Subject: Re: reject_unknown_sender_domain - still relevant?
From: Jim Seymour (jseymourjimsun.LinxNet.com)
Date: Sun Feb 06 2000 - 12:47:02 CST


In message <20000206212029.A6527tirad.internal.iphil.net>,
dated Sun, 6 Feb 2000 21:20:29 +0800,
"Miguel A.L. Paraz" <mapiphil.net> wrote regarding the subject
"reject_unknown_sender_domain - still relevant?":
>
> Hi all,
>
> I note that the vast majority of "Domain not found:" messages due to
> 'reject_unknown_sender_domain' are from misconfigured sender mail systems, or
> misspellings in user MTA's.

Then, IMO, they should fix them. I see no particularly good reason
to cripple my MTA for the purpose of encouraging their incompetence.

>
> Plus, spammers seem to be stealing EXISTING domains anyway (including ours =( )
> for their fake From's.

<shrug> It's still *valid* tho, right?

>
> Therefore, would you agree that this is no longer useful,

Most definitely not.

> except when used
> against systems relaying through you?

Nobody relays through my corporate system. I run Postfix :-).

> I think it would be good to check
> the sender domains on your clients to protect the mail from being refused
> by strict destination MTAs.

Eh? You don't *really* expect lusers to do this, do you?

>
> Thanks for your opinions,

You're welcome. I apologize if my comments seem a bit harsh. But I've
become rather fed up with spammers and incompetent "admins." I'm not
out to make their lives any easier. What I *am* out to do is protect
my domain from them. And to run mine professionally.

Since I installed Postfix on my firewall (as our e-mail gateway to the
outside world) I have reduced spam by at least an order-of-magnitude.
(And that's a conservative estimate based on my own incoming.) One of
the rules I have in there is indeed "reject_unknown_sender_domain." It,
along with the other checks I have in there, are doing what they were
intended to do. I would note that I have indeed had some legitimate
e-mail rejected. I first talk to the sender to try to get them to fix
their broken or open-relay MTA. Failing that, and if it's a customer
or important vendor, I use sender and/or client checks to "pre-approve"
them. (I do not do this, btw, for "unknowns.") Corporate management
backs me on these policies. In fact: they're looking forward to the
days when I propagate these policies and protections to the remainder
of the corporate divisions. I have a very clueful IT director :-).

Note that mine is a corporate e-mail gateway. I imagine an ISP would
have to be significantly less restrictive than this. Tho I wish I
could find an ISP running Postfix that had implemented a set of rules
similar to what I have at work.

Regards,
Jim

-- 
Jim Seymour                  | PGP Public Key available at:
jseymourjimsun.LinxNet.com  | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
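
Added example, not part of the original message or of Postfix itself: a simplified Python model of how an ordered sender restriction list combines an access-map "pre-approval" with reject_unknown_sender_domain, showing why the access check has to come first. The domain names, the DNS stand-in set, the access-map contents and the map path in the comment are constructed or hypothetical; the model assumes that the first decisive result (OK or REJECT) ends the list.

```python
"""Simplified model of an ordered Postfix sender restriction list (added example)."""

# Constructed data: stand-ins for DNS and for a sender access map such as
# hash:/etc/postfix/sender_access (hypothetical path).
DNS_HAS_MX_OR_A = {"customer.example", "vendor.example"}
SENDER_ACCESS = {"broken-vendor.example": "OK"}  # pre-approved important vendor


def sender_domain(mail_from):
    """Return the lower-cased envelope sender domain, or '' for the null sender."""
    return mail_from.rpartition("@")[2].lower() if "@" in mail_from else ""


def check_sender_access(mail_from):
    """Access-map lookup: OK/REJECT is decisive, DUNNO means keep evaluating."""
    return SENDER_ACCESS.get(sender_domain(mail_from), "DUNNO")


def reject_unknown_sender_domain(mail_from):
    """Reject when the sender domain has neither an MX nor an A record."""
    domain = sender_domain(mail_from)
    if domain and domain not in DNS_HAS_MX_OR_A:
        return "REJECT"
    return "DUNNO"


def evaluate(restrictions, mail_from):
    """Walk the list in order; the first OK or REJECT wins, otherwise permit."""
    for restriction in restrictions:
        result = restriction(mail_from)
        if result in ("OK", "REJECT"):
            return result
    return "OK"


# Pre-approval before the DNS check: the exception takes effect.
WHITELIST_FIRST = [check_sender_access, reject_unknown_sender_domain]
# Pre-approval after the DNS check: the exception is never reached.
WHITELIST_LAST = [reject_unknown_sender_domain, check_sender_access]

if __name__ == "__main__":
    for sender in ("ap@broken-vendor.example", "bob@customer.example",
                   "x@no-such-domain.invalid", ""):
        print(repr(sender), evaluate(WHITELIST_FIRST, sender),
              evaluate(WHITELIST_LAST, sender))
```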