> From: Keith Moore <moore@cs.utk.edu>

> > That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To
> > to verify addresses in their lists. If you watch an SMTP server that
> > gets much spam, you'll see a lot of SMTP transactions aborted after
> > Rcpt_To, even when the server answered with a 200-series status value.
>
> there's no way to know whether the verification is being done by a
> spammer or for legitimate purposes.

That may be true in general, if you can figure out a legitimate purpose
for the hack. I can't think of one that is not marginally abusive,
including your autoresponder. It is marginally abusive because it wastes
the resources of innocents.

It is clearly false in about half the cases I see in my logs. For example,
when I see such an RCPT from well known spammers or followed a few minutes
or hours later by spam from the same SMTP client, you know what was going
on. I'm not sure what is going on in the many cases I see where such a
probe happens a few minutes after spam from the same SMTP client that is
clearly the spammer.

> > I don't know which of various other mechanisms Keith Moore meant, but
> > I doubt he meant EXPN/VRFY requests or Rcpt_to, because all three
> > are wrecked by common uses of MX secondaries.
>
> no I meant RCPT. a 2xx response doesn't guarantee that the address
> is valid, but a 5xx response is a reasonable assurance that the address
> won't be able to receive mail.
>
> > Note that "[verifying] whether or not the sender actually exists as
> > a user on the mail server for the domain the e-mail is coming from"
> > as stated does not make a lot of sense in the real world.
>
> in many (not all) cases it's fairly safe to assume that a message from
> an unreplyable address is not of interest to a recipient. for instance,
> I use this to filter traffic that is sent to a mail robot autoresponder,
> because there's no point in having the robot process a message and
> generate a response if the reply is going to bounce anyway.

That's distinctly different from the other person's purpose. Knowing that
an address is invalid is distinct from knowing that it is valid. In other
words, how often do you figure you see a 2xx response to a RCPT command
for an invalid address? My guess is at least 50% of invalid addresses
will yield 2xx responses.

Vernon Schryver    vjs@rhyolite.com
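
An added example, not part of the original message: a Python version of the log check discussed in this thread, flagging SMTP sessions that received a 2xx reply to RCPT but never reached DATA, and noting whether the same client delivered a message shortly before or after. The log format, the function names and the six-hour window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format: time, client IP, session id, command, reply.
SAMPLE_LOG = """\
2003-05-01T10:00:00 192.0.2.10 s1 RCPT <alice@example.org> 250
2003-05-01T10:00:01 192.0.2.10 s1 QUIT
2003-05-01T10:20:00 192.0.2.10 s2 RCPT <alice@example.org> 250
2003-05-01T10:20:01 192.0.2.10 s2 DATA 354
2003-05-01T10:20:02 192.0.2.10 s2 QUIT
2003-05-01T10:25:00 192.0.2.10 s5 RCPT <dave@example.org> 250
2003-05-01T10:25:01 192.0.2.10 s5 QUIT
2003-05-01T11:00:00 198.51.100.7 s3 RCPT <bob@example.org> 550
2003-05-01T12:00:00 203.0.113.5 s4 RCPT <carol@example.org> 250
"""
LINE = re.compile(r"(\S+) (\S+) (\S+) (RCPT|DATA|QUIT|RSET)(?: <([^>]*)>)?(?: (\d{3}))?$")

def parse(log):
    # Group log lines by session id; record accepted recipients and whether DATA began.
    sessions = defaultdict(lambda: {"ip": None, "start": None, "rcpt_ok": [], "data": False})
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, sid, verb, addr, code = m.groups()
        s = sessions[sid]
        s["ip"], s["start"] = ip, s["start"] or datetime.fromisoformat(ts)
        if verb == "RCPT" and (code or "").startswith("2"):
            s["rcpt_ok"].append(addr)
        elif verb == "DATA" and (code or "").startswith("3"):
            s["data"] = True
    return sessions

def relation(s, deliveries, window):
    # Compare the aborted session's start with deliveries from the same client.
    deltas = [t - s["start"] for ip, t in deliveries if ip == s["ip"]]
    if any(timedelta(0) < d <= window for d in deltas):
        return "delivery-follows"
    if any(-window <= d < timedelta(0) for d in deltas):
        return "delivery-precedes"
    return "isolated"

def find_probes(log, window=timedelta(hours=6)):
    # A probe candidate: at least one 2xx RCPT reply and no DATA in the session.
    sessions = parse(log)
    deliveries = [(s["ip"], s["start"]) for s in sessions.values() if s["data"]]
    return [(sid, s["ip"], s["rcpt_ok"], relation(s, deliveries, window))
            for sid, s in sorted(sessions.items()) if s["rcpt_ok"] and not s["data"]]
```

Whether a flagged delivery was spam still has to come from the operator's own filtering verdicts; the script only lines up the timing.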