Valdis.Kletnieks@vt.edu writes on 12/2/2003 9:32 AM:
> On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <suresh@outblaze.com> said:
>> What they are trying to do is to connect back to email.com's MXs and ensure that the user <sgswretyshsdhtest@email.com> who is trying to send them mail really does exist, and is not just a figment of some spambot's imagination.
> And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN?
MAIL FROM: RCPT TO: QUIT: is precisely what they are doing. Nobody except spammers / dictionary attackers seems to VRFY these days for this sort of stuff. In fact grepping your logs for VRFY is often a reliable sign of a dictionary attack on your machines.
> I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and QUIT instead of DATA. Of course, that would be silly, because if it ever ran into another site that tried the same thing, that site would try to call back and do a MAIL FROM/RCPT TO...
MAIL FROM: <> typically, or from a sender that does not return callbacks to it ... so no danger of loops getting set up. Thank God for small mercies, I guess.

srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
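
The two log patterns discussed in this message, as an added example that is not part of the original e-mail: it separates VRFY/EXPN bursts from callback-style sessions (MAIL FROM:<>, RCPT TO, then QUIT with no DATA). The log layout, the threshold and the label names are assumptions made for illustration, not any MTA's real format.

```python
from collections import defaultdict

# Constructed sample: "<session-id> <client-ip> <SMTP command line>".
# Hypothetical layout, not the log format of any particular MTA.
SAMPLE_LOG = """\
s1 192.0.2.10 HELO mx.example.net
s1 192.0.2.10 MAIL FROM:<>
s1 192.0.2.10 RCPT TO:<alice@example.com>
s1 192.0.2.10 QUIT
s2 198.51.100.7 HELO foo
s2 198.51.100.7 VRFY admin
s2 198.51.100.7 VRFY info
s2 198.51.100.7 VRFY sales
s2 198.51.100.7 VRFY test
s2 198.51.100.7 QUIT
s3 203.0.113.5 EHLO mail.example.org
s3 203.0.113.5 MAIL FROM:<bob@example.org>
s3 203.0.113.5 RCPT TO:<alice@example.com>
s3 203.0.113.5 DATA
s3 203.0.113.5 QUIT
"""

VRFY_THRESHOLD = 3  # assumed cut-off; tune against your own traffic


def classify_sessions(log_text, vrfy_threshold=VRFY_THRESHOLD):
    """Return {session_id: (client_ip, label)} for each SMTP session."""
    sessions, ips = defaultdict(list), {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, ip, cmd = parts
        ips[sid] = ip
        sessions[sid].append(cmd.strip().upper())

    result = {}
    for sid, cmds in sessions.items():
        vrfy = sum(c.startswith(("VRFY", "EXPN")) for c in cmds)
        mail = [c for c in cmds if c.startswith("MAIL FROM:")]
        has_rcpt = any(c.startswith("RCPT TO:") for c in cmds)
        has_data = any(c.split()[0] == "DATA" for c in cmds)
        null_sender = any(c[len("MAIL FROM:"):].strip().startswith("<>") for c in mail)
        if vrfy >= vrfy_threshold:
            label = "vrfy-scan"        # many address lookups in one session
        elif mail and has_rcpt and not has_data:
            # envelope offered but no message sent: null sender => callback
            label = "callback-probe" if null_sender else "rcpt-probe"
        else:
            label = "normal"
        result[sid] = (ips[sid], label)
    return result
```

A session that ends before DATA can also be an ordinary delivery whose recipient was rejected, so the "rcpt-probe" label is a heuristic to review, not a verdict.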