> Such behavior is also not restricted to large consumer/recreational
> ISP-like mail systems. Many corporate mail systems have exterior SMTP
> faces that live on machines with no knowledge of the interior
> environment except how to get mail to it. The outside bastion mail
> servers deal with basic filtering, but have no way to know whether a
> particular address is valid or not. This is a simple security issue:
> machines with exterior exposure are not allowed to carry or even
> query confidential databases like the list of valid user names.
> There are arguments on all sides of this sort of configuration, but
> no amount of recommendation by an I[RE]TF body will change it.
One of the arguments against it is that it's just plain dumb. It doesn't of
itself stop the confidential data leaking (I can send you a bunch of
messages and figure it out from the bounces), but it does make you have to
handle bounces to forged addresses in your domains (since remote systems
can't do sender verification against you). And of course you've got all the
spam addressed to former employees (etc) eating up disk and CPU. But like
you say, it's difficult to change the perception that
obscurity -> security.
--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
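The two edge-MTA policies argued over in this thread, as an added simulation that is not part of either poster's message: an "accept every RCPT TO, let the inside bounce it" bastion versus one that rejects unknown recipients at RCPT time using only an opaque (hashed) recipient map, so it never holds the clear-text directory. The directory, the inbound envelopes and the hashed-map approach are all constructed assumptions for illustration.

```python
import hashlib

# Constructed sample data. INTERIOR_USERS is the confidential directory the
# bastion is not allowed to carry; INBOUND is (envelope sender, recipient).
INTERIOR_USERS = {"alice@example.test", "bob@example.test"}
INBOUND = [
    ("partner@other.test", "alice@example.test"),          # legitimate
    ("victim@innocent.test", "ex-employee@example.test"),  # forged sender, departed user
    ("victim@innocent.test", "zzz123@example.test"),       # forged sender, dictionary guess
    ("bob@example.test", "bob@example.test"),              # legitimate
]


def hashed_recipient_map(users):
    """Assumed compromise: the bastion carries only SHA-256 digests of valid
    addresses, not the names themselves (this still does not stop a remote
    sender probing RCPT TO to enumerate names, as the reply above notes)."""
    return {hashlib.sha256(u.lower().encode()).hexdigest() for u in users}


def rcpt_accept_all(rcpt, rmap):
    """Policy from the quoted text: the bastion cannot tell valid from invalid."""
    return True


def rcpt_verify(rcpt, rmap):
    """Policy the reply argues for: reject unknown recipients during the SMTP
    transaction, so no message is queued and no bounce is ever generated."""
    return hashlib.sha256(rcpt.lower().encode()).hexdigest() in rmap


def run_edge(policy, inbound, rmap):
    """Return (messages accepted, list of forged senders that receive bounces)."""
    accepted, backscatter = 0, []
    for sender, rcpt in inbound:
        if not policy(rcpt, rmap):
            continue  # 5xx at RCPT TO: the remote MTA owns the failure
        accepted += 1
        if rcpt not in INTERIOR_USERS:
            backscatter.append(sender)  # inside bounces to the (forged) sender
    return accepted, backscatter


def compare_policies():
    rmap = hashed_recipient_map(INTERIOR_USERS)
    return {
        "accept_all": run_edge(rcpt_accept_all, INBOUND, rmap),
        "verify": run_edge(rcpt_verify, INBOUND, rmap),
    }
```

Running compare_policies() shows the accept-all edge queuing all four messages and sending two bounces to a forged third party, while the verifying edge queues two and bounces none.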