
Re: Do the must 'bounce' rules need to be relaxed for virus.

2004-03-24 08:51:04
On Tue, 23 Mar 2004 16:56:25 PST, Daryl Odnert 
<daryl(_dot_)odnert(_at_)tumbleweed(_dot_)com>  said:

I respectfully disagree.  My feeling is that there is no reason that the
SMTP protocol should guarantee that a notification will be sent for every
message that is not delivered, except when the MAIL FROM address has been
spoofed.  I think that if we're going to change the protocol, it should
recognize the reality that sometimes messages are dropped for local policy
reasons.  This practice should be discouraged, except when the server can
determine that messages are malicious or deceitful.

Some of us also worry about information leakage in bounces - many sites have
already disabled VRFY and EXPN, and bounces leak the same information, just
more slowly, and consuming more of your resources while it does it.
