DDoS attacks, and it's easily gamed.
We've known this for most of a decade; figured it out when we watched
Verizon deploy it and promptly get used to target third parties.
See the archives of spam-l for copious discussion and analysis.
-1.
The valid return path is a SMTP requirement and it MUST be valid at
the time it is issued by the sender. Testing it is a VALID option to
perform for the simple reason ERROR REPORTING is a required
possibility. It must not be invalid.
Implemented a CBV correctly, its works extremely well. Ours has a
unique OPEN RELAY test which tries a 2nd bad RCPT TO with a bad remote
domain. If the host accepts it, its a CBV failure and the original
transaction is rejected.
Just today our small support site had over 500 CBV rejections of bad
return paths - that is 500 possible errant Bounces that did not have
to be perform.
None of our customer installations have seen DoS/DDoS due to this
which is an separate issue dealt with connection and session balancing
and limits. I don't see how it allows spammers to bypass security
measures. It can however, make them more compliant - a valid return
path is a SMTP requirement, not a MAYBE, not a COULD be valid later or
tomorrow - but at the time it is provided. Not doing so puts pressure
on the system, which is something we try to alleviate by filtering
SMTP non-compliant clients.
--
Sincerely
Hector Santos
http://www.santronics.com