ietf-smtp

Re: Bounce/System Notification Address Verification

2005-06-30 14:03:52


----- Original Message -----
From: "Bruce Lilly" <blilly(_at_)erols(_dot_)com>


A check on a *random* mailbox has zero value because a client cannot
tell whether a supposedly-random local part is or is not a valid
mailbox on a remote system.

Bruce,

Let's put the CBV aside.

When you are considering "security" as we are today, will an MSA or MDA
accept a relay or route request for unauthorized sessions?

Theoretically, sure. It's possible. 100% and if you want to operate that way,
you could.

But in today's environment, it is considered a mode of operation that helps
spammers, especially the Sobig-based eVirus which emphasizes open relay
or delay validation systems to exploit the bounce distribution.

Most systems realize this and don't operate in this way.

Let's go to your system to see if you run a secured, non-open relay system:

220 mx02.mrf.mail.rcn.net ESMTP
helo hdev1
250 mx02.mrf.mail.rcn.net
mail from: <>
250 sender <> ok
rcpt to: <asdsadasdsadasda(_at_)adssadsada(_dot_)com>
550 #5.1.0 Address rejected.
rcpt to: <hsantos(_at_)santronics(_dot_)com>
550 #5.1.0 Address rejected.

No, you are secured. You don't accept random addresses, but it is probably
because you are only checking for local users and/or hosted domains.

Nor can it tell if a supposedly-random
domain name is also legitimately handled by the same MX host, at least
not without doing a separate MX lookup or having equivalent out-of-band
information.

I don't believe this matters Bruce.

Just like any MTA going to the MDA, or a MUA to a MSA, the CBV (MTA) is
going to the MDA to simulate the delivery of a message at the mail host
responsible for the return path address.

If this unauthorized session CBV, MTA or what have you, is allowed to
submit a non-local domain address, then this MDA is an open relay regardless
of how the system is operating with delay validation, and say, this is not
the operation the world desires due to the multi-billion cost in damages and
repercussions it has on the industry.

I don't dispute how a system can be configured to operate as you say, but an
unauthorized relay attempt is not the BCP.

I did learn one new trick that I think I will implement and explore - flip
it around, test the random address first. If accepted, it is operating in an
open relay behavior.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
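
The "test the random address first" ordering from the message above, as an added example that is not part of the original post or of any Santronics code. The function names, the verdict strings, the use of the reserved .invalid TLD for the random address and the placeholder return path user@example.org are all assumptions made for illustration.

```python
import secrets
import smtplib

def random_probe():
    # Constructed address under the reserved .invalid TLD (assumption), so it
    # can never be a local user or hosted domain on the host being checked.
    return f"cbv-{secrets.token_hex(6)}@{secrets.token_hex(6)}.invalid"

def classify(code):
    """Map an SMTP reply code to accept / tempfail / reject."""
    if 200 <= code < 300:
        return "accept"
    return "tempfail" if 400 <= code < 500 else "reject"

def cbv(rcpt, return_path):
    """rcpt(addr) -> SMTP reply code for RCPT TO, sent after MAIL FROM:<>."""
    first = classify(rcpt(random_probe()))
    if first == "accept":
        # Random non-local address accepted: open-relay behaviour (or delayed
        # validation), so a 250 for the real address would prove nothing.
        return "open-relay-behaviour"
    if first == "tempfail":
        return "retry-later"
    verdicts = {"accept": "valid", "tempfail": "retry-later", "reject": "invalid"}
    return verdicts[classify(rcpt(return_path))]

def cbv_live(mx_host, helo_name, return_path):
    """Run the same check in one real session with a null sender."""
    with smtplib.SMTP(mx_host, 25, timeout=15) as s:
        s.helo(helo_name)
        s.mail("")  # smtplib sends this as MAIL FROM:<>
        return cbv(lambda addr: s.rcpt(addr)[0], return_path)

def replay(codes):
    """Offline stand-in for a session: answers RCPT TO from a constructed list."""
    it = iter(codes)
    return lambda addr: next(it)

if __name__ == "__main__":
    # Constructed reply sequences: [random probe, real return path]
    for codes in ([550, 250], [550, 550], [250], [451]):
        print(codes, cbv(replay(codes), "user@example.org"))
```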