Spam to this list
auj at aber.ac.uk
Tue Apr 19 08:02:54 GMT 2005
Shachar Shemesh <rsync at shemesh.biz> said, in message
426425C3.20407 at shemesh.biz:
> Reject codes were very common once. Then they were recommended
> against. They were recommended against for a reason, that reason
> being that they expose the user base to password and other guessing.
Who recommended this?!
What on earth makes you think that a 5xx return code lets you
determine either usernames or passwords while a generated bounce
doesn't? On all the mail administrators' mailing lists I'm on, people
always recommend using 5xx in preference to sending a bounce, for all
the obvious reasons. If SpamCop is now listing people who send
collateral spam, I think that's no bad thing. It'll certainly cut
down the number of Joe Jobs I end up on the receiving end of...
I know a determined attacker could conceivably probe the existence of
addresses using a dictionary attack and looking at the *text*
following the 5xx response, but this is hard work for the attacker and
very easy to prevent at the server (for example, after 5 invalid RCPT
TO: addresses in a single message, aber.ac.uk will respond "Too many
invalid addresses" unconditionally. Throw in a teergrube and they can
spend weeks doing what a google search could achieve in seconds).
Alun Jones auj at aber.ac.uk
Systems Support, (01970) 62 2494
University of Wales, Aberystwyth
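The per-message RCPT TO policy Alun describes (5xx for unknown recipients, then an unconditional "Too many invalid addresses" after the fifth invalid one, optionally tarpitted) modelled as a small state machine. This is an added example, not code from the post or from aber.ac.uk's mail setup; the user directory, domain and tarpit delay are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders: local mailboxes and domain of this hypothetical server.
LOCAL_DOMAIN = "example.test"
LOCAL_USERS = {"alice", "bob"}
MAX_INVALID_RCPT = 5        # threshold named in the post
TARPIT_STEP_SECONDS = 10.0  # hypothetical teergrube delay added per rejected RCPT


@dataclass
class MailTransaction:
    """State for one message (MAIL FROM ... DATA); a new object per message."""
    invalid_rcpt: int = 0
    accepted: list = field(default_factory=list)
    tarpit_seconds: float = 0.0  # total delay a real server would sleep before replying

    def rcpt_to(self, address: str) -> tuple[int, str]:
        """Return the (code, text) reply an SMTP server would give to RCPT TO:<address>."""
        if self.invalid_rcpt >= MAX_INVALID_RCPT:
            # Threshold reached: identical reply whether or not the address exists,
            # so the reply text no longer confirms valid mailboxes.
            self.tarpit_seconds += TARPIT_STEP_SECONDS
            return 550, "Too many invalid addresses"
        local, _, domain = address.rpartition("@")
        if domain.lower() != LOCAL_DOMAIN:
            return 550, "Relay access denied"
        if local.lower() not in LOCAL_USERS:
            # Reject at RCPT time instead of accepting and bouncing later.
            self.invalid_rcpt += 1
            self.tarpit_seconds += TARPIT_STEP_SECONDS
            return 550, "No such user here"
        self.accepted.append(address)
        return 250, "OK"


def reply_texts(addresses: list[str]) -> list[str]:
    """Run one message's RCPT TO list through a fresh transaction; return reply texts."""
    tx = MailTransaction()
    return [tx.rcpt_to(a)[1] for a in addresses]


if __name__ == "__main__":
    probes = [f"user{i}@{LOCAL_DOMAIN}" for i in range(6)] + [f"bob@{LOCAL_DOMAIN}"]
    for addr, text in zip(probes, reply_texts(probes)):
        print(f"RCPT TO:<{addr}> -> {text}")
```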