nanog mailing list archives

Re: Spamhaus...

From: Daniel Senie <dts () senie com>
Date: Sat, 20 Feb 2010 09:46:21 -0500


On Feb 20, 2010, at 12:28 AM, Scott Howard wrote:

On Fri, Feb 19, 2010 at 5:20 PM, William Herrin <bill () herrin us> wrote:

On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec <rsk () gsp org> wrote:

Barracuda's engineers apparently think
that using SPF stops backscatter -- and it most emphatically does not.

Reject gooooood, bounce baaaaaaad. [1]


Whine all you want about backscatter but until you propose a
comprehensive solution that's still reasonably compatible with RFC
2821's section 3.7 you're just talking trash.


In the case of Barracuda's long history of Backscatter the solution is
simple, and is implemented by most other mail vendors - it's called
"Don't accept incoming mail to an invalid recipient".

Barracudas used to have no way of doing address validation for
incoming mail, so they would accept it and then bounce it when the
next hop (eg, the Exchange server) rejected the recipient address.
They finally fixed this a few years ago, and can not integrate with
LDAP (and possibly others) for address validation. Of course, it's
still down to the admin to implement it...


I don't know when this was that they didn't do validation. As long as I've worked with their stuff, the boxes can 
connect to your mail server via SMTP and verify. Many people would put Exchange servers behind the Barracuda, and those 
Exchange servers would say "sure, that's valid" to any request for validation, so adding LDAP support helped with 
Exchange server issues (though apparently it's now possible to do verification via SMTP if you set up your Exchange 
right). Point is, it's unclear what you complain about was entirely the making of the vendor you are complaining about.

The Barracuda boxes will accept mail for domains they know about but without validating the email address in the event 
the target mail server is down. And yes, it'd be nice if they instead sent back a 421 and let the email queue at the 
point of origination in such cases. So if a mail server is down and comes back up, some emails will likely be present 
in the queues that shouldn't have been accepted.

Current thread:

Re: Spamhaus..., (continued)
- - - Re: Spamhaus... Rich Kulawiec (Feb 19)
    - Re: Spamhaus... William Herrin (Feb 19)
    - Re: Spamhaus... Larry Sheldon (Feb 19)
    - Re: Spamhaus... William Herrin (Feb 19)
    - Re: Spamhaus... Randy Bush (Feb 19)
    - Re: Spamhaus... William Herrin (Feb 19)
    - Re: Spamhaus... Scott Howard (Feb 19)
    - Re: Spamhaus... Scott Howard (Feb 19)
    - RE: Spamhaus... Frank Bulk (Feb 20)
    - Re: Spamhaus... John Peach (Feb 20)
    - Re: Spamhaus... Daniel Senie (Feb 20)
    - Re: Spamhaus... Valdis . Kletnieks (Feb 20)
    - Re: Spamhaus... Michelle Sullivan (Feb 20)
    - Re: Spamhaus... Rich Kulawiec (Feb 20)
    - Re: Spamhaus... Daniel Senie (Feb 20)
    - Re: Spamhaus... Valdis . Kletnieks (Feb 20)
    - Mail Best Practices and Documentation (was Re: Spamhaus...) Larry Sheldon (Feb 20)
    - Re: Spamhaus... William Herrin (Feb 20)
    - Re: Spamhaus... Larry Sheldon (Feb 20)
    - Re: Spamhaus... Michael Dillon (Feb 20)
    - Re: Spamhaus... Larry Sheldon (Feb 20)

(Thread continues...)