J B wrote: > On 9/21/05, Michael Sims <michaels@xxxxxxxxxxxxxx> wrote: >> Additionally, some mail servers unconditionally accept mail >> addressed to ANY username at their domain, whether that user >> actually exists or not. This is very bad practice, because it >> usually means the accepting MTA is a "dumb" host that has to forward >> all incoming mail to an internal mail server which knows which >> accounts exist, and if that server ends up rejecting the message, >> the "dumb" MTA creates a DSN and sends it back to the envelope >> sender (which is quite often forged). This causes the so-called >> "backscatter" which results in innocent people getting bounces for >> messages they didn't send. Nevertheless, lots of mail servers are >> configured this way, so you cannot simply assume that an account is >> real just because you didn't get a 5xx on RCPT TO. > > Just as a side note, and I do agree that this behaviour is bad > practice in principle, but I imagine they (the MTAs) do this for the > same reason that login prompts don't tell you when you enter a bogus > username and still prompt for the password and give a generic "access > denied" error...it prevents username fishing. There probably are a few people who accept mail to any address at their domain to foil dictionary attacks, but IMHO the vast majority of servers that are set up this way are due to mail admins who just don't know any better. It's not always easy to set up a border MTA so that it knows about the accounts that exist on an internal machine...it usually involves custom scripting or real-time callouts to the internal server and it takes a relatively knowledgeable admin to implement it (at least that has been my experience). I had someone else email me privately saying that they did the above precisely to foil dictionary attacks, but this person configured his server to simply discard email to nonexistent accounts. That has it's disadvantages (since it could make legit senders believe their messages are being delivered when they aren't) but it least it doesn't create any backscatter. In the default case, accepting all email unconditionally then later rejecting it is just irresponsible, since it makes you a vector for abuse, and could eventually get you blacklisted if other mail servers get sick of receiving bogus bounces from your domain... (As a side note, apparently the list software doesn't like the offtopic nature of this sub-thread (I just received a 550 on this message), so this will be my last post on the matter. But since I've gone to the trouble of typing it up let me throw in the words PHP, web, and Apache, so this will make it through. :) ) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
