Forging the Delivered-To line could be to Mr. Spammer's advantage, because
he could send millions+ of messages to addresses that use vpopmail, and
could depend on the bouncing to deliver his mail;  just spoof the envelope
recipient/from and wala.

Not only that, but it gives information about the system's directory structure, which I always thought was a BAD thing.

(As an entirely separate bug: could the directory structure *not* be given to people who shouldn't see it?)

Adam Hooper

Reply via email to