Posted by J B on 10/02/19 11:27
On 9/21/05, Michael Sims <michaels@crye-leike.com> wrote:
> Additionally, some mail servers unconditionally accept mail addressed to ANY
> username at their domain, whether that user actually exists or not. This is very
> bad practice, because it usually means the accepting MTA is a "dumb" host that has
> to forward all incoming mail to an internal mail server which knows which accounts
> exist, and if that server ends up rejecting the message, the "dumb" MTA creates a
> DSN and sends it back to the envelope sender (which is quite often forged). This
> causes the so-called "backscatter" which results in innocent people getting bounces
> for messages they didn't send. Nevertheless, lots of mail servers are configured
> this way, so you cannot simply assume that an account is real just because you
> didn't get a 5xx on RCPT TO.
Just as a side note, and I do agree that this behaviour is bad
practice in principle, but I imagine they (the MTAs) do this for the
same reason that login prompts don't tell you when you enter a bogus
username and still prompt for the password and give a generic "access
denied" error...it prevents username fishing.
Of course, I would think that a better solution would be to do
immediate rejection and then block the remote IP after X send attempts
with invalid usernames, but maybe there's a compelling reason not to
do that and I just haven't thought of it...
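Added example, not code from the original thread: a simulated RCPT TO decision that models both behaviours discussed above, the "dumb" relay that accepts every address and later generates a DSN to the (possibly forged) envelope sender, beside immediate rejection with a per-IP block after X invalid usernames. The account list, addresses, thresholds and reply text are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed account list and thresholds for the example; no real domain.
LOCAL_USERS = {"alice", "bob"}
MAX_INVALID = 3         # X invalid usernames before the sender IP is blocked
WINDOW_SECONDS = 600    # invalid attempts older than this are forgotten


class RecipientPolicy:
    """Simulated RCPT TO decision for one receiving MTA.

    reject_at_rcpt=False models the "dumb" relay from the quoted mail: it
    accepts every address, and the internal server's later rejection turns
    into a DSN to the (possibly forged) envelope sender, i.e. backscatter.
    reject_at_rcpt=True models the alternative proposed above: reject unknown
    users immediately and block the IP after MAX_INVALID bad usernames.
    """

    def __init__(self, reject_at_rcpt=True):
        self.reject_at_rcpt = reject_at_rcpt
        self.invalid_attempts = defaultdict(deque)  # ip -> timestamps
        self.blocked = set()
        self.dsns_sent = []  # (envelope sender, recipient) bounces generated

    def _note_invalid(self, ip, now):
        attempts = self.invalid_attempts[ip]
        attempts.append(now)
        while attempts and now - attempts[0] > WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) >= MAX_INVALID:
            self.blocked.add(ip)

    def rcpt_to(self, ip, mail_from, rcpt, now):
        """Return the SMTP reply this MTA gives to RCPT TO:<rcpt>."""
        if ip in self.blocked:
            return "554 5.7.1 Too many invalid recipients from your host"
        user = rcpt.split("@", 1)[0].lower()
        if user in LOCAL_USERS:
            return "250 2.1.5 OK"
        if not self.reject_at_rcpt:
            # Accepted blindly; the later bounce goes to mail_from, who
            # never sent the message if the sender address was forged.
            self.dsns_sent.append((mail_from, rcpt))
            return "250 2.1.5 OK"
        self._note_invalid(ip, now)
        return "550 5.1.1 User unknown"


def run_probe(policy, ip, mail_from, rcpts):
    """Feed one recipient per second and collect the replies."""
    return [policy.rcpt_to(ip, mail_from, r, t) for t, r in enumerate(rcpts)]
```

With the relay policy every recipient gets 250 and each unknown user becomes a bounce to the forged sender; with the strict policy the unknown users get 550 at RCPT time, no DSN is generated, and the fourth attempt from the same IP is refused outright.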