Sender Verification and its Callouts

In the constant fight against spam, one of the many useful tools is Sender Verification. You may have seen references to this when poking around in the exim configuration manager. But what is it? What is it for? What problems can it “cause”?

One of the occasional tell-tale signs of spam, is that it is coming from a sender address or domain that does not exist. Why would you send an email without having your own email address? There are several possible reasons, but the most common answer to that question is that either you are a spammer or you have something misconfigured. And if you are a spammer, I probably don’t want your filthy spammy email anyway. So one way I can filter you out right away so I don’t have to see your spammy email messges is to tell my mailserver daemon not to accept any mail from a domain or address that does not exist. This is called Sender Verification.

There are two main parts to Sender Verification. In exim, these are referred to as Sender Verification, and Sender Verification Callouts.

The more basic of the two is Sender Verification. This is why Sender Verification must be turned on before you can enable the Callouts. Sender Verification just checks if the domain exists. So, for example, if I get an email from an address called “iamlegitiswear@totallynotaspammer.com”, the mailserver will check if the domain “totallynotaspammer.com” exists. Currently, at the time of this writing, that domain does not resolve:

===
[skaryzgik@localhost ~]$ dig any totallynotaspammer.com +short @8.8.8.8 | wc -l
0
===

So my mailserver sees the domain not resolving and figures “uh-oh, this looks bad!” and rejects the mail. And I don’t have to see the spammy spammy message, and exim tells off the sending server. By which I mean, it returns an informative error so that the server admin can see that something weird is going on and they should check their security settings.

Sender Verification Callouts can help stop the receiving of spam in other cases, where the domain itself exists and resolves just fine, but the actual address does not. The way Sender Verification Callouts accomplish this, is that they send a test email to the sender’s address. If the test email works, then the sender address must work, and this particular check will not block the mail. If the test email does not work, the callout fails, and exim decides the sender address does not exist and rejects the message.

Yay! I have less spam running through my server! But wait, there’s more!

Sometimes, Sender Verification or Sender Verification Callouts can appear to cause legitimate mail to not work. For example, here is a problem I see occasionally. The complaint is usually along the lines of “Halp! My php script can’t send mail!”. There are many cases in which a php script would want to send mail, for example if it is a well-protected forum registration page which is resistant to forum spammers. You may want your forum to send each new registrant an introductory email with useful informative links and a few of the basic rules and terms. But the mails don’t get sent and you see errors about addresses not existing but you know very well the recipient exists because you just sent an email there.

Yeah, customers like to panic. Anyway, the sender verification, especially when it’s doing the callouts, if it can’t find the sender, will refer to them as a recipient, because they are a recipient – of the test mail.

So then you might be thinking, “okay, so the server thinks cpaneluser@host.domain.tld doesn’t exist. How is that better? It obviously exists! It’s my main cpanel email user?”

The weird thing about hostnames is lots of people don’t bother to make sure they resolve. They don’t realize they’re used for anything. Similarly with nameservers, but that causes other, sooner-noticed, problems. Make sure the hostname has an A record. WHM has a special page for it so you don’t even have to edit the dns zone yourself.

Of course, you still have to make sure the domain the hostname is under hasn’t expired.

Happy spam hunting!

EDIT: It has been pointed out to me that with these recommendations, you still wouldn’t be able to receive mail from many noreply@ messages, since they do not usually accept mail. I have added finding a suitable solution to my shiny-new to-do list.

Leave a Reply

Your email address will not be published. Required fields are marked *

makalu-septuor