J B wrote:
> On 9/21/05, Michael Sims <michaels@xxxxxxxxxxxxxx> wrote:
> > Additionally, some mail servers unconditionally accept mail addressed to ANY
> > username at their domain, whether that user actually exists or not. This is very
> > bad practice, because it usually means the accepting MTA is a "dumb" host that has
> > to forward all incoming mail to an internal mail server which knows which accounts
> > exist, and if that server ends up rejecting the message, the "dumb" MTA creates a
> > DSN and sends it back to the envelope sender (which is quite often forged). This
> > causes the so-called "backscatter" which results in innocent people getting bounces
> > for messages they didn't send. Nevertheless, lots of mail servers are configured
> > this way, so you cannot simply assume that an account is real just because you
> > didn't get a 5xx on RCPT TO.
> Just as a side note, and I do agree that this behaviour is bad
> practice in principle, but I imagine they (the MTAs) do this for the
> same reason that login prompts don't tell you when you enter a bogus
> username and still prompt for the password and give a generic "access
> denied" error... it prevents username fishing.
> Of course, I would think that a better solution would be to do
> immediate rejection and then block the remote IP after X send attempts
> with invalid usernames, but maybe there's a compelling reason not to
> do that and I just haven't thought of it...
If someone else on my ISP tries to "username fish" and gets my ISP's
MTA's IP blocked by any other MTA, I'd sure be pissed off about it.
That's probably the reason why they don't block remote IPs after X
invalid username send attempts -- MTAs are often shared by many, many users.
--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
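An added illustration, not part of the thread: a defender-side check for the RCPT TO behaviour discussed above. It scans constructed Postfix-style smtpd log lines (an assumed format, not real data) for 550 "User unknown" rejections and flags a client that hits many distinct unknown recipients in a short window. It returns a review list rather than a block list because, as Jasper notes, the flagged IP may be an ISP relay shared by many users.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a Postfix-style format (not real data): one client
# walks through guessed usernames, another client sends a single typo.
SAMPLE_LOG = """\
Sep 21 10:00:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown
Sep 21 10:00:03 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abbey@example.org>: Recipient address rejected: User unknown
Sep 21 10:00:05 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abel@example.org>: Recipient address rejected: User unknown
Sep 21 10:00:07 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown
Sep 21 10:00:09 mx postfix/smtpd[124]: NOQUEUE: reject: RCPT from mail.isp.example[198.51.100.7]: 550 5.1.1 <jsaper@example.org>: Recipient address rejected: User unknown
Sep 21 10:00:11 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def parse_unknown_rcpt(log_text):
    """Yield (timestamp, client_ip, recipient) for each 'User unknown' RCPT reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # syslog timestamps carry no year; the default year is fine for windows
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt").lower()

def flag_enumerators(log_text, threshold=5, window_seconds=600):
    """Return {client_ip: distinct_unknown_recipients} for clients that hit
    `threshold` distinct unknown recipients within any `window_seconds` span.
    Distinct recipients are counted so one sender retrying a typo is not flagged."""
    events = defaultdict(list)
    for ts, ip, rcpt in parse_unknown_rcpt(log_text):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Running `flag_enumerators(SAMPLE_LOG)` on the constructed log flags only 192.0.2.10, with five distinct unknown recipients; the single typo from the shared relay is not flagged.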