On Tue, Mar 20, 2018 at 09:21:03AM +0000, Joe wrote:
> A SMTP server, by default, accepts email only for recipients which have
> an account on it.
If only. No, that's part of the problem. An SMTP server, *by default*, has no knowledge of which local-recipient-parts are valid and which are not. It has to communicate with some other system, process, library, or whatever, to make that determination. It's much easier for an SMTP server to validate just the domain-part (right of the @ sign), and generate bounces when it turns out that the local-recipient-part (left of the @ sign) is invalid. This is how things worked 25 years ago. Unfortunately, humans being the despicable creatures that they are, that naive system no longer works.

P.S. someone said that bounces are generated using the Reply-To: header. This is incorrect (or at least, would be a violation of the protocols). Bounces are sent to the envelope sender address (the one given by the sender during the SMTP session), without looking at the message itself. Of course, the envelope sender is just as easy to forge as the Reply-To: header is. The sender only needs to lie about who it is. The receiver has no way to verify the address, other than "yeah, that domain exists in DNS".

That's how backscatter (a.k.a. "joe-jobbing") works. The spammer sends mail to an invalid address and lies about the envelope sender address. The receiver generates a bounce to the forged envelope sender address. Voila, spam sent -- by the poor schmuck in the middle who was just trying to follow the SMTP protocol properly. The only one who can identify the actual sender is the one who generated the bounce, and the only identifying information that system has is the IP address from which the message was sent. Everything else (envelope sender, message headers, message body) is fabricated.
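The mechanism described in the message above, as an added example that is not part of the thread: a toy SMTP server, driven by a constructed client transcript, run in two modes. In the "validate the domain-part only" mode it accepts the message, discovers the bad local-part afterwards, and generates a bounce addressed to the envelope MAIL FROM (which the client forged), ignoring the Reply-To: header entirely. In the "ask the mailbox table during the session" mode it rejects at RCPT TO, so no bounce exists and the only record is the connecting IP. All domains, addresses, IPs and the mailbox table are constructed; the DNS check is a stand-in set and nothing touches the network.

```python
"""Added example (not from the thread): simulate envelope handling and backscatter.
Everything below (domains, mailboxes, IPs, transcript) is constructed."""
from dataclasses import dataclass, field
from email.parser import Parser

LOCAL_DOMAIN = "example.net"                      # constructed: the domain we host
VALID_LOCAL_PARTS = {"alice", "bob"}              # constructed mailbox table
KNOWN_DOMAINS = {"example.net", "example.org"}    # constructed stand-in for DNS


@dataclass
class Bounce:
    to: str               # where the bounce is addressed: the envelope sender
    about: str            # the recipient that could not be delivered
    reply_to_header: str  # message header that is NOT used for bounces


@dataclass
class SmtpServer:
    check_local_parts: bool   # False: validate domain only, bounce later
    bounces: list = field(default_factory=list)
    log: list = field(default_factory=list)
    _mail_from: str = ""
    _rcpts: list = field(default_factory=list)
    _data: list = field(default_factory=list)
    _in_data: bool = False

    def domain_exists(self, addr):
        return addr.rpartition("@")[2].lower() in KNOWN_DOMAINS

    def mailbox_exists(self, addr):
        local, _, dom = addr.rpartition("@")
        return dom.lower() == LOCAL_DOMAIN and local.lower() in VALID_LOCAL_PARTS

    def handle(self, client_ip, line):
        """Process one client line; return the server reply (None for body lines)."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                return self._queue()
            self._data.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO", "RSET", "NOOP"):
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        if verb == "MAIL":
            self._mail_from = arg.partition(":")[2].strip("<> ")
            # The only check possible here is that the claimed sender's domain
            # exists; the address itself is whatever the client says it is.
            if self._mail_from and not self.domain_exists(self._mail_from):
                return "550 5.1.8 sender domain does not exist"
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip("<> ")
            if not self.domain_exists(rcpt):
                return "550 5.1.2 recipient domain not found"
            if self.check_local_parts and not self.mailbox_exists(rcpt):
                # Reject now: the client's IP is on the line, no bounce is needed.
                self.log.append(f"{client_ip} rejected RCPT <{rcpt}>")
                return "550 5.1.1 no such user"
            self._rcpts.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 5.5.1 no valid recipients"
            self._in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        return "500 5.5.1 command not recognized"

    def _queue(self):
        """Message accepted; the simulated delivery step now finds bad local-parts."""
        msg = Parser().parsestr("\n".join(self._data))
        for rcpt in self._rcpts:
            # Late failure: the bounce can only go to the envelope sender, which
            # may be forged. Reply-To: is never consulted. A null sender (<>)
            # gets no bounce at all.
            if not self.mailbox_exists(rcpt) and self._mail_from:
                self.bounces.append(Bounce(self._mail_from, rcpt, msg["Reply-To"]))
        self._mail_from, self._rcpts, self._data = "", [], []
        return "250 2.0.0 queued"


FORGED_SESSION = [  # constructed: spammer lies about the envelope sender
    "HELO mail.example.org",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<nosuchuser@example.net>",
    "DATA",
    "From: someone@example.org",
    "Reply-To: spammer@example.org",
    "Subject: buy now",
    "",
    "junk",
    ".",
    "QUIT",
]


def run(server, client_ip, lines):
    """Feed a transcript to the server the way a client would; return replies."""
    replies, skip_body = [], False
    for line in lines:
        if skip_body:
            skip_body = line != "."      # a client sends no body after a refusal
            continue
        reply = server.handle(client_ip, line)
        if reply is not None:
            replies.append(reply)
        if line.upper() == "DATA" and not reply.startswith("354"):
            skip_body = True
    return replies


def demo(client_ip="198.51.100.7"):
    """Run the same forged session against both server modes."""
    naive = SmtpServer(check_local_parts=False)
    run(naive, client_ip, FORGED_SESSION)
    modern = SmtpServer(check_local_parts=True)
    replies = run(modern, client_ip, FORGED_SESSION)
    return naive, modern, replies


if __name__ == "__main__":
    naive, modern, replies = demo()
    print("naive server bounces:", naive.bounces)
    print("modern server bounces:", modern.bounces, "log:", modern.log)
    print("modern server replies:", replies)
```

The naive server ends up with one bounce addressed to victim@example.org, the forged envelope sender, while the Reply-To: value (spammer@example.org) is carried along only to show it played no part. The modern server has no bounce and a log line whose only identifying datum is the client IP, which matches the message's point about what the receiver can actually know.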