spf-discuss

Re: Unified SPF Algorithm (was: moving on from MARID)

2004-10-01 02:01:04

----- Original Message -----
From: "Danny Angus" <Danny_Angus(_at_)slc(_dot_)co(_dot_)uk>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Cc: <owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>; <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, October 01, 2004 4:29 AM
Subject: Re: [spf-discuss] Unified SPF Algorithm (was: moving on from MARID)


Rejecting based upon RCPT TO alone is a significant logical hole: it allows
automated address harvesters to poll an MTA with random addresses so that
they can build up a list of valid ones.

IMO, this is a red herring. Spammers market their business based on
promoting a mailing list that they can show the SMTP server accepting, not
rejecting. They tell potential customers that although they cannot
guarantee the user will read the mail, they can guarantee the mail will
be accepted.

If your system accepts all addresses, all you are doing is perpetuating bulk
mailers who can blast your system to get past stage 1 (SMTP) and take
their chances on getting past stage 2 (post-SMTP).

Never mind the fact that the new generation of Sobig-based email viruses love
systems that accept RCPT TO and the PAYLOAD.

Far better to validate upon receipt of all three, and reject with no notice
of what check failed.

If a transaction comes into my system for
Joe(_dot_)Blow(_at_)winserver(_dot_)com and Joe Blow doesn't exist, what else
needs to be logged other than a "does not exist" statement? The HELO and
MAIL FROM are automatically recorded as prior entities. What more is needed?