
Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)

2003-11-30 00:03:28
Hector Santos wrote:
Side note: why do we cc direct users when we are writing to the mailing list
too? Just wondering.

That argument has been raised many times. Some people filter the main list traffic into a different folder unless it is also addressed to them directly.

----- Original Message ----- From: "Yakov Shafranovich" <research(_at_)solidmatrix(_dot_)com>
In your definition, an open relay is a server that is allowed to say
"250" to every RCPT TO command for a *local* domain! There is *nothing*
in ANY RFC that states that an SMTP server is not allowed to do that.
Therefore, your definition is inconsistent with the existing standards,
since you are expecting SMTP servers to do something that is not in the
specs.


[..]

Ok, so you were not quite right about Yahoo yourself. They are not
addressing the harvesting problem, but instead delaying the user validation
handling until the DATA point is received. You either offer a dynamic
ACCEPT/REJECT or a delayed BOUNCE, which many systems do to offload processing
issues.


I believe that it has been mentioned before that the reason why they do it that way is because spammers tend to do dictionary attacks using RCPT TO.

YAHOO is doing Local User validation by delaying the process until the data
is received, which is probably done as a backend thread lookup while the
session thread is receiving data. Perfectly legit design to help in
the optimization process.


Correct.

Nonetheless, Yakov, this is good news! This makes WCSAP even better. I will
now add this logic by detecting the YAHOO MTA and going to the DATA state. This
will make WCSAP stronger now and work with YAHOO. I am going to explore the
other ISPs as well to see if they also do delayed validation at the DATA
state.


What happens if this is a legit user? You will end up sending an email to him, since at the DATA command the MTA will accept the message. So therefore, for those MTAs which answer 250 to all RCPT TOs and do validation after the DATA command, your method of verification will result in an extra email message to the user, which itself can be considered spam by the user (same argument as the C/R business).

What I would like to narrow down is what purpose does this proposal address? What exact forgery does it solve?

Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Fight spam, but keep it in perspective" (Brad Templeton)
-------
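The exchange discussed above, as an added Python simulation that is not part of the original thread and is not Yahoo's MTA or WCSAP code: a mock MTA that answers 250 to every RCPT TO for its local domain and looks users up only at DATA, beside a callback check that stops at RCPT TO and one pushed through DATA. The domain "example.com" and the local user table are constructed.

```python
"""Why deferred recipient validation defeats RCPT TO callback checks,
and what pushing the check through DATA costs (constructed example)."""

LOCAL_USERS = {"alice", "bob"}  # constructed local user table


class DeferredValidationMTA:
    """Accepts every RCPT TO for its own domain; validates users at DATA."""

    def __init__(self, domain, users):
        self.domain, self.users = domain, users
        self.rcpts = []      # recipients of the current transaction
        self.delivered = []  # (user, body) pairs actually delivered

    def rcpt_to(self, addr):
        local, _, dom = addr.partition("@")
        if dom != self.domain:
            return "550 relaying denied"   # still not an open relay
        self.rcpts.append(local)           # no user lookup at this stage
        return "250 OK"

    def data(self, body):
        # Backend lookup happens only now: unknown users are rejected
        # (or bounced later), known users really receive the message.
        known = [u for u in self.rcpts if u in self.users]
        unknown = [u for u in self.rcpts if u not in self.users]
        self.delivered.extend((u, body) for u in known)
        self.rcpts = []
        if unknown and not known:
            return "550 no such users"
        return "250 queued"


def verify_at_rcpt(mta, addr):
    """Callback that stops after RCPT TO and aborts (RSET); sends nothing."""
    reply = mta.rcpt_to(addr)
    mta.rcpts = []  # RSET: transaction abandoned, no message delivered
    return reply.startswith("250")


def verify_at_data(mta, addr):
    """Callback pushed through DATA, as proposed in the thread."""
    mta.rcpt_to(addr)
    return mta.data("verification probe").startswith("250")
```

Against this MTA, verify_at_rcpt returns the same answer for a real and a nonexistent user, while verify_at_data distinguishes them only by actually delivering a message to the real user, the side effect Yakov objects to.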


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


