Re: problems with smtp-protocol (relaying denied)
- From: Mark Crispin <MRC@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 7 Feb 2006 15:52:52 -0800
I'm not necessarily disagreeing with you. We are probably loudly agreeing; there's just a different as to which principles to stress.
On Tue, 7 Feb 2006, Kjetil Torgrim Homme wrote:
RCPT TO does not necessarily do so. A server may accept any RCPTthis is a big problem on today's Internet, and it must be avoided to
TO and later bounce the message,
set up a server in this manner at all costs. servers which do this
risk being blacklisted.
However there are still pieces of small-i internet left in the world for which there are legitimate MX relays; and those relays neither possess nor have reasonable access to the recipient name space.
The entire purpose of the SMTP return-path is to enable this capability. The fact that spammers abuse it to redirect bounces to others does not mean that the capability is wrong.
I do, however, agree that this is something that should be avoided within reason in today's world, because of the spammer problem. Specifically: a site which chooses to accept all recipients even though it knows the valid recipient name space (in the name of not disclosing valid vs. invalid addresses) in SMTP can not reasonably claim to be behaving reasonably if it subsequently bounces invalid addresses.
since VRFY is purely a diagnostic tool, a server may lie about the
validity of an address just as easily (or more so) as it can for RCPT
TO.
This is a form of "disabling VRFY."
I've watched bad guys do many thousands of VRFY in a single SMTPMAIL FROM; RCPT TO; RCTP TO; RCPT TO; RSET; repeat from start
session to a honeypot. For most sites, this is silent since no
mail is sent.
it's just as silent as VRFY in the MTA implementations I've seen.
Not in MTAs which I've used; aborted email transactions show up in the logs much more prominently than VRFY. Also, this attack can be stymied by doing the reject in the DATA response, placing a limit on the number of permitted aborted transactions (e.g., only allowing a new transaction after SMTP authentication in the case of reactive authentication, etc.).
The one thing that I've observed in spam-fighting is that "one shoe does not fit all." More commonly, "best solutions" are environment-dependent (e.g., SPEWS or blocking all Red Chinese IP ranges may be great for site A and a disaster for site B), and tend to change over time as the spammers also evolve.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
.
- References:
- Re: problems with smtp-protocol (relaying denied)
- From: andre
- Re: problems with smtp-protocol (relaying denied)
- From: Alexander Dalloz
- Re: problems with smtp-protocol (relaying denied)
- From: Kjetil Torgrim Homme
- Re: problems with smtp-protocol (relaying denied)
- From: Mark Crispin
- Re: problems with smtp-protocol (relaying denied)
- From: Kjetil Torgrim Homme
- Re: problems with smtp-protocol (relaying denied)
- Prev by Date: Re: problems with smtp-protocol (relaying denied)
- Previous by thread: Re: problems with smtp-protocol (relaying denied)
- Index(es):
Relevant Pages
|
