On Mon, 1 Dec 2003 19:51, Hector Santos wrote:
> No, you got it. And you raise a very excellent possible solution which I
> like because it doesn't technically change the SMTP protocol. It now
> becomes a functional requirement.
...
> Compliant servers must support VRFY as a way to validate return address.

I don't see how this, on its own, overlaps with a proposal like LMAP. If host
X sends us mail with "MAIL From:<user@Y>", then we ask an MX for Y to
"VRFY user@Y", all we have determined is whether <user@Y> is a "valid"
address, for some loose definition of "valid". (One of my domains has a
catch-all address in force at the moment anyhow, so *every* syntactically
valid address is a "valid mailbox".) Critically, what we have *not*
determined is whether host X is *authorised* to represent that address. That
is what LMAP attempts to ascertain.

The reinstatement of VRFY would potentially give spammers a good way of
evaluating their address lists. A spammer could also probe around for a
verifiable address to use in the "MAIL From:" part of the dialogue. In the
absence of an LMAP-type authorisation mechanism, this strikes me as a rather
bad thing.

Is your response to this a challenge/response type scenario, where the
(known-to-be-valid) return address is sent a message asking for confirmation?
This is a nasty burden on the victim of fraud. We need the LMAP-type
authorisation mechanism to act as a first-pass filter to reject blatant
frauds.

Or perhaps I've missed your point. I haven't had the time to fully analyse all
the messages on this list in the last couple of days.

Regards,
TFBW
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
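
The distinction drawn in the message above, as an added example that is not part of the original thread: a receiving server's two possible checks on "MAIL From:", one answering "does this mailbox exist?" (what a VRFY callback can tell us) and one answering "may this host send for this domain?" (what an LMAP-type mechanism would tell us). The domains, addresses, the `AUTHORISED_SENDERS` table and all function names are constructed for illustration; in-memory tables stand in for the SMTP and DNS lookups, and LMAP's actual record format is not modelled.

```python
import ipaddress

# Constructed sample data; stands in for what a VRFY query to each domain's MX would answer.
MAILBOXES = {
    "example.org": {"users": {"alice", "bob"}, "catch_all": False},
    "example.net": {"users": {"postmaster"}, "catch_all": True},  # catch-all domain
}

# Hypothetical LMAP-type data: networks each domain declares as its legitimate senders.
AUTHORISED_SENDERS = {
    "example.org": ["192.0.2.0/28"],
    "example.net": ["198.51.100.25/32"],
}


def split_address(address):
    """Split user@domain; local parts are compared case-insensitively for simplicity."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return local.lower(), domain.lower()


def vrfy_says_valid(address):
    """Validity only: the mailbox exists, or the domain accepts everything."""
    local, domain = split_address(address)
    entry = MAILBOXES.get(domain)
    if entry is None:
        return False
    return entry["catch_all"] or local in entry["users"]


def host_is_authorised(client_ip, address):
    """Authorisation: is the connecting host inside a network the domain declared?"""
    _, domain = split_address(address)
    ip = ipaddress.ip_address(client_ip)
    nets = AUTHORISED_SENDERS.get(domain, [])
    return any(ip in ipaddress.ip_network(net) for net in nets)


def evaluate(client_ip, mail_from):
    """Run both checks for one SMTP envelope and report them side by side."""
    return {
        "vrfy_valid": vrfy_says_valid(mail_from),
        "host_authorised": host_is_authorised(client_ip, mail_from),
    }


if __name__ == "__main__":
    for ip, sender in [("192.0.2.5", "alice@example.org"),
                       ("203.0.113.7", "alice@example.org"),
                       ("203.0.113.7", "no-such-user@example.net")]:
        print(ip, sender, evaluate(ip, sender))
```

The second and third envelopes pass the validity check while coming from a host the domain never listed, which is the gap the message describes.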