spf-discuss

Re[2]: Informal request for comments (a new SMTP-CBV protocol)

2004-06-22 02:46:00
On Tue, 22 Jun 2004, Chris Drake wrote:
> Tuesday, June 22, 2004, 12:29:11 AM, Tony wrote:
>
> TF> Note that this protocol doesn't prevent joe jobs, because the
> TF> forger won't advertise ChrisDrakeCBV regardless of whether the
> TF> forged domain normally would.
>
> The forged domain gets the opportunity to advertise its CBV support
> in response to the VRFY command given to the VMTA (which can't happen
> if SPF is also supported, since the joe-job would not have been
> acceptable enough to trigger a CBV anyhow).

So if the recipient does a CBV anyway, what's the advantage over
properly specifying plain CBV?

> Prevents dictionary attacks, since the RMTA can verify the sender
> before letting the attacker know if the recipient exists, and (if the
> attacker speaks SMTP-CBV) gives the RMTA a "constant" (the VMTA IP
> address) to use for throttling attack speed.
>
> TF> This paragraph disagrees with the protocol you described.
>
> How so?

The protocol you described performs the CBV between DATA and its response,
which is after the oMTA has found out about the recipients.

-- 
Tony Finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
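A small model of the timing point made in this reply, added here as an illustration and not code from the thread or from the proposed protocol. The recipient table, the probed local parts and the "before_reveal" ordering are constructed for the example; "at_data" follows the quoted description of running the CBV between DATA and its response, after every RCPT TO has already been answered.

```python
# Added model of the recipient-disclosure timing discussed in the thread;
# not code from spf-discuss or from the proposed protocol. Recipient list
# and local parts are constructed for the illustration.
from dataclasses import dataclass, field

KNOWN_RECIPIENTS = {"alice", "bob"}  # constructed mailbox table of the RMTA


@dataclass
class Session:
    """One SMTP transaction as seen by the receiving MTA (RMTA)."""
    cbv_timing: str               # "at_data" (as quoted) or "before_reveal" (hypothetical)
    sender_passes_cbv: bool       # outcome the callback to the VMTA would give
    verified: bool = False
    rcpts: list = field(default_factory=list)
    leaked: set = field(default_factory=set)  # existence answered before any CBV

    def rcpt_to(self, local: str) -> str:
        if self.cbv_timing == "at_data":
            # The 250/550 reply itself tells an unverified sender whether
            # the mailbox exists; the CBV has not happened yet.
            self.leaked.add(local)
            if local not in KNOWN_RECIPIENTS:
                return "550 5.1.1 no such user"
            self.rcpts.append(local)
            return "250 OK"
        # Hypothetical ordering: answer neutrally, decide after verifying the sender.
        self.rcpts.append(local)
        return "250 OK"

    def data(self) -> str:
        # In both orderings the sender is verified no later than here.
        self.verified = self.sender_passes_cbv
        if not self.verified:
            return "550 5.7.1 sender verification failed"
        unknown = [r for r in self.rcpts if r not in KNOWN_RECIPIENTS]
        if unknown:
            return "550 5.1.1 no such user: " + ",".join(unknown)
        return "250 queued"


def dictionary_probe(timing: str, guesses, sender_passes_cbv: bool):
    """Probe several local parts in one session; return (replies, leaked_count)."""
    s = Session(timing, sender_passes_cbv)
    replies = [s.rcpt_to(g) for g in guesses]
    replies.append(s.data())
    return replies, len(s.leaked)
```

With "at_data" an unverified sender learns which of its guesses exist from the RCPT replies alone; with the deferred ordering the same probe learns nothing until the callback has succeeded.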