> From: wayne <wayne(_at_)midwestcs(_dot_)com>
> ...
> Similarly, I'm not sure that disabling the VRFY SMTP command is a good
> idea. Yes, the VRFY command can be easily used by spammers to do a
> dictionary attack on your server, but if you don't let them do it the
> "easy" way, they will likely do it the "hard" way by sending spam to
> every possible email address. ...

That is not the hard way to do a VRFY when the target SMTP server has
turned off VRFY. Instead the extremely well known alternative consists
of replacing the SMTP VRFY command with two commands. Use a Mail_From
command with any sender that you think will be acceptable to the target
followed by a Rcpt_To command with the address you wish to verify.
The result is at least as reliable as VRFY and does not require
significantly more of your bandwidth, computing, or even thinking.

If you run an SMTP server, you can watch the spammers do zillions of
these sorts of VRFY commands. Spammers use this tactic even when VRFY
is turned on, because this mechanism cannot be turned off and it is so
easy.

Of course, EXPN is something else.

Vernon Schryver vjs(_at_)rhyolite(_dot_)com
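The defensive counterpart to the Mail_From / Rcpt_To probing described above, as an added example that is not part of this thread: since the probing works whether or not VRFY is enabled, the place to notice it is the server's own record of rejected recipients. The log format, addresses and thresholds below are constructed for illustration, not taken from any real MTA.

```python
"""Flag SMTP clients enumerating mailboxes with MAIL FROM / RCPT TO pairs.
Log format is constructed for this example (not a real MTA's):
    <ISO timestamp> client=<ip> rcpt=<address> status=<accepted|rejected>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) "
                     r"status=(?P<status>accepted|rejected)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines we don't recognise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "rcpt": m["rcpt"].lower(), "status": m["status"]}

def find_probers(lines, window=timedelta(minutes=10), min_rejects=5, max_accept_ratio=0.5):
    """Return {ip: (rejected_count, distinct_rejected_rcpts)} for clients that hit min_rejects
    RCPT TO rejections inside one window while most of their RCPT TO commands fail."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        rejected = sorted((e for e in evs if e["status"] == "rejected"), key=lambda e: e["ts"])
        accepted = len(evs) - len(rejected)
        start, burst = 0, 0  # sliding window over rejection timestamps
        for end, ev in enumerate(rejected):
            while ev["ts"] - rejected[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        # Accept-ratio test keeps a normal sender with one mistyped address from tripping the rule.
        if burst >= min_rejects and accepted / len(evs) < max_accept_ratio:
            flagged[ip] = (len(rejected), len({e["rcpt"] for e in rejected}))
    return flagged

# Constructed sample: 203.0.113.7 walks local parts (one real mailbox); 198.51.100.20 is a normal sender.
SAMPLE_LOG = """\
2024-03-01T09:00:01 client=203.0.113.7 rcpt=aaron@example.net status=rejected
2024-03-01T09:00:02 client=203.0.113.7 rcpt=abby@example.net status=rejected
2024-03-01T09:00:03 client=203.0.113.7 rcpt=alice@example.net status=accepted
2024-03-01T09:00:04 client=203.0.113.7 rcpt=alan@example.net status=rejected
2024-03-01T09:00:05 client=203.0.113.7 rcpt=amy@example.net status=rejected
2024-03-01T09:00:06 client=203.0.113.7 rcpt=andy@example.net status=rejected
2024-03-01T09:01:00 client=198.51.100.20 rcpt=bob@example.net status=accepted
2024-03-01T09:01:01 client=198.51.100.20 rcpt=dvae@example.net status=rejected
"""
```

A burst of rejections alone is also what a misaddressed list or bounce storm produces, which is why the rule looks at the accepted share as well as the count.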
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg