A spam quandary

At the moment I make use of Exim’s sender verification callout feature, which tries to work out whether the (supposed) sender’s email address given in the HELO is legitimate or not. For this it connects to the remote mail server and tries to do a RCPT TO for that email address. If it can’t find a mail server or gets rebuffed, then the email address is rubbish and Exim rejects the mail even before it gets accepted. This cuts down on a huge volume of mail and also stops the "drive by" spamming of innocent third parties that might get an NDR.

The problem with this is that people are idiots. Most often an automated system (typically shopping carts, it seems) tries to send as apache@domain, which is not a valid address on that system, rather than myshop@domain, which probably is. Sometimes these systems set the Reply-To header in the message, but this isn’t visible in the envelope.

This is causing me an annoyance. On the one hand, if I leave it on, I seem to end up missing semi-important mail (even FON can’t get it right, it seems). On the other, if I disable it, I end up receiving a deluge of junk mail (OK, I have SpamAssassin to sort it for me, but it’s still annoying to have to spend money on the bandwidth and storage).
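One middle ground, shown here as an added example that is not part of the original post: keep the callout on, but skip it for envelope senders known to be broken. The list name `callout_exempt` and the file `/etc/exim/callout_exempt_senders` are assumptions made for illustration.

```exim
# Added example, not the author's configuration.

# --- main section of the Exim configuration ---
# Hypothetical file, one address pattern per line, for example:
#   apache@shop.example
#   *@mailer.shop.example
addresslist callout_exempt = /etc/exim/callout_exempt_senders

# --- inside the ACL named by acl_smtp_rcpt ---
  # Reject at RCPT time when the envelope sender fails the callout,
  # unless that sender is on the exemption list above.
  # defer_ok: a remote server that times out or answers with a temporary
  # error does not cause a rejection here.
  deny    message   = Sender address could not be verified
          !senders  = +callout_exempt
          !verify   = sender/callout=30s,defer_ok
```

Exempted senders bypass only the callout; they still pass through whatever content filtering runs later, so the exemption list should stay short and specific.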

It would be nice if I could start blocking on SURBLs and RHBLs natively with Exim.

Grrrr…