Re: [EXIM] question about verification of email addresses

Author: Chris Faehl
Date:  
To: Paul Mansfield
Cc: EXIM Users (E-mail)
Subject: Re: [EXIM] question about verification of email addresses
[deletia]
> ... I would also like to add though that it would be NICE if everyone could
> be open and helpful and allow verify to work, like identd for example. But,
> just as an open mail relay will allow spammers to exploit it, verify can be
> exploited too.
>
> > > - only have valid results in 20% of cases
> > As I said, my experience doesn't conform to that percentage;
>
> hmmm, if I encounter someone who allows verify, I suggest they turn it off!
>
> > > (it's considered very bad practice to
> > > allow verify to work as it poses a security risk
> > I see that Philip's site practises what it preaches. Tell us a little
> > about the security risks, please?
>
> well, it means someone can expand mail addresses, and fundamentally get
> information about real users... like finger. They can then try and crack
> logins.


Like they can't get plenty of account info just by scanning newsgroups and
mailing list archives... vrfy is only really going to work if you already
know an email address (expn is probably a good thing to disallow).

Being able to verify email addresses and perform remote fingers is
convenient. I doubt this information really constitutes that
great a security risk.

>
> See the "Cheswick and Bellovin" book on security...
>
> Paul
>
>
> --
> *** Exim information can be found at http://www.exim.org/ ***
>
>



-------------------------------------------------------------------------------
Chris Faehl                  | Email: cfaehl@???
The University of New Mexico          | URL:   http://www.cs.unm.edu/~cfaehl
Computer Science Dept., Rm. FEC 313   | Phone: 505/277-3016
Albuquerque, NM  87131  USA           | FAX:   505/277-6927
-------------------------------------------------------------------------------