Auteur: Alan J. Flavell Date: À: Exim User's Mailing List Sujet: Re: [exim] rfc-ignorant.org - auto reporting those who reject
mailfrom: <>
On Sat, 23 Oct 2004, David S. Madole wrote:
> Maybe the person running this server doesn't care about your
> attempts to use callouts to duplicate the service that "VRFY" is
> supposed to provide.
I don't know about you, but one of the reasons for attempting a
callout is to get some idea that the offering MTA would accept a
"bounce" (non-delivery report, delivery status notification).
If we take responsibility for delivering a mail, there -are-
situations (albeit we're all doing our best to avoid most of them -
right? - by rejecting during the SMTP dialog) where a subsequent error
means that the mail couldn't be delivered; and then it's necessary to
compose a non-delivery report to the envelope-sender, just like it
says in the good RFCs.
In the interests of a reliable mail operation, I wouldn't want (other
constraints being equal) to take the responsibility for delivering a
mail in a situation where I *knew* that a non-delivery report would
fail.
VRFY doesn't even approach performing that function.
> If you want to verify recipients' addresses, why don't you just
> "play by the rules" and use "VRFY" to do this?
For one reason: see above.
> The rules say that "<>" is to be used for delivery of status
> notifications.
And that's why we're testing the (initial steps of) ability to deliver
status notifications.
> Your using it for callouts is not "playing by the rules".
Your argument is not entirely without merit; but, in the circumstances
in which we find ourselves, some compromises have to be made.
> If the other guy decides he doesn't care about status notifications,
> that's his decision,
Indeed, and our subsequent action follows from that. We might choose
to put his domain into our callouts list, so that he can block himself
from offering us any further mails until he stops that behaviour.
> just as it's your decision to use mail from "<>" as
> a substitute for "VRFY".
As you've shown in your own presentation: a positive response to a
VRFY (assuming you can get one nowadays) does not come near to proving
that the offering MTA would accept a delivery status notification.
A positive response to a callout doesn't actually guarantee it,
either (the DSN might get refused at the DATA phase), but it does at
least go part of the way, and IMHO represents one practical tool in
the anti-abuse toolkit. Of course, it has to be used with discretion
(cue Suresh for at least one good reason why).
best regards
--
"You cannot store 'The Internet' in the Recycle Bin"