ietf-asrg

Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)

2004-03-30 16:34:19
On Mon, Dec 01, 2003 at 03:51:40AM -0500, Hector Santos wrote:

> Compliant servers must support VRFY as a way to validate return address.

(BTW, "must be valid" and "must be verifiable" are two different
things.)

There are various legitimate situations in which VRFY or RCPT TO
verification wouldn't presently work.  These would have to be solved.
For example:

- UUCP (mentioned elsewhere in this long thread.)  The host system
  doesn't have any chance of verifying users behind the UUCP connection.
  You'd get false positives here.

- As with UUCP, other sorts of disconnected delivery systems where the
  receiving MTA doesn't know anything about the usernames attached to
  a domain.  e.g. the user who has a catchall box for all
  *@example.com addresses, who periodically accesses that box and
  applies local filtering rules.  The user who just has a single
  maildrop from which mail is retrieved via something like fetchmail
  (or a number of equivalents).  Again, false positives.

- The recipient address that is only valid under certain circumstances
  (e.g. graylisted, or firewalled such that it only accepts mail from
  certain sources, or has a filter installed such that it only
  accepts mail from certain senders).  False negatives here.

- The system that accepts all mail so that it can update its
  'corpus' of spam mail.  False positives.

That's just a few.  A more imaginative mind can probably think of
many others.

Maybe they can be solved by extending the capabilities of VRFY,
but I doubt they can be solved by changing usage behaviour.
What would be another way?

-mm-

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
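
The cases listed in the message, worked as an added example that is not part of the original post: a classifier for the SMTP reply codes (RFC 2821 meanings) a server returns for the address being checked and for a control address assumed not to exist. The scenario replies are constructed, and `classify`, `SCENARIOS` and the control-address comparison are assumptions of this example.

```python
# Added example: interpret SMTP replies to an address-verification probe.
# Reply-code meanings follow RFC 2821; scenario data is constructed.

ACCEPT = {250, 251}          # address accepted / will be forwarded
NO_ANSWER = {252, 500, 502}  # "cannot VRFY" or command not implemented


def classify(target_code, control_code=None):
    """Return a verdict for the address being checked.

    control_code is the reply the same server gave for a local part that
    is assumed not to exist; it exposes hosts that accept everything.
    """
    if target_code in NO_ANSWER:
        return "unverifiable"          # server declines to say
    if 400 <= target_code < 500:
        return "retry-later"           # temporary failure, not a verdict
    if target_code in ACCEPT:
        if control_code in ACCEPT:
            return "unverifiable"      # host accepts any local part
        return "verified"
    if 500 <= target_code < 600:
        return "rejected"              # may still be valid for other senders
    return "unverifiable"


# Constructed (target, control) replies for the cases in the message.
SCENARIOS = {
    "ordinary mailbox":        (250, 550),
    "UUCP gateway":            (250, 250),
    "catch-all maildrop":      (250, 250),
    "spam-corpus collector":   (250, 250),
    "greylisted recipient":    (451, 451),
    "sender-filtered address": (550, 550),
    "VRFY disabled":           (252, 252),
}


def report():
    """Map each constructed scenario to its verdict."""
    return {name: classify(t, c) for name, (t, c) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:26} {verdict}")
```

Only the ordinary mailbox comes out "verified"; the sender-filtered address is reported "rejected" although it exists, which is the false-negative case from the list above.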


