Exim drop vs deny for bad recipients

Tags: email, exim

We're placing a new mail gateway running MailCleaner in our DMZ, and in its default configuration it will deny invalid recipients based on the Exim RCPT ACL. We get tons of spam sent to nonexistent addresses, and so I've tweaked the Exim conf to drop rather than deny on an invalid recipient, and verified that it will drop a connection with a 550 error when a RCPT TO is issued with a bad local address part to our domain.

I'm wondering if there's any downside to doing things this way — I'd rather not have a spam sender be able to connect and simply try one bad address after another, and definitely don't want to accept and/or bounce messages for bad addresses. I know tar-pitting is an option, but frankly it seems like a waste of resources to keep the connection open once a bad address is entered. Is there a drawback to just dropping it over tarpit or plain deny that I'm not aware of? Thanks in advance.
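For reference, here is what the three behaviours discussed (plain deny, drop, and a simple delay-based tarpit) look like as Exim RCPT ACL statements. This is an added illustration, not the MailCleaner configuration or anything from the original post; it assumes the main config selects this ACL with `acl_smtp_rcpt = acl_check_rcpt` and that your own domains are in a `+local_domains` domainlist.

```exim
# Assumed: acl_smtp_rcpt = acl_check_rcpt in the main section, and a
# domainlist named local_domains holding the domains this gateway accepts for.
# Only ONE of the three "unknown user" statements below would be kept in a
# real ACL; they are shown together to compare the verbs.

acl_check_rcpt:

  # Keep postmaster/abuse deliverable regardless of recipient verification.
  accept  local_parts = postmaster : abuse
          domains     = +local_domains

  # Variant 1 (Exim/MailCleaner default behaviour): deny.
  # Sends a 550 for this RCPT but leaves the session open, so the client can
  # keep issuing further RCPT TO commands in the same connection.
  deny    message  = unknown user
          domains  = +local_domains
          !verify  = recipient

  # Variant 2 (what the question configured): drop.
  # Sends the same 550 and then closes the connection; a client with more
  # recipients has to reconnect and replay HELO/MAIL FROM for the rest.
  drop    message  = unknown user
          domains  = +local_domains
          !verify  = recipient

  # Variant 3: deny, but slow the response down once a client has already
  # had several recipients rejected in this message (a lightweight tarpit).
  # $rcpt_fail_count is Exim's count of RCPTs rejected so far in this message;
  # the threshold of 3 and the 10s delay are arbitrary values chosen here.
  deny    message   = unknown user
          domains   = +local_domains
          !verify   = recipient
          condition = ${if > {$rcpt_fail_count}{3}}
          delay     = 10s

  # Recipients in our domains that passed verification are accepted.
  accept  domains = +local_domains

  # Anything else would be relaying; refuse it.
  deny    message = relay not permitted
```

With Variant 3 the first few bad recipients are answered immediately (so a legitimate MTA with a typo is not punished), and only a client that keeps probing addresses pays the delay.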

Best Answer

That sounds a bit "impolite" to "legitimate" invalid recipient deliveries (old addresses, typos, etc). But that's not the biggest problem, in my opinion.

You're really doing yourself a disservice by dropping those connections -- now, rather than just having the sending MTA (legitimate or otherwise) fire all its addresses at you in one hit and get a Yay/Nay on each quickly, you're going to have it connect, get a bunch of Yays, then when it gets a Nay it'll have to reconnect, HELO/FROM/etc, go through all the Yays it did last time, get to the next Nay, get dropped... basically, for a recipient list with N failed recipients, you're going to get N+1 connections rather than 1. For a legitimate server, not such a big deal, but for a spammer with a large number of invalid recipients... ugh.

If you think that a spammer will give up if it gets an invalid address, you're in for a big shock. They're the most persistent buggers out there, hammering away incessantly regardless of how many times they get dropped.

Of course, neither dropping nor denying will work for spammers who retry on 5xx errors... for them, a tarpit or detecting the source IP and 3xx-ing the initial connection are the only options. Or shooting. I prefer shooting.
