Shachar Shemesh <[EMAIL PROTECTED]> said, in message
[EMAIL PROTECTED]:

> Reject codes were very common once. Then they were recommended
> against.  They were recommended against for a reason, that reason
> being that they expose the user base to password and other guessing.

Who recommended this?!

What on earth makes you think that a 5xx return code lets you
determine either usernames or passwords while a generated bounce
doesn't? On all the mail administrators' mailing lists I'm on, people
always recommend using 5xx in preference to sending a bounce, for all
the obvious reasons. If SpamCop is now listing people who send
collateral spam, I think that's no bad thing.  It'll certainly cut
down the number of Joe Jobs I end up on the receiving end of...

I know a determined attacker could conceivably probe the existence of
addresses using a dictionary attack and looking at the *text*
following the 5xx response, but this is hard work for the attacker and
very easy to prevent at the server (for example, after 5 invalid RCPT
TO: addresses in a single message, aber.ac.uk will respond "Too many
invalid addresses" unconditionally. Throw in a teergrube and they can
spend weeks doing what a google search could achieve in seconds).

Cheers,
Alun.

-- 
Alun Jones                       [EMAIL PROTECTED]
Systems Support,                 (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
-- 
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
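An added illustration, in Python, of the per-message invalid-RCPT limit Alun describes above (after a handful of bad RCPT TO addresses in one message, answer every further RCPT TO with the same generic 5xx whether or not the address exists, optionally with a growing tarpit delay). This is example code written for this page, not the post's or aber.ac.uk's own implementation; the sample address directory, the threshold of 5, the reply texts and the delay step are all assumed values.

```python
"""Per-message limit on invalid RCPT TO answers, with an illustrative tarpit.

Hypothetical policy object: a receiving MTA answers RCPT TO with 250 for known
local addresses and 550 for unknown ones, but once `max_invalid` unknown
addresses have been seen in a single message it answers every further RCPT TO
with one generic 550 without consulting the directory at all, so the reply
text no longer distinguishes existing from non-existing addresses. The
"teergrube" delay is returned as a number rather than slept on, so the example
runs instantly.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GENERIC_REJECT = "Too many invalid addresses"   # assumed reply text
UNKNOWN_USER = "No such user here"              # assumed reply text


@dataclass
class RcptGate:
    local_users: set[str]          # constructed sample directory of valid addresses
    max_invalid: int = 5           # assumed threshold (the post mentions 5)
    tarpit_step: float = 2.0       # assumed seconds added per rejection
    invalid_count: int = field(default=0, init=False)

    def reset(self) -> None:
        """Called on MAIL FROM / RSET: a new message starts with a clean count."""
        self.invalid_count = 0

    def rcpt(self, address: str) -> tuple[int, str, float]:
        """Return (SMTP code, reply text, tarpit delay in seconds) for one RCPT TO."""
        address = address.strip().lower()
        if self.invalid_count >= self.max_invalid:
            # Threshold reached: uniform answer, directory not consulted, so a
            # valid address now gets exactly the same reply as a bogus one.
            self.invalid_count += 1
            return 550, GENERIC_REJECT, self.invalid_count * self.tarpit_step
        if address in self.local_users:
            return 250, "OK", 0.0
        self.invalid_count += 1
        return 550, UNKNOWN_USER, self.invalid_count * self.tarpit_step


def session_transcript(gate: RcptGate, addresses: list[str]) -> list[tuple[int, str, float]]:
    """Run one message's RCPT TO list through the gate and return every reply."""
    gate.reset()
    return [gate.rcpt(a) for a in addresses]


def replies_after_threshold(gate: RcptGate, addresses: list[str]) -> list[tuple[int, str, float]]:
    """Replies from the first generic rejection onward; used to confirm that,
    past the threshold, validity of the address no longer changes the answer."""
    replies = session_transcript(gate, addresses)
    for i, (_, text, _) in enumerate(replies):
        if text == GENERIC_REJECT:
            return replies[i:]
    return []


if __name__ == "__main__":
    # Constructed sample directory and a constructed RCPT list with six bogus
    # addresses followed by one real one.
    gate = RcptGate(local_users={"alun@example.invalid", "postmaster@example.invalid"})
    rcpts = [f"guess{i}@example.invalid" for i in range(6)] + ["postmaster@example.invalid"]
    for addr, (code, text, delay) in zip(rcpts, session_transcript(gate, rcpts)):
        print(f"RCPT TO:<{addr}> -> {code} {text} (delay {delay:.0f}s)")
```

Note that the counter belongs to the message, not the connection: `reset()` is what a real server would call on MAIL FROM or RSET, so a legitimate sender with one mistyped recipient is never affected, while a run of guesses in one transaction is answered uniformly after the fifth miss.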