On Thu, Mar 09, 2000 at 10:47:00AM +0100,
Claus F�rber <[EMAIL PROTECTED]> wrote:
> Well, the question here is, what's better: A security hole allowing
> remote attackers to find out which email address is valid without
> waiting for the bounce (and giving a valid return address in advance) or
> a security hole allowing remote attackers to start a DoS attack by
> sending messages which eventually double bounce?
>
> I believe it's better not to accept that mail in the first place.
Stopping either one has little benefit.
> Unfortunatly, qmail-smtpd has absolutly no access to the list of valid
> addresses, maybe not even users. I have spent some thinking about this
> and ended up with the following idea: A separate daemon validating
> addresses by looking if there is a .qmail file or a default action for
> that address (and maybe caching the results). Of course, if you need
> ~alias/.qmail-default, this would not help. Further, to check whether a
> .qmail file for .qmail-user-anything exists, you would have to start a
> process with this user's id to be able to read the directory...
If your goal is to get rid of spam double bounces, you don't have to get
the list exactly right. You just accept stuff for valid_user, valid_user-.*
and names defined in ~alias.
