* Marilyn Davis wrote (23/03/2005 22:55):
> On Wed, 23 Mar 2005, Fred Viles wrote:
>
>> On 23 Mar 2005 at 13:50, Marilyn Davis wrote about
>> "Re: [exim] Heads up?":
>>
>> |...
>> | If the challenge to a spoofed message is sent at SMTP time in the
>> | acl_smtp_data, doesn't the challenge go to the spoofer and not become
>> | collateral spam?
>>
>> No. Doing it at SMTP time means the challenge can be sent to the
>> envelope-sender address rather than address(es) extracted from the
>> message headers. But the envelope sender address is no more reliable
>> than the From: or Reply-To: addresses.
>
> Oh. I guess I'm still not understanding something.
>
> Are you saying that when mail is rejected at smtp time, the error
> message can get to a different computer than the one that sent it?
Are you missing the distinction between an error message and an e-mail?
An error message (550 or whatever) is sent to the connecting host during
the SMTP connection. It tells the host that there was an error during
the SMTP session. It is sent to an IP address, not an e-mail address. A
challenge e-mail has to be sent via a new SMTP connection to an e-mail
address. The problem is that there is no way to know the right e-mail
address, because it can be made up.
Sorry if this is all either already obvious or no clearer, but the
preceding discussion suggests that it might be worth pointing out.
