On Monday, Jul 14, 2003, at 19:01 US/Central, Gordon Messmer wrote:

> James A Baker wrote:
>> Anyway, as for RCPT vs. VRFY responses... You know some servers reject VRFY out of hand to cut down on address harvesting, right?
>
> Yes, and those that do generally just respond in the positive for all addresses. They also tend to give positive responses for non-existent addresses to the RCPT command, to prevent it from being used as a simple replacement for VRFY. I'm not sure that's always the case, though. I'd like to know if anyone can point out services that don't work this way.

Mine.


I have my Postfix install set up to reject all VRFY requests. And it will only give a positive response for RCPTs that it actually believes it can deliver.

Now admittedly, that does leave RCPT open (as you mentioned) as a replacement for VRFY. But with a limit on RCPTs per message (or a tar-pitting patch), I could cut down on that exploit _somewhat_ too, if it becomes a problem -- which it isn't currently.

<aside>
Of course, I'm not sure I really see the value of people just universally accepting RCPT's and just turning around and bouncing to a non-existent or deactivated box. It just creates more incoming mails and outgoing bounces... which to me, seems to actually exacerbate the spam problem, rather than helping it.


I mean, the real addresses still got harvested -- they got a valid response, right? -- but then there's all this extra mail out there too: the spams/bounces (and even double-bounces) for the invalid addresses that got harvested too. Right? *shrug* Doesn't seem helpful to me.
</aside>


But, you're right. A lot of other systems are configured to just say yes or no universally to RCPT and/or VRFY in their attempt to avoid certain harvesting exploits -- or merely out of simple inattention to the default config sometimes.

Anyway... if you have reports that your filter's approach actually is effective for someone else, then maybe I'm wrong and it is going to be useful. It's just that I typically see a lot of real addresses (that are simply faked to be someone _else_'s return address, or quickly deactivated after sending) in my personal spam-box. But that could just be me. *shrug*

I wasn't necessarily trying to convince you not to try it actually. Real-world test data is always better for decision making than "expected results" will ever be. I just was saying I didn't _think_ you'd see much value out of it. -- But then, I could be wrong. ... And I'd certainly be interested in hearing your results. =)

-jab
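Knowing whether RCPT probing "becomes a problem" on a server configured as James describes (VRFY refused, RCPT answered honestly) comes down to watching the reject log. The following is an added example, not code from this thread, from Courier or from Postfix: it scans Postfix smtpd log lines for "User unknown" recipient rejections and flags clients that produce a burst of them against many distinct addresses, which is the signature of dictionary-style harvesting rather than the occasional typo. The log lines are constructed for the example; the parser assumes the standard Postfix "NOQUEUE: reject: RCPT from host[ip]: 550 ..." format, and the threshold and window are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the line Postfix's smtpd logs when a RCPT TO names an address that
# is not in the local recipient table (the honest "no" James's server gives).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: 550 \S+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def parse_rejects(lines):
    """Yield (timestamp, client_ip, rejected_recipient) for each 'User unknown' reject."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only the relative spacing matters here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt")


def max_rejects_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any single window of window_seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def harvesting_suspects(lines, threshold=5, window_seconds=300):
    """Return {client_ip: (peak_rejects_in_window, distinct_recipients)} for clients
    whose burst of unknown-recipient rejects reaches the threshold."""
    per_client = defaultdict(list)
    recipients = defaultdict(set)
    for ts, ip, rcpt in parse_rejects(lines):
        per_client[ip].append(ts)
        recipients[ip].add(rcpt)
    suspects = {}
    for ip, stamps in per_client.items():
        peak = max_rejects_in_window(stamps, window_seconds)
        if peak >= threshold:
            suspects[ip] = (peak, len(recipients[ip]))
    return suspects


def _sample_line(ts, host, ip, rcpt):
    # Constructed log line in the Postfix smtpd reject format (sample data, not a real log).
    return (f"{ts} mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<bulk@example.net> to=<{rcpt}> proto=ESMTP helo=<{host}>")


# Constructed sample log: one client walking the alphabet (six unknown recipients
# in six seconds), one unrelated connect line, and one typo from a normal peer.
SAMPLE_LOG = [
    *(_sample_line(f"Jul 14 19:05:0{i + 1}", "unknown", "192.0.2.10", f"{n}@example.org")
      for i, n in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy"])),
    "Jul 14 19:06:30 mx postfix/smtpd[1240]: connect from mail.example.com[198.51.100.5]",
    _sample_line("Jul 14 19:07:00", "mail.example.com", "198.51.100.5", "tpyo@example.org"),
]

if __name__ == "__main__":
    for ip, (peak, distinct) in harvesting_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {peak} unknown-recipient rejects in window, {distinct} distinct addresses")
```

On the sample data only 192.0.2.10 is flagged; the single typo from 198.51.100.5 stays below the threshold, which is the point of counting bursts rather than individual rejects. The Postfix settings that correspond to the behaviour James describes are `disable_vrfy_command = yes` for refusing VRFY and `smtpd_recipient_limit` for capping recipients per message; the counting above is the monitoring that tells you when those limits are actually being leaned on.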



_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
