On Fri, 18 Jun 2004, Jon Fiedler wrote:

> >In my opinion, any spam filter that silently drops e-mail is broken, and
> >is indeed a security risk. A spam filter MUST respond with a 500 SMTP
> >failure code if it rejects a message.

> This ignores client side spam filters,

Client-side spam filters that silently drop e-mail are broken. They should generate a non-delivery notification. Of course, that leads to all kinds of other nasty problems, so I've concluded that client-side spam filters in general are broken, and the only proper way to do it is on the server, and only by failing the SMTP transaction.

> and doesn't really change the
> attack. The 500 message would be sent back to A, but not B, so B is
> still in the dark about C not receiving the emails.

No; B would get the failure message, because B is the envelope sender.

Regards,

David.
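
The difference between failing the SMTP transaction and silently dropping, as an added example that is not part of the original message: a toy simulation in which only the 5xx path produces a non-delivery notice, and that notice goes to the envelope sender rather than the header From. The addresses, the classifier, the 550 code chosen as the 5xx reply, and the function names are all constructed for illustration.

```python
from email.message import EmailMessage

# Constructed sample: envelope sender (MAIL FROM) and header From deliberately differ.
ENVELOPE_FROM = "b@sender.example"
RCPT_TO = "c@recipient.example"
SPAMMY = "From: someone@other.example\r\nSubject: hi\r\n\r\nBUY CHEAP PILLS NOW\r\n"
CLEAN = "From: someone@other.example\r\nSubject: hi\r\n\r\nMeeting at 10.\r\n"

def receiving_mta(policy, data):
    """Toy receiver: returns (SMTP reply code at end of DATA, fate of the message)."""
    if "cheap pills" not in data.lower():      # stand-in for a real classifier
        return 250, "delivered"
    if policy == "reject":
        return 550, "rejected"                 # 5xx: the transaction itself fails
    return 250, "dropped"                      # accepted, then discarded silently

def sending_mta(policy, envelope_from, rcpt_to, data):
    """Toy sender-side MTA: on a 5xx reply, bounce to the envelope sender."""
    code, fate = receiving_mta(policy, data)
    result = {"code": code, "fate": fate, "bounce_to": None, "dsn": None}
    if 500 <= code <= 599:
        dsn = EmailMessage()
        dsn["From"] = "MAILER-DAEMON@relay.example"
        dsn["To"] = envelope_from              # reverse-path, not the header From
        dsn["Subject"] = "Undelivered Mail Returned to Sender"
        dsn.set_content(f"<{rcpt_to}>: host said {code} at end of DATA\n")
        result.update(bounce_to=envelope_from, dsn=dsn)
    return result

if __name__ == "__main__":
    for policy in ("reject", "drop"):
        r = sending_mta(policy, ENVELOPE_FROM, RCPT_TO, SPAMMY)
        print(policy, r["code"], r["fate"], "bounce ->", r["bounce_to"])
```

With the "drop" policy the sending side sees a 250 and has nothing to report, which is the silent-loss case the message calls broken.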