Well said. Giving away the user list makes sense only when you don't care about dictionary attacks. From the arguably daft visionary point of view where we have solid server-side access restrictions, we don't care about dictionary attacks, and publication of the valid user list in a way that can be referred to with an SPF macro is an additional point.
Until I get my servers back up, I'm afraid I'm going to have to live with being called daft.

--
David L Nicol
"Happy hacking!"
http://www.amazon.com/exec/obidos/ASIN/0596002874/tipjartransactioA/
