Re: draft-klensin-rfc2821bis-04: VRFY and EXPN syntax

[I normally try to avoid following up to myself on a mailing-list, 
 but I think this matter is independent of a reformulation of section
 3.5.1, so this is in a separate message]

On 2007-07-16 09:46:48 +0200, Peter J. Holzer wrote:
>    The string argument is used to identify a user, a mailbox or a
>    mailing-list.  An implementation of the VRFY or EXPN commands MUST at
>    least recognize the exact names of local mailboxes in the standard
>    "local-part(_at_)domain" format (see Section 2.3.11).  Hosts MAY also
>    choose to recognize other strings, for example the mailbox address
>    enclosed in angle brackets, the local part of an address or a
>    substring of the full name of the user owning the mailbox.
Speaking of local mailboxes and user names, I think it is extremely
inadvisable to let VRFY return a list of real addresses on a partial
match. If "VRFY john" returns a list of all addresses of users whose
first or last name is John, it is simple to harvest addresses.

So, section 7.3 should warn about this possibility, maybe by adding the
following paragraph after the last:

    The specification of the VRFY command allows (but does not require)
    that all addresses matching the string argument are returned in a
    553 response. This may be used to harvest addresses by searching for
    common names (see examples in section 3.5.1). If an implementation
    supports recognition of anything except exact mailbox addresses,
    it SHOULD provide for a way to disable this feature. I.e., there
    SHOULD be a mode in which VRFY can only be used to determine if an
    exact address does or does not exist, but not to retrieve additional
    addresses.

        hp





-- 
   _  | Peter J. Holzer    | I know I'd be respectful of a pirate 
|_|_) | Sysadmin WSR       | with an emu on his shoulder.
| |   | hjp(_at_)hjp(_dot_)at         |
__/   | http://www.hjp.at/ |    -- Sam in "Freefall"

signature.asc
Description: Digital signature