Re: [Asrg] pre-rfc thought balloon: ESMTP DATAFIRST

2006-06-05 17:38:59

DATAFIRST seems like a great tool for a DHA (directory harvesting attack):
here's an innocent-seeming email, and here's the million possible recipients
for it...

How about a compromise, something like a NOACK?  After the DATA, the
receiving server replies only that it did/did not receive the message,
without any information to the sender whether any given recipient will
receive the message.  Probably should add a message type that says "message
received, but none of the recipients are valid", so the sender won't send to
that domain any more.  Think about multicast IP (IGMP, PIM, DVMRP, etc) as a

- The upside: less traffic, since the message is only sent once (by
"responsible" senders).

- The compromise: those senders don't get feedback on whether the addresses
are valid.  For mailing list maintainers, there's nothing to allow them to
prune their lists.  However, for spammers, there's no feedback for DHA

- The downside: senders who really really want that address-level feedback
will still send individually.

Perhaps this "downside" would still be a good thing, as senders who still
choose to send individually will suffer reputation harm.

It's also possible that extensions of this kind could encourage more spam
messages to be sent, since receiving MTAs which adopt the extension could
increase the recipient limits.  OTOH, receiving MTAs might just quietly
discard the messages with the same limits as before.  This would make for an
interesting model in game theory.


On 6/5/06, David Nicol <davidnicol(_at_)gmail(_dot_)com> wrote:

...If you had a list
of, say, every potential coca-cola drinker at AOL, switching to a
sequence would allow you to put the ad in first and then chase it with the
mailing list...
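To make the information-leak argument in the post concrete, here is a small model (added here; not code from the ASRG thread or from any MTA) of the two reply styles: classic per-recipient RCPT TO replies versus a single aggregate reply after DATA along the lines of the NOACK idea. The reply codes used for the aggregate mode, the mailbox names and the probe list are all constructed for the example. The point it shows is what a sender can infer about each address from the replies it gets back: the per-recipient mode confirms or denies every address individually, while the aggregate mode only ever reveals whether at least one recipient existed.

```python
"""Model of per-recipient SMTP feedback versus an aggregate NOACK-style reply.

Added example, not code from the ASRG thread.  The reply text for the
aggregate mode and all mailbox names are assumptions made for illustration.
"""

from dataclasses import dataclass, field

# Constructed sample directory for the receiving domain.
VALID_MAILBOXES = {"alice", "bob", "carol"}


@dataclass
class ReceivingMTA:
    valid: set = field(default_factory=lambda: set(VALID_MAILBOXES))
    mode: str = "per-recipient"  # "per-recipient" (classic) or "noack"

    def rcpt(self, local_part: str) -> str:
        """Reply to RCPT TO.  Classic SMTP answers per address."""
        if self.mode == "per-recipient":
            return "250 OK" if local_part in self.valid else "550 No such user"
        # NOACK-style: accept every recipient without saying whether it exists.
        return "250 OK"

    def data(self, recipients: list) -> str:
        """Reply after DATA.  In NOACK mode this is the only feedback sent."""
        if self.mode == "per-recipient":
            return "250 Message accepted"
        if not any(r in self.valid for r in recipients):
            # Assumed reply for "received, but none of the recipients are valid",
            # the extra message type the post suggests adding.
            return "553 Message received, no valid recipients"
        return "250 Message received"


def sender_inference(mta: ReceivingMTA, recipients: list) -> dict:
    """What the sender can conclude about each probed address from the replies.

    True  -> confirmed valid, False -> confirmed invalid, None -> unknown.
    """
    rcpt_replies = {r: mta.rcpt(r) for r in recipients}
    data_reply = mta.data(recipients)
    if mta.mode == "per-recipient":
        return {r: reply.startswith("250") for r, reply in rcpt_replies.items()}
    # Aggregate mode: a 250 only says "at least one existed"; the per-address
    # status stays unknown.  The "none valid" reply confirms all are invalid.
    if data_reply.startswith("250"):
        return {r: None for r in recipients}
    return {r: False for r in recipients}


def addresses_resolved(inference: dict) -> int:
    """Number of addresses whose validity the replies settled either way."""
    return sum(1 for status in inference.values() if status is not None)


if __name__ == "__main__":
    probe = ["alice", "zed", "bob", "nobody"]  # constructed probe list
    for mode in ("per-recipient", "noack"):
        result = sender_inference(ReceivingMTA(mode=mode), probe)
        print(f"{mode:14s} resolved {addresses_resolved(result)}/{len(probe)}: {result}")
```

Running it shows the per-recipient mode settling all four probed addresses, while the aggregate mode settles none when at least one recipient exists; this is the trade-off the post describes, where list maintainers lose pruning feedback and the receiving side gives up nothing per address.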
