Hi Peter,
At 01:15 16-07-2007, Peter J. Holzer wrote:
> Speaking of local mailboxes and user names, I think it is extremely
> inadvisable to let VRFY return a list of real addresses on a partial
> match. If "VRFY john" returns a list of all addresses of users whose
> first or last name is John, it is simple to harvest addresses.
That would only be a problem if VRFY is not restricted. Section
3.5.2 states that VRFY is not required to work across
relays. Section 3.5 is about commands for debugging
addresses. There is already a warning about disabling these commands
for security reasons.
"In many cases, RCPT commands can be used to obtain the same
information about address validity."
Regards,
-sm
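
Added example, not part of the original message or of any mail server's code: a sketch of a VRFY reply policy that combines both points in this exchange, restricting VRFY to trusted clients and never listing candidates on a partial match. The mailbox table, the `client_is_trusted` flag and the function name are assumptions; the reply codes 250, 252, 501, 550 and 553 are the ones RFC 5321 defines.

```python
# Constructed sample directory: local part -> (full name, mailbox).
MAILBOXES = {
    "jsmith": ("John Smith", "jsmith@example.org"),
    "jdoe": ("John Doe", "jdoe@example.org"),
    "akhan": ("Aisha Khan", "akhan@example.org"),
}


def vrfy_reply(argument, client_is_trusted, mailboxes=MAILBOXES):
    """Return the SMTP reply line for 'VRFY <argument>'.

    client_is_trusted is a hypothetical flag set by the server itself, for
    example for authenticated sessions or connections from an admin network.
    """
    # Restricted VRFY: everyone else gets 252, which neither confirms nor
    # denies the address, so the reply carries no directory information.
    if not client_is_trusted:
        return "252 Cannot VRFY user, but will accept message and attempt delivery"

    query = argument.strip().strip("<>").lower()
    if not query or len(query) > 254:
        return "501 Syntax error in parameters or arguments"

    # Exact match on the local part or the full address: safe to confirm.
    for local, (name, address) in mailboxes.items():
        if query in (local, address):
            return f"250 {name} <{address}>"

    # Match on a first or last name only: report ambiguity, but never
    # return the list of matching mailboxes (the "VRFY john" case).
    if any(query in name.lower().split() for name, _ in mailboxes.values()):
        return "553 User ambiguous"

    return "550 No such user here"


if __name__ == "__main__":
    for arg, trusted in [("john", False), ("john", True), ("jsmith", True)]:
        print(f"VRFY {arg!r} trusted={trusted}: {vrfy_reply(arg, trusted)}")
```

As the quoted sentence about RCPT notes, a policy like this covers only VRFY; RCPT replies need their own handling.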