From: Jimbo (jim@jamesberwick.com)
Date: Thu Feb 07 2008 - 10:13:10 CST
Alejandro Facultad wrote:
> If an "intruder" does:
>
> RCPT TO:<nonexistentuser@example.com>
> 250 2.1.5 Ok
>
> they won't know which mail account is valid or invalid; they always get
> the same code, and this behaviour "obfuscates" the valid mail accounts.
>
> Special thanks
>
You have effectively two choices here and both of them are bad.

You can accept mail for anyone@example.com and just discard messages for
non-existent users. This is bad as legitimate senders who made a typo
will never know their message was not delivered.

You can have every address return 250 OK; however, if the client moves on
to the DATA command they'll be notified that there are no valid
recipients, and they'll still know that the email address is not valid.

I really don't think there is as big a "security" issue with address
probing as you are making it seem.
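Since the reply above argues that rejecting unknown recipients at RCPT TO is the lesser evil, the practical follow-up is to watch for clients that hit many such rejections. The script below is an added example, not code from the original thread or from either poster: it parses Postfix-style `NOQUEUE: reject: RCPT from ...` log lines (the format Postfix writes when it rejects a recipient with `550 5.1.1 ... User unknown`), counts distinct unknown recipients per client IP, and flags clients above a threshold. The log lines, host names and IPs are constructed for the example; the threshold of three is an arbitrary assumption.

```python
"""Flag SMTP clients that probe many recipient addresses.

Added example (not part of the original thread). Parses Postfix-style
"NOQUEUE: reject: RCPT from ..." log lines, counts unknown-recipient
rejections per client IP, and flags clients above a threshold.
"""
import re
from collections import defaultdict

# Constructed sample lines in Postfix's syslog format (not from a real host).
SAMPLE_LOG = """\
Feb  7 10:01:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<aaron@example.com> proto=ESMTP helo=<scanner>
Feb  7 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<abby@example.com> proto=ESMTP helo=<scanner>
Feb  7 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<adam@example.com> proto=ESMTP helo=<scanner>
Feb  7 10:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alan@example.com> proto=ESMTP helo=<scanner>
Feb  7 10:02:10 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.5]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<jsmith@example.com> proto=ESMTP helo=<mail.partner.example>
Feb  7 10:02:11 mx postfix/smtpd[1235]: 3F2A1C0B: client=mail.partner.example[198.51.100.5]
"""

# Matches only "User unknown" rejections at RCPT TO; other 550 reasons
# (relay denied, sender checks) are deliberately not counted.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def unknown_recipients_by_client(log_text):
    """Map client IP -> sorted list of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt"))
    return {ip: sorted(rcpts) for ip, rcpts in seen.items()}


def probing_clients(log_text, threshold=3):
    """Return client IPs that hit `threshold` or more distinct unknown recipients.

    A single typo from a legitimate sender (one unknown recipient) stays
    below the threshold; a client walking through a list of names does not.
    """
    counts = unknown_recipients_by_client(log_text)
    return sorted(ip for ip, rcpts in counts.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    for ip, rcpts in unknown_recipients_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipient(s)")
    print("probing clients:", probing_clients(SAMPLE_LOG))
```

Counting distinct recipients rather than raw rejections keeps a retrying legitimate sender from tripping the rule. Note that this signal only exists because unknown recipients are rejected at RCPT TO; a server that answers 250 to every address (the second option discussed above) logs nothing useful at this stage, which is one more reason to prefer the first option.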