>From: Dan McAllister >Now I can't just reply to HOW without adding my 2-cents worth as to why I think "bounce-no-mailbox" is the WORST of the options:
>- It allows spammers to "mine" your domain for "good" email addresses (which then get sold!). how? Send a note to a...@yourdomain.com, b...@yourdomain.com, etc. For each one that does NOT get a bounceback, you have a good address! SPAM IT! >- Once your domain is "mature" (been around a few years), your "catchall" account will get thousands of emails a day - from spammers trying to mine your domain! My question is, would this not lead spammer to try to use your domain name as a FROM? What I mean by that is, if you're not bouncing the bad addresses, then a spammer can use your domain [I know, many don't check SPF or where the domain is allowed to send email from records], to send email outbound. Most email servers will check to see if the return email address is valid, and qmail would say anth...@yourdomain.com is valid. While it would get dumped into /dev/null since you have "delete" as the final destination, I'm not entirely sure allowing all email address for your domain to work is a good idea. I know a few years ago, I did have a few customers this happened to. We had to disable the catch-all and instead, set it to bounce-no-mailbox. When we did that, the spammers stopped trying to use the domain as a "from" address [and yes, SPF records made no difference. it was the open catch-all that led the spammers to use the domain as a "from" address]. Again, YMMV. Carl