Side note; Why do we cc direct users when we writing to the mailing list
too? Just wondering.
----- Original Message -----
From: "Yakov Shafranovich" <research(_at_)solidmatrix(_dot_)com>
To: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
Cc: "Matthew Elvey" <matthew(_at_)elvey(_dot_)com>; <Asrg(_at_)ietf(_dot_)org>
Sent: Sunday, November 30, 2003 12:50 AM
Subject: Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID
Verification)
In your definition of an open relay is a server that is allowed to say
"250" to every RCPT TO command for a *local* domain! There is *nothing*
in ANY RFC that states that an SMTP server is not allowed to do that.
Therefore, your definition is inconsistent with the existing standards
since you are expecting SMTP servers to do something that is not in the
specs.
Please my mail better Yakov.
I am perfectly aware the SMTP server may accept RCPT TO: without validation
for local domains. Geez, been designing SMTP ready software for quite a
years now and it ranks among the best. So give me a break, huh?
Our software also offers a [X] Validate Local User option as well. When
off, the validation is delayed until the gateway mail processor gets a hold
of the mail. However, it must be delivered or a bounce notification is
immediately sent back. That is the difference! It can go into LA-LA land.
You stated YAHOO is accept all RCTP TO: to avoid "harvesting," which is not
quite the case as I will show.
What I had stated is that If YAHOO is accepted ALL addresses, including
accepting the open relay test against a totally random email domain, then it
is an OPEN RELAY:
Anyway, lets test to see if YAHOO will send a BOUNCE notification to a fake
address but with a proper MAIL FROM: address.
OK, notice this transaction:
220 YSmtp mta239.mail.scd.yahoo.com ESMTP service ready
HELO LOCALHOST
250 mta239.mail.scd.yahoo.com
MAIL FROM: <winserver(_dot_)support(_at_)winserver(_dot_)com>
250 sender <winserver(_dot_)support(_at_)winserver(_dot_)com> ok
RCPT TO: <sant9442(_at_)bellsouth(_dot_)net>
550 relaying denied for <sant9442(_at_)bellsouth(_dot_)net>
RCPT TO: <asdasdas(_at_)yahoo(_dot_)com>
250 recipient <asdasdas(_at_)yahoo(_dot_)com> ok
DATA
354 go ahead
THIS IS A BOUNCE TEST TO SEE IF YAHOO WILL BOUNCE THE MAIL
BACK TO WINSERVER(_dot_)SUPPORT(_at_)WINSERVER(_dot_)COM
.
554 delivery error: dd This user doesn't have a yahoo.com account
(asdasdas(_at_)yaho
o.com) [-5] - mta239.mail.scd.yahoo.com
quit
221 mta239.mail.scd.yahoo.com
Ok, so you were not quite right about Yahoo yourself.. They are not
addressing the harvesting problem. But instead delaying the user validation
handling until the DATA point is receive. You either offer a dynamic
ACCEPT/REJECT or a delay BOUNCE, which many systems do to offload processing
issues.
YAHOO is doing Local User validation by delaying the process until the data
is received, which is probably done as a backend thread lookup while the
session thread was being receiving data. Perfectly legit design to help in
the optimization process.
Nonethless, Yakov. This is good News! This make WCSAP even better. I will
now add this logic by detected the YAHOO MTA and go the DATA state. This
will make WCSAP stronger now and work with YAHOO. I am going to explore the
other ISP as well to see if they also do delayed validation at the DATA
state.
Thanks YAKOV!
---
Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg