At 15:20 -0400 on 06/28/2005, Hector Santos wrote about Re: Bounce/System Notification Address Verification:
> > to do so would allow a spammer to send you a MAIL FROM/RCPT TO on a
> > first connection, then once the callback shows up, use *that*
> > information to create what looks like a "callback to a callback",
> > but proceed to the DATA step. Whoops.. ;)
> You are going to have to explain that line of thought..
> Spammer starts a session:
> MAIL FROM: <spammer>
> RCPT TO: <local user>
> CBV is started before RCPT TO response is issued: At the spammer host:
> MAIL FROM: <>
> RCPT TO: <spammer>
> What happens now? Spammer does a call back to where?
Since we were talking about the Verizon CBV, that Mail From will be
from <antispam579542@west.verizon.net>, so the spammer will do his CBV
to that address. The correct response (as I noted) by Verizon would
be to send a "Valid Address" response back. If this was real CBV, the
next step would be a QUIT (to drop the connection). Since we are
seeing what would occur since we are a spammer, a DATA is sent
instead. In that case, Verizon SHOULD respond by dropping the
connection (or sending a rejection code reply and drop the connection
if the next response is not QUIT or RSET).
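As an added illustration (not part of this thread), the receiving-MTA behaviour described above modelled in Python: an inbound session may probe the site's verification-only sender address with MAIL FROM:<> / RCPT TO:<...> and gets a "valid address" reply, but a DATA that follows is refused and the connection closed. The address lists and the exact reply strings are assumptions, not Verizon's real configuration.

```python
import re

ADDR_RE = re.compile(r"<([^>]*)>")


class SmtpReceiver:
    """One inbound SMTP session on an MTA that also originates CBV probes."""

    def __init__(self, mailboxes, cbv_senders):
        self.mailboxes = {a.lower() for a in mailboxes}      # real local users
        self.cbv_senders = {a.lower() for a in cbv_senders}  # probe-only addresses
        self.rcpts = []
        self.closed = False

    def handle(self, line):
        """Return the SMTP reply for one client command line."""
        if self.closed:
            raise ConnectionError("peer already disconnected")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        m = ADDR_RE.search(arg)
        addr = m.group(1).lower() if m else None
        if verb == "MAIL":
            self.rcpts = []
            return "250 OK"
        if verb == "RCPT":
            # A callback to our own CBV sender address must be confirmed valid,
            # otherwise remote sites verifying our bounces would reject them.
            if addr in self.mailboxes or addr in self.cbv_senders:
                self.rcpts.append(addr)
                return "250 OK"
            return "550 No such user"
        if verb == "RSET":
            self.rcpts = []
            return "250 OK"
        if verb == "QUIT":
            self.closed = True
            return "221 Bye"
        if verb == "DATA":
            # A genuine callback never goes past RCPT; mail for the probe
            # address is refused and the session dropped.
            if any(r in self.cbv_senders for r in self.rcpts):
                self.closed = True
                return "554 No mail accepted for verification address; closing"
            return "354 Send data" if self.rcpts else "503 Need RCPT first"
        return "500 Unrecognized command"


def run_session(receiver, commands):
    """Feed client lines until the server closes; return the replies seen."""
    replies = []
    for cmd in commands:
        replies.append(receiver.handle(cmd))
        if receiver.closed:
            break
    return replies
```

Constructed sessions (a real CBV ending in QUIT, and one that tries DATA instead) are exercised in the accompanying checks; the second stops at the 554 reply because the receiver has closed the connection.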