spf-discuss

Re: Is anyone else getting DoS'd by relay attacks?

2005-01-14 11:20:35
On Fri, 14 Jan 2005, Hannah Schroeter wrote:

>   MAIL FROM: <>
>   RCPT TO: <a@your.domain> ; this a isn't a signed envelope sender or so
>   RCPT TO: <b@your.domain> ; b *is* and the signature is valid

This is illegal for a DSN, and I immediately reject as soon as the
second rcpt is seen for a DSN.

> Local usernames? They can be dictionary scanned by using a non-empty
> MAIL FROM which is SPF unknown or pass, so you don't gain anything
> from not exposing them (by using a different 5xx reply than if the
> user wouldn't exist at all) if MAIL FROM is empty.

Good point.  I was following recommended practice for SES with CBV, but maybe
it is out of date.  I'll go back and review to make sure.  

-- 
              Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
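As an added example (not code from either poster, nor an implementation of the real SES tag format), here is a Python sketch of the two checks discussed in the thread: reject a second RCPT TO once a null-sender (DSN) transaction has one recipient, and accept a bounce only when the recipient local part carries a valid signed-envelope-sender tag. The tag layout `SES=<day>=<tag>=<local>`, the secret and the day-based expiry are constructed assumptions for illustration.

```python
import hmac
import hashlib

# Constructed example values: a real deployment uses a long random secret,
# and real SES encodes its tag differently than this simplified layout.
SECRET = b"constructed-example-secret"
TAG_LEN = 8


def _tag(day, local, domain, secret):
    """HMAC over the day counter and the original address, truncated for the tag."""
    msg = f"{day}:{local}@{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def ses_sign(local, domain, day, secret=SECRET):
    """Return a signed bounce address 'SES=<day>=<tag>=<local>@<domain>'."""
    return f"SES={day}={_tag(day, local, domain, secret)}={local}@{domain}"


def ses_verify(addr, today, secret=SECRET, max_age_days=7):
    """True only if addr carries an unexpired tag made with this secret."""
    local, _, domain = addr.rpartition("@")
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES" or not parts[1].isdigit():
        return False  # plain, unsigned local part (like 'a' in the thread)
    day, tag, orig_local = int(parts[1]), parts[2], parts[3]
    if not 0 <= today - day <= max_age_days:
        return False  # stale or future-dated tag
    return hmac.compare_digest(tag, _tag(day, orig_local, domain, secret))


class Envelope:
    """Tracks one SMTP transaction and applies the DSN rules from the thread."""

    def __init__(self, today, secret=SECRET):
        self.today, self.secret = today, secret
        self.sender, self.rcpts = None, []

    def mail_from(self, sender):
        """Empty string stands for MAIL FROM:<> (a DSN)."""
        self.sender, self.rcpts = sender, []
        return (250, "OK")

    def rcpt_to(self, rcpt):
        if self.sender == "":
            if self.rcpts:  # a DSN has exactly one recipient: reject the second
                return (550, "DSN with multiple recipients rejected")
            if not ses_verify(rcpt, self.today, self.secret):
                return (550, "bounce to unsigned address rejected")
        self.rcpts.append(rcpt)
        return (250, "OK")
```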