Re: stupid SMTP rejection of spammers

2001-06-15 14:48:39

Patrik Fältström <paf(_at_)cisco(_dot_)com> writes:

But, what I have been forced to help some large companies in Sweden with
is a setup where they have one mail host which the MX refers to, and that
host accepts any local part (but only their domain name). The host is then
relaying the mail to some internal host(s) which might give back a 5xx
response. The bounce is going to the envelope sender address, which is
the real target for something which can be seen as something between DOS
and spam attack.

I'm pretty strongly of the opinion that this is a valid e-mail
configuration.  It's unfortunate that it opens up the possibility of a
mailbomb by proxy, but under most circumstances it doesn't serve as a
magnifier, and therefore really isn't much worse than a direct mailbomb.
Most anything you can do this way you can also do by just mailing the
victim directly, so as long as there are full trace headers included, I
don't see a significant increase in abuse potential.

SMTP is inherently abusable by design, unfortunately.

There are good reasons to want to accept the mail and generate a separate
bounce rather than denying the message at the SMTP layer.  One reason is
security partitioning on the mail server; if you want to make the
network-exposed code as simple as possible, putting in code to determine
what addresses are valid in an arbitrarily complex and fast-changing
system behind the listener probably isn't a good idea.  Another reason is
to return more information than is possible with a 550 error at the SMTP
level, such as providing near-match directory information against the set
of directory entries where the user has chosen to make that information
public (this is what we do).

I do agree that such systems should have rate limiting on the bounces
they're willing to send back, but saying that it's an inherently bad mail
design goes too far in my experience.

Russ Allbery (rra(_at_)stanford(_dot_)edu)
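
The rate limiting on bounces suggested in the message above, as an added example that is not part of the original post or of any particular MTA: a token bucket keyed by the address that would receive the bounce, applied to 5xx results coming back from the internal host. The rate, burst size, names and sample addresses are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BounceLimiter:
    """Token bucket per bounce recipient (envelope sender of the failed mail)."""
    rate: float = 1 / 60   # assumed refill: one bounce per minute per address
    burst: int = 3         # assumed bucket size
    buckets: dict = field(default_factory=dict)  # addr -> (tokens, last_seen)

    def allow(self, envelope_sender: str, now: float) -> bool:
        # A null reverse-path means the failed mail was itself a bounce;
        # never generate a bounce in reply to one.
        if envelope_sender in ("", "<>"):
            return False
        # Lowercasing the key is a conservative choice for limiting only.
        key = envelope_sender.strip("<>").lower()
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True


def process_failures(failures, limiter):
    """failures: (timestamp, envelope_sender, rcpt, smtp_code) tuples
    reported by the internal host the front-end relays to."""
    sent, suppressed = [], []
    for ts, sender, rcpt, code in failures:
        if not 500 <= code <= 599:
            continue  # only permanent failures produce a bounce
        bucket = sent if limiter.allow(sender, ts) else suppressed
        bucket.append((ts, sender, rcpt))
    return sent, suppressed


# Constructed sample: a burst of mail to random local parts with one forged
# envelope sender, plus a null sender, a legitimate typo and a 4xx result.
SAMPLE = [(t, "victim@example.org", f"user{t}@corp.example", 550)
          for t in range(10)]
SAMPLE += [(5, "<>", "nobody@corp.example", 550),
           (6, "alice@example.net", "bbo@corp.example", 550),
           (7, "alice@example.net", "bob@corp.example", 451)]

if __name__ == "__main__":
    sent, suppressed = process_failures(SAMPLE, BounceLimiter())
    print(len(sent), "bounces sent;", len(suppressed), "suppressed")
```

Suppressed bounces should still be logged with full trace information so that the forged-sender burst remains visible to the operator.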