On Thu, Mar 11, 2004 at 03:53:55AM -0500, Hector Santos wrote:
> > Are you by any chance doing dynamic RCPT validation _without_ making sure
> > the RHS is valid?
> Yes, but all validation including the return path is suspended until the
> RCPT is determined.
[snip]
OK, I'm not writing clearly enough. Rephrase:
If you receive "mail from: <user@RHS>" will you be doing a validation
call back (mail from:<whatever>; rcpt to:<user@RHS>) without having
checked that the domain RHS allows ip address a.b.c.d to use that RHS?
If not, you will be probing innocent victims.
Why do I ask? You were reasoning the spammer could use an invalid username
at an authorized RHS. Then you talked about rcpt validation.
mail from:<spammer@RHS> SPF checking... +all ==> OK
rcpt to:<victim@yourdomain> rcpt checking... "victim" does exist
response: go ahead
Even at this stage things could go wrong. Maybe not in your product but
there will be setups where at a later stage it is decided the message
cannot be delivered, or it is delayed, or ..., or ..., or ...
Sending the bounce back to <spammer@RHS> may result in a double bounce,
unless verification was done (probe to <spammer@RHS>). From the
combination of sentences you used, I understood you _are_ probing the
local part of the remote RHS.
cheers,
Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
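
The ordering discussed in this message, as an added example that is not part of the original e-mail: a receiver that permits a callback probe to the sender address only after the RHS has authorized the connecting IP address. The SPF evaluator handles only the `ip4` and `all` mechanisms, and the records, addresses and the `probe` hook are constructed assumptions.

```python
import ipaddress

# Constructed SPF records (documentation domains and address ranges only).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "open.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, domain, records=SPF_RECORDS):
    """Evaluate the ip4 and all mechanisms only (a small subset of SPF)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def handle_mail_from(client_ip, mail_from, probe):
    """Decide at MAIL FROM whether a callback probe to the sender is allowed.

    probe(address) -> bool stands in for the SMTP callback (hypothetical hook).
    It is called only when the RHS authorizes client_ip, so a forged RHS
    never causes a connection to an uninvolved domain's mail server.
    """
    _local, _, rhs = mail_from.rpartition("@")
    result = spf_result(client_ip, rhs)
    if result != "pass":
        return {"spf": result, "probed": False, "sender_ok": None}
    return {"spf": result, "probed": True, "sender_ok": probe(mail_from)}
```

With the `+all` record every client IP passes, so the probe is the only step that notices an invalid local part at that RHS.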