[ On-list or off-list replies only, please; never both. ] On Thu, Aug 12, 2010 at 08:36:08PM -0400, Hector Santos wrote: > The valid return path is a SMTP requirement and it MUST be valid at > the time it is issued by the sender. Testing it is a VALID option > to perform for the simple reason ERROR REPORTING is a required > possibility. It must not be invalid.
Welcome to 2010. That's all very nice, but practical reality overrides it. The RFCs allow many things, but some of those are no longer a very good idea, and some of them are downright dangerous. Or to put it another way, de facto operational practice supersedes de jure specifications indicating what we *could* do, if we were freed of all constraints imposed by reality. > I don't see how it allows spammers to bypass security measures. That's probably because you haven't read the original source material that I referenced. [1] Extensive analysis of this technique was done during the summer of 2004 on spam-l, when we caught the incompetent morons at Verizon doing it. That analysis conclusively demonstrates that callbacks (that is: callbacks to external sites, not call forwards to internal sites, which are quite useful in some cases) support, enable and facilitate spam and DoS/DDoS attacks. This is so well established, by the way, that it's a BCP to blacklist those caught doing it, and there are multiple public and private resources which do exactly that. More generally, any putatively defensive technique which permits unknown third parties to generate outbound traffic from *your* operation to arbitrary destinations of *their* choosing is clearly a very bad idea. ---Rsk [1] For example, and this condensed outline of just one of many possible scenarios is NOT a substitute for reading the original source material: consider what happens when an abuser registers a throwaway domain and points the MX's for it at the victim's MX's, then uses a few million zombies to simultaneously send traffic putatively from that throwaway domain to mail servers which use callbacks. This is not a theoretical attack, by the way.
