After consideration and reconsideration I've come to the conclusion
that delayed rejection to hide the user list is much like security
through obfuscation -- it is too easily defeated.
I agree - and furthermore, if you defer rejection until after the data,
it is approximately as hard to abuse as accept-and-bounce. (It does
require a little care with 4xxing RCPTs to preserve protocol
conformance while making it nontrivial to game, but that can be done.)
Yes, rejecting after data burns bandwidth to carry the body - but
accept-and-bounce is even worse.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
mouse(_at_)rodents(_dot_)montreal(_dot_)qc(_dot_)ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg