[122712] in North American Network Operators' Group
Re: Spamhaus...
daemon@ATHENA.MIT.EDU (Daniel Senie)
Sat Feb 20 09:46:59 2010
From: Daniel Senie <dts@senie.com>
In-Reply-To: <f1dedf9c1002192128p7e1759abmd7fbd5e8aae2abf1@mail.gmail.com>
Date: Sat, 20 Feb 2010 09:46:21 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 20, 2010, at 12:28 AM, Scott Howard wrote:
> On Fri, Feb 19, 2010 at 5:20 PM, William Herrin <bill@herrin.us> wrote:
>> On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec <rsk@gsp.org> wrote:
>>> Barracuda's engineers apparently think
>>> that using SPF stops backscatter -- and it most emphatically does not.
>>>
>>> Reject gooooood, bounce baaaaaaad. [1]
>>
>> Whine all you want about backscatter but until you propose a
>> comprehensive solution that's still reasonably compatible with RFC
>> 2821's section 3.7 you're just talking trash.
>
> In the case of Barracuda's long history of Backscatter the solution is
> simple, and is implemented by most other mail vendors - it's called
> "Don't accept incoming mail to an invalid recipient".
>
> Barracudas used to have no way of doing address validation for
> incoming mail, so they would accept it and then bounce it when the
> next hop (eg, the Exchange server) rejected the recipient address.
> They finally fixed this a few years ago, and can not integrate with
> LDAP (and possibly others) for address validation. Of course, it's
> still down to the admin to implement it...
I don't know when this was that they didn't do validation. As long as
I've worked with their stuff, the boxes can connect to your mail server
via SMTP and verify. Many people would put Exchange servers behind the
Barracuda, and those Exchange servers would say "sure, that's valid" to
any request for validation, so adding LDAP support helped with Exchange
server issues (though apparently it's now possible to do verification
via SMTP if you set up your Exchange right). Point is, it's unclear what
you complain about was entirely the making of the vendor you are
complaining about.
The Barracuda boxes will accept mail for domains they know about but
without validating the email address in the event the target mail server
is down. And yes, it'd be nice if they instead sent back a 421 and let
the email queue at the point of origination in such cases. So if a mail
server is down and comes back up, some emails will likely be present in
the queues that shouldn't have been accepted.
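
The gateway behaviour discussed in this thread, as an added example that is not part of the original message and not any vendor's code: the RCPT TO decision is made by asking the next hop over SMTP, an unreachable backend produces a temporary failure instead of an accept, and a canary probe detects a backend that says "valid" to every address. The function names, the HELO name gateway.example and the reply texts are assumptions.

```python
import secrets
import smtplib

def probe_backend(rcpt, host, port=25, timeout=10):
    """SMTP call-forward: return the next hop's RCPT reply code for rcpt,
    or None when the next hop is down or refuses the probe transaction."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            if s.helo("gateway.example")[0] != 250:  # constructed HELO name
                return None
            if s.mail("")[0] != 250:                 # null sender <>
                return None
            return s.rcpt(rcpt)[0]
    except (OSError, smtplib.SMTPException):
        return None

def is_accept_all(domain, probe):
    """A backend that accepts a random, nonexistent mailbox answers
    "sure, that's valid" to everything, so its replies prove nothing
    and another source (e.g. LDAP) is needed for validation."""
    canary = "no-such-user-%s@%s" % (secrets.token_hex(8), domain)
    code = probe(canary)
    return code is not None and 200 <= code < 300

def gateway_reply(rcpt, probe):
    """Reply given to RCPT TO, decided before any message data is accepted."""
    code = probe(rcpt)
    if code is not None and 200 <= code < 300:
        return 250, "OK"
    if code is not None and 500 <= code < 600:
        # Rejected in-session: the sending server reports the failure,
        # so this gateway never generates a bounce of its own.
        return 550, "no such recipient"
    # Backend down or deferring: temporary failure, so the mail stays
    # queued at the point of origin (421 as suggested in the message
    # above; any 4xx reply has that effect).
    return 421, "recipient verification unavailable, try again later"
```

Bind the backend with functools.partial(probe_backend, host=...) to get the one-argument probe that gateway_reply and is_accept_all expect.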