dts at senie.com
Sat Feb 20 14:46:21 UTC 2010
On Feb 20, 2010, at 12:28 AM, Scott Howard wrote:
> On Fri, Feb 19, 2010 at 5:20 PM, William Herrin <bill at herrin.us> wrote:
>> On Fri, Feb 19, 2010 at 3:30 PM, Rich Kulawiec <rsk at gsp.org> wrote:
>>> Barracuda's engineers apparently think
>>> that using SPF stops backscatter -- and it most emphatically does not.
>>> Reject gooooood, bounce baaaaaaad. 
>> Whine all you want about backscatter but until you propose a
>> comprehensive solution that's still reasonably compatible with RFC
>> 2821's section 3.7 you're just talking trash.
> In the case of Barracuda's long history of Backscatter the solution is
> simple, and is implemented by most other mail vendors - it's called
> "Don't accept incoming mail to an invalid recipient".
> Barracudas used to have no way of doing address validation for
> incoming mail, so they would accept it and then bounce it when the
> next hop (eg, the Exchange server) rejected the recipient address.
> They finally fixed this a few years ago, and can not integrate with
> LDAP (and possibly others) for address validation. Of course, it's
> still down to the admin to implement it...
I don't know when this was that they didn't do validation. As long as I've worked with their stuff, the boxes can connect to your mail server via SMTP and verify. Many people would put Exchange servers behind the Barracuda, and those Exchange servers would say "sure, that's valid" to any request for validation, so adding LDAP support helped with Exchange server issues (though apparently it's now possible to do verification via SMTP if you set up your Exchange right). Point is, it's unclear what you complain about was entirely the making of the vendor you are complaining about.
The Barracuda boxes will accept mail for domains they know about but without validating the email address in the event the target mail server is down. And yes, it'd be nice if they instead sent back a 421 and let the email queue at the point of origination in such cases. So if a mail server is down and comes back up, some emails will likely be present in the queues that shouldn't have been accepted.
More information about the NANOG