spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-13 10:45:38

----- Original Message ----- 
From: <list+spf-discuss(_at_)doeblitz(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, March 13, 2004 11:43 AM
Subject: Re: [spf-discuss] Latest proposal re HELO checking: make HELO tests
optional


--On Thursday, March 11, 2004 20:42:54 -0500 Hector Santos
<winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:
[...]
Why is your RCPT TO response never coming back?   We have a 35 second time
out on that.  Could be set longer but you are the FIRST I've seen that
has a problem like this.

It is not my system, but you seem to be very impatient. ;-)

RFC2821 states with regard to timeouts:
  RCPT Command: 5 minutes
     A longer timeout is required if processing of mailing lists and
     aliases is not deferred until after the message was accepted.

That's true, but you can't use the same timeouts for a CBV.  And even if it
did way CBV, your end would expire.  So what's the point of the delay?  It
makes no sense (see below).  At a minimum, a 45x response would be the other
possibility.

BTW: I do not like that kind of behaviour by a receiving mail system. If
you want to send a bounce, ok, just send it. But probing for addresses
will get you a permanent IP-address block on our firewall as soon as I
notice it in the logfiles. I regard it as a preliminary action to a spam
run or (d)DOS attack.

But it isn't and that only means that your mail will never be accepted when
you try to send this way.

In my technical view, an anti-probing logic should be for multiple RCPT, not
on the first RCPT and fortunately, the majority of responsible mail systems
don't operate that way. It would kill the system.  Look at it this way, RFC
2821 says you must accept the local message anyway (for null return paths),
so what's the point of delaying it?    All you are doing is hurting innocent
victims.

If you want to stop the probes, add Multi-line Greeting responses.  You will
instantly stop at least 40-50% of your probes.

Finally, of course,  the whole point of adding LMAP to CBV systems is to
avoid the CBV as much as possible.  So he could have simply added an SPF
record and it would have been a non-issue.    The point is, the CBV is the
ultimate test to satisfy that return path is valid, and in our design,  SMTP
COMPLIANCY is a must,  those that fail to comply, will not get in. It's as
simple as that.  I don't buy that idea as some have put it "the return path
is only valid when it needs to be used."   Well, that doesn't make sense at
all. It is presumed to be valid for a bounce, then it better be valid at the
moment it is presented.   Not after the fact.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
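
The flow argued for in the message above (an SPF/LMAP pass skips the callback, otherwise the return path is probed with a null sender under the 35-second timeout) can be sketched as follows. This is an added example, not part of the original message and not Santronics code; the function name, the `spf_result` input and the mapping of outcomes to 250/451/550 replies are assumptions.

```python
import smtplib

CBV_TIMEOUT = 35  # seconds: the callback timeout quoted in the message above


def check_return_path(spf_result, mx_host, return_path,
                      timeout=CBV_TIMEOUT, smtp_factory=smtplib.SMTP):
    """Return (reply_code, reason) for an inbound MAIL FROM.

    spf_result   -- result string of a prior SPF/LMAP check (hypothetical input)
    mx_host      -- MX host of the return-path domain, resolved by the caller
    smtp_factory -- injectable so the logic can be exercised without a network
    """
    if spf_result == "pass":
        # LMAP already vouches for the sending host, so no callback is made.
        return 250, "SPF pass, callback skipped"
    try:
        conn = smtp_factory(mx_host, 25, timeout=timeout)
    except OSError:  # refused connections and connect timeouts
        return 451, "callback connection failed"
    try:
        conn.helo()
        code, _ = conn.mail("")  # null return path: MAIL FROM:<>
        if 200 <= code < 300:
            code, _ = conn.rcpt(return_path)
    except OSError:  # socket timeouts and SMTPServerDisconnected
        return 451, "callback timed out or was dropped"
    finally:
        try:
            conn.quit()  # the callback never sends DATA
        except OSError:
            pass
    if 200 <= code < 300:
        return 250, "return path accepted by its own MX"
    if 400 <= code < 500:
        return 451, "return path temporarily unverifiable"
    return 550, "return path rejected by its own MX"
```

A remote MX that delays its RCPT reply past the timeout, as in the case discussed in this thread, ends in the 451 branch of this sketch.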
