Posted by "Michael Sims" on 09/27/03 11:27
J B wrote:
> On 9/21/05, Michael Sims <michaels@crye-leike.com> wrote:
>> Additionally, some mail servers unconditionally accept mail
>> addressed to ANY username at their domain, whether that user
>> actually exists or not. This is very bad practice, because it
>> usually means the accepting MTA is a "dumb" host that has to forward
>> all incoming mail to an internal mail server which knows which
>> accounts exist, and if that server ends up rejecting the message,
>> the "dumb" MTA creates a DSN and sends it back to the envelope
>> sender (which is quite often forged). This causes the so-called
>> "backscatter" which results in innocent people getting bounces for
>> messages they didn't send. Nevertheless, lots of mail servers are
>> configured this way, so you cannot simply assume that an account is
>> real just because you didn't get a 5xx on RCPT TO.
>
> Just as a side note, and I do agree that this behaviour is bad
> practice in principle, but I imagine they (the MTAs) do this for the
> same reason that login prompts don't tell you when you enter a bogus
> username and still prompt for the password and give a generic "access
> denied" error...it prevents username fishing.
There probably are a few people who accept mail to any address at their domain to
foil dictionary attacks, but IMHO the vast majority of servers that are set up this
way are due to mail admins who just don't know any better. It's not always easy to
set up a border MTA so that it knows about the accounts that exist on an internal
machine...it usually involves custom scripting or real-time callouts to the internal
server and it takes a relatively knowledgeable admin to implement it (at least that
has been my experience).
I had someone else email me privately saying that they did the above precisely to
foil dictionary attacks, but this person configured his server to simply discard
email to nonexistent accounts. That has its disadvantages (since it could make
legit senders believe their messages are being delivered when they aren't) but at
least it doesn't create any backscatter. In the default case, accepting all email
unconditionally then later rejecting it is just irresponsible, since it makes you a
vector for abuse, and could eventually get you blacklisted if other mail servers get
sick of receiving bogus bounces from your domain...
(As a side note, apparently the list software doesn't like the offtopic nature of
this sub-thread (I just received a 550 on this message), so this will be my last
post on the matter. But since I've gone to the trouble of typing it up let me throw
in the words PHP, web, and Apache, so this will make it through. :) )
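The exchange described in the post above, as an added example that is not part of the original thread or of any particular MTA: a minimal SMTP talker plays the internal server that knows which accounts exist, and a border MTA either accepts every RCPT TO (the backscatter source), silently discards, or does a real-time recipient callout. The account list, the hostnames, the domain example.com and the envelope addresses are all constructed for illustration, and a socketpair stands in for the TCP connection so it runs offline.

```python
"""Border-MTA RCPT TO policies: accept-all, discard, and recipient callout.

Added example, not code from the mailing-list thread. Accounts, hostnames,
domain and addresses are constructed; socketpair() replaces a TCP connection
to port 25 on the internal host.
"""
import socket
import threading

INTERNAL_ACCOUNTS = {"alice", "bob"}   # constructed: what the internal host knows
DOMAIN = "example.com"                  # constructed domain


def _reply(sock, line):
    sock.sendall((line + "\r\n").encode("ascii"))


def internal_server(sock):
    """Internal SMTP host: answers RCPT TO with 250 for real accounts and
    550 5.1.1 for everything else. Runs in a thread on the far end of the pair."""
    _reply(sock, "220 mail-int.example.com ESMTP")
    rfile = sock.makefile("rb")
    for raw in rfile:
        cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            _reply(sock, "250 mail-int.example.com")
        elif cmd == "MAIL":
            _reply(sock, "250 2.1.0 Ok")
        elif cmd == "RCPT":
            addr = arg[3:] if arg.upper().startswith("TO:") else arg
            local, _, domain = addr.strip("<> ").rpartition("@")
            if domain.lower() == DOMAIN and local.lower() in INTERNAL_ACCOUNTS:
                _reply(sock, "250 2.1.5 Ok")
            else:
                _reply(sock, "550 5.1.1 User unknown")
        elif cmd == "RSET":
            _reply(sock, "250 2.0.0 Ok")
        elif cmd == "QUIT":
            _reply(sock, "221 2.0.0 Bye")
            break
        else:
            _reply(sock, "502 5.5.2 Command not implemented")
    sock.close()


def _read_reply(rfile):
    """Read one SMTP reply (skipping 'NNN-' continuation lines) and return its code."""
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("internal server closed the connection")
        if len(line) < 4 or line[3] == " ":
            return int(line[:3])


def connect_to_internal():
    """Stand-in for the border MTA's TCP connection to the internal host."""
    client, server = socket.socketpair()
    threading.Thread(target=internal_server, args=(server,), daemon=True).start()
    return client


def rcpt_callout(sock, address, helo="mail-border.example.com"):
    """Verify ADDRESS on the internal host: HELO, null sender, RCPT TO, QUIT.
    No message is sent; the RCPT TO reply code is the answer."""
    rfile = sock.makefile("rb")
    _read_reply(rfile)                          # 220 greeting
    _reply(sock, "HELO " + helo)
    _read_reply(rfile)
    _reply(sock, "MAIL FROM:<>")                # null sender, as a DSN would use
    _read_reply(rfile)
    _reply(sock, "RCPT TO:<%s>" % address)
    code = _read_reply(rfile)
    _reply(sock, "QUIT")
    _read_reply(rfile)
    return code


def border_rcpt(address, policy):
    """The border MTA's RCPT TO reply under each policy."""
    if policy in ("accept-all", "discard"):
        return 250                              # accepts anything; no account knowledge
    if policy == "callout":
        return rcpt_callout(connect_to_internal(), address)
    raise ValueError(policy)


def deliver(envelope_sender, recipient, policy):
    """Follow one message through the border MTA and report where it ends up."""
    if border_rcpt(recipient, policy) >= 500:
        return "rejected-in-session"            # sending MTA sees the 5xx itself
    # Accepted at the border: the forwarding attempt to the internal host happens later.
    if rcpt_callout(connect_to_internal(), recipient) < 300:
        return "delivered"
    if policy == "discard":
        return "silently-discarded"             # no backscatter, but sender never learns
    return "dsn-to-" + envelope_sender          # bounce to a possibly forged sender
```

The "rejected-in-session" outcome is the point: when the border MTA answers 550 during the RCPT TO exchange, the sending MTA (which may be a spammer's) carries the error, and no DSN is ever generated toward the forged envelope sender.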