Re: db.debian.org (and related infrastructure) updates
Marco d'Itri wrote:
For a start that sites performing sender verification will participate
in a DDoS on the mail infrastructure of domains forged by spammers.
As we have started to collect stats, out of 1K connections, there are
from 30 to 50 connections that look like sender verify. This is quite
low right now but it could be harmful on big domains if more people use it.
There are two things I really dislike in sender verification. First, you
are using someone else's resources to fight spam. Second, spammers may
adapt in an annoying way (either they will use domains who always answer
a 2xx to rcpt to, or they will use verified emails).
Also, sender verification when seen from the side of the victims is
indistinguishable from a dictionary attack, and may cause deliverability
issues to the hosts attempting it.
I confirm it: we already have blacklisted IPs as they were issuing too
many RCPT TOs on non-existent emails. These were due to sender
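The blacklisting described in the thread, a receiving host counting RCPT TO commands for unknown local users per client IP, as an added example that is not part of the mailing-list discussion and not code from any of the posters. The log format is a constructed, simplified one (not Exim's or Postfix's), the sample lines are made up, and the `threshold` and `window` parameters are assumptions. The block also counts how many of a client's rejections carried an empty envelope sender (`<>`), which is what verification callouts conventionally use, to show that from the victim's side a burst of callouts and a dictionary run trip the same rule:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Hypothetical simplified format:
# <timestamp> client=<ip> from=<envelope sender> rcpt=<recipient> status=<code> <text>
SAMPLE_LOG = """\
2005-03-01T10:00:01 client=203.0.113.5 from=<> rcpt=<alice@example.org> status=550 unknown user
2005-03-01T10:00:20 client=203.0.113.5 from=<> rcpt=<bob@example.org> status=550 unknown user
2005-03-01T10:00:45 client=203.0.113.5 from=<> rcpt=<carol@example.org> status=550 unknown user
2005-03-01T10:01:10 client=203.0.113.5 from=<> rcpt=<dave@example.org> status=550 unknown user
2005-03-01T10:01:30 client=203.0.113.5 from=<> rcpt=<erin@example.org> status=550 unknown user
2005-03-01T10:02:05 client=203.0.113.5 from=<> rcpt=<frank@example.org> status=550 unknown user
2005-03-01T10:03:00 client=198.51.100.7 from=<x1@spam.example> rcpt=<aaron@example.org> status=550 unknown user
2005-03-01T10:03:01 client=198.51.100.7 from=<x2@spam.example> rcpt=<abby@example.org> status=550 unknown user
2005-03-01T10:03:02 client=198.51.100.7 from=<x3@spam.example> rcpt=<abel@example.org> status=550 unknown user
2005-03-01T10:03:03 client=198.51.100.7 from=<x4@spam.example> rcpt=<abner@example.org> status=550 unknown user
2005-03-01T10:03:04 client=198.51.100.7 from=<x5@spam.example> rcpt=<ada@example.org> status=550 unknown user
2005-03-01T10:03:05 client=198.51.100.7 from=<x6@spam.example> rcpt=<adam@example.org> status=550 unknown user
2005-03-01T10:04:00 client=192.0.2.9 from=<joe@partner.example> rcpt=<postmaster@example.org> status=250 ok
2005-03-01T10:04:30 client=192.0.2.9 from=<joe@partner.example> rcpt=<alic@example.org> status=550 unknown user
2005-03-01T10:05:00 client=192.0.2.9 from=<joe@partner.example> rcpt=<alcie@example.org> status=550 unknown user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=<(?P<sender>[^>]*)> "
    r"rcpt=<(?P<rcpt>[^>]*)> status=(?P<code>\d{3})"
)


def parse_line(line):
    """Parse one line of the constructed format; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "sender": m["sender"],
        "rcpt": m["rcpt"],
        "code": int(m["code"]),
    }


def flag_rcpt_probers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"rejections": n, "null_sender": m}} for every client that
    accumulated `threshold` or more unknown-recipient (550) rejections inside a
    sliding `window`. null_sender counts rejections whose envelope sender was
    empty (<>), the sender that verification callouts conventionally use, so an
    operator can see how much of the burst looked like callouts rather than a
    dictionary run. Both kinds are flagged by the same rule on purpose: the
    receiving side cannot reliably tell them apart."""
    recent = defaultdict(deque)  # ip -> timestamps of rejections inside the window
    stats = defaultdict(lambda: {"rejections": 0, "null_sender": 0})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != 550:
            continue  # accepted recipients and unparseable lines do not count
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop rejections that fell out of the window
        stats[ip]["rejections"] += 1
        if rec["sender"] == "":
            stats[ip]["null_sender"] += 1
        if len(q) >= threshold:
            flagged[ip] = stats[ip]  # same dict object, keeps updating after flagging
    return flagged


if __name__ == "__main__":
    for ip, s in flag_rcpt_probers(SAMPLE_LOG.splitlines()).items():
        kind = "looks like sender-verify callouts" if s["null_sender"] == s["rejections"] else "looks like a dictionary run"
        print(f"{ip}: {s['rejections']} unknown-user rejections, {s['null_sender']} with null sender ({kind})")
```

With the constructed log, 203.0.113.5 (six null-sender callout-style probes) and 198.51.100.7 (six probes with rotating senders) both cross the threshold and would be candidates for blocking, while 192.0.2.9 with two typo-looking misses is left alone. The null-sender count is only a hint: a spammer can send MAIL FROM:<> just as easily, which is the point made above about the two being indistinguishable.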