> FWIW, I rather have the wrong address email address bounce. That and I
> don't want to eyeball the catch-all to see if it caught anything useful.

Here's the thing. If you have a catch-all address, and something gets delivered to it ... who looks at it and fishes it out and sends it to the right user? It's a *MASSIVE* privacy issue. If there's an SSN in there, or certain other kinds of protected information (HIPAA? Shouldn't be, but...), even if it's the domain admin, it could be Extremely Bad.

> You can fail2ban the password guessers. They'll just keep coming.

Fail2ban is a wonderful tool. It doesn't scale if million-node botnets are the ones attacking. Just saying. If you're running a very small system, they'll poke around a bit and move on. If you're running a very LARGE system, they will hammer at you mercilessly.

> In a perfect world, I would reject email that fails SPF and DKIM.

That's a good thing to do now... or at least greylist it. DKIM validation at the edge (End of Data) is expensive at scale.

> I recall noise from Google making this a plan, which that would force
> all the servers to clean up their act.

They are certainly doing this for all of IPv6, and I think possibly all of IPv4 at this point, but I am not certain.

Which reminds me ... :)

Aloha mai Nai`a.
--
" So this is how Liberty dies ... http://kapu.net/~mjwise/
" To Thunderous Applause.