On 9/21/05, Michael Sims <michaels@xxxxxxxxxxxxxx> wrote:
> Additionally, some mail servers unconditionally accept mail addressed to ANY
> username at their domain, whether that user actually exists or not. This is very
> bad practice, because it usually means the accepting MTA is a "dumb" host that has
> to forward all incoming mail to an internal mail server which knows which accounts
> exist, and if that server ends up rejecting the message, the "dumb" MTA creates a
> DSN and sends it back to the envelope sender (which is quite often forged). This
> causes the so-called "backscatter" which results in innocent people getting bounces
> for messages they didn't send. Nevertheless, lots of mail servers are configured
> this way, so you cannot simply assume that an account is real just because you
> didn't get a 5xx on RCPT TO.

Just as a side note, and I do agree that this behaviour is bad practice in
principle, but I imagine they (the MTAs) do this for the same reason that login
prompts don't tell you when you enter a bogus username and still prompt for the
password and give a generic "access denied" error...it prevents username
fishing. Of course, I would think that a better solution would be to do
immediate rejection and then block the remote IP after X send attempts with
invalid usernames, but maybe there's a compelling reason not to do that and I
just haven't thought of it...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
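The policy suggested in the reply above (reject unknown recipients at RCPT TO, then block the remote IP after X invalid attempts), sketched as an added example that is not part of the original message or of any MTA's code. The class name, thresholds, reply texts and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque


class RcptThrottle:
    """Reject unknown recipients at RCPT TO and block IPs that keep guessing."""

    def __init__(self, valid_users, max_invalid=3, window=600, block_for=3600):
        self.valid_users = {u.lower() for u in valid_users}
        self.max_invalid = max_invalid    # the "X" from the message (assumed: 3)
        self.window = window              # seconds over which misses are counted
        self.block_for = block_for        # seconds a blocked IP stays blocked
        self.misses = defaultdict(deque)  # ip -> timestamps of invalid RCPTs
        self.blocked_until = {}           # ip -> time at which the block lifts

    def on_rcpt(self, ip, rcpt, now):
        """Return the SMTP reply for one RCPT TO from `ip` at time `now`."""
        if self.blocked_until.get(ip, 0) > now:
            # Blocked clients learn nothing more about which accounts exist.
            return "554 5.7.1 too many invalid recipients"
        self.blocked_until.pop(ip, None)  # drop an expired block, if any
        if rcpt.lower() in self.valid_users:
            return "250 2.1.5 OK"
        q = self.misses[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                   # forget misses older than the window
        if len(q) >= self.max_invalid:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
        # Rejecting during the SMTP session means no DSN is generated later,
        # so a forged envelope sender receives no backscatter.
        return "550 5.1.1 user unknown"


# Constructed sample traffic: (time, client IP, recipient).
SAMPLE = [
    (0, "192.0.2.10", "admin@example.org"),
    (5, "192.0.2.10", "info@example.org"),
    (9, "192.0.2.10", "sales@example.org"),     # third miss: block starts
    (12, "192.0.2.10", "alice@example.org"),    # real user, but IP is blocked
    (15, "198.51.100.7", "alise@example.org"),  # a single typo from another host
    (20, "198.51.100.7", "alice@example.org"),
]


def replay(events, throttle):
    """Feed events through the throttle and return the three-digit reply codes."""
    return [throttle.on_rcpt(ip, rcpt, t)[:3] for t, ip, rcpt in events]


if __name__ == "__main__":
    print(replay(SAMPLE, RcptThrottle({"alice@example.org"})))
```

Misses are counted per client IP over a sliding window, so a sender with one mistyped address is rejected once and then delivers normally, while a host cycling through guesses is cut off before it can enumerate many accounts.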