On Jul 27, 2009, at 7:18 PM, /dev/rob0 wrote:

On Monday 27 July 2009 05:47:29 Simon Waters wrote:
On Monday 27 July 2009 11:13:34 Martijn de Munnik wrote:
Losing catchall seems to be the best solution but some of my customers
want to create an email address for every website they register on.

m...@desjors.nl
pay...@desjors.nl
deb...@desjors.nl

They could use the "recipient_delimiter" for this.

$ postconf -n | grep recipient_delimiter
recipient_delimiter = +

simon+pay...@example.com
simon+...@example.com

Of course the spammers might figure that one out eventually, but most fall into the stupid category. Besides, if the spammers figure it out I'll just change my email to s+i+m+...@example.com and refuse email to lesser parts of the address.

Unfortunately, I have found that many Web programmers don't bother to
read RFCs and find out what characters are allowed in email addresses.
Many sites will not accept a "+" in your username. I think the old
default qmail delimiter, "-", is a better choice for those just now
switching to recipient_delimiter use. Another good one would be ".".

To name one, I tried to get automobile insurance with GEICO, a large
insurer in the USA. If I had access to my old virtual_alias_maps I
could find many more who rejected the "+".
--
   Offlist mail to this address is discarded unless
   "/dev/rob0" or "not-spam" is in Subject: header

I guess I need to prohibit the catch all account and offer the solution with the delimiter instead. That way all spam to bogus email addresses gets rejected because the address does not exist.

But still I wonder if there is a way to stop the spam attack. The catchall account did exist for a long time but was under attack only for a short period (couple of hours). Is there a way to limit the effect of such attacks? The user normally only receives about 10 messages per hour. So hundreds of messages per hour is a clear sign that a spam attack is happening.
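
The volume check described in the last message (about 10 messages per hour normally, hundreds during an attack), as an added example that is not part of the original thread: it counts delivered messages per hour for one domain from Postfix-style log lines and flags burst hours. The log lines are constructed, and the function names, the `baseline` and `factor` values and the `example.com` addresses are assumptions.

```python
import re
from collections import Counter

# Postfix delivery line: "<Mon> <day> <HH:MM:SS> <host> postfix/<proc>[pid]: <qid>: to=<...>, ... status=sent"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"postfix/\w+\[\d+\]:\s+\w+:\s+to=<(?P<to>[^>]*)>"
    r"(?:,\s+orig_to=<(?P<orig>[^>]*)>)?.*\bstatus=sent\b"
)

def hourly_counts(lines, domain):
    """Count delivered messages per (month, day, hour) for one recipient domain."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a successful delivery line
        # With a catchall, orig_to holds the address the sender actually used.
        rcpt = (m.group("orig") or m.group("to")).lower()
        if rcpt.rpartition("@")[2] == domain.lower():
            counts[(m.group("mon"), int(m.group("day")), int(m.group("hour")))] += 1
    return counts

def flag_bursts(counts, baseline=10, factor=10):
    """Hours with at least factor x the normal hourly volume (assumed: 10/hour)."""
    return sorted(k for k, n in counts.items() if n >= baseline * factor)

def sample_log():
    """Constructed sample: a quiet hour (8 messages) and a burst hour (300)."""
    tail = "relay=virtual, delay=0.2, status=sent (delivered to maildir)"
    quiet = [f"Jul 27 09:{i:02d}:00 mx postfix/virtual[2101]: A{i:04X}: "
             f"to=<box@example.com>, orig_to=<site{i}@example.com>, {tail}"
             for i in range(8)]
    burst = [f"Jul 27 11:{i % 60:02d}:00 mx postfix/virtual[2101]: B{i:04X}: "
             f"to=<box@example.com>, orig_to=<x{i}@example.com>, {tail}"
             for i in range(300)]
    noise = ["Jul 27 11:00:01 mx postfix/smtpd[2000]: connect from unknown[192.0.2.10]"]
    return quiet + burst + noise

if __name__ == "__main__":
    counts = hourly_counts(sample_log(), "example.com")
    for mon, day, hour in flag_bursts(counts):
        print(f"burst: {mon} {day} {hour:02d}:00 -> {counts[(mon, day, hour)]} messages")
```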
