jrudd at ucsc
Jul 22, 2007, 4:14 PM
Post #2 of 2
(63 views)
Permalink
|
Giampaolo Tomassoni wrote:
>> -----Messaggio originale-----
>> Da: Matus UHLAR - fantomas [mailto:uhlar[at]fantomas.sk]
>>
>> ...omissis...
>>
>> I am really curious how do they behave when there's forged sender and
>> both
>> MTA's use this. Either they will cycle forever (so they will never know
>> if
>> either address is OK), or they will stop checking (so the spam will
>> pass
>> because spammer forged domain with SAV implemented) or the mail (even
>> legitimate!) just will not pass...
>>
>> Once I'll try this on two or more such systems (in parallel!) and see
>> if
>> they will DoS each other...
>
> No, Matus: they don't cycle.
>
> An MTA willing to check the existence of a sender address would do this
> before its reply after end of DATA (i.e.: after having received the
> message). Instead, an MTA would inform its peer of a non-existent mailbox
> after RCPT-TO (with a 5XX error code), which is well before DATA.
>
> The checking system need not proceed to DATA in order to check the existence
> of a mailbox, so there is no cycle...
I believe the more direct reason why there wont be a cycle/loop is that:
When doing SAV, the checking host should set its "Mail-From" to "<>".
So, if someone tries to send me a message from joe[at]example.com, and I
were to use SAV (which I don't), then the SAV check should have these
transactions:
HELO $MYHOST
Mail-From: <>
RCPT-To: <joe[at]example.com>
QUIT
The reason why this shouldn't cause a loop is that RFCs specifically
state that <> a valid Mail-From, and should always be accepted.
Therefore, the other side should never reject (and therefore never
check) the validity of <> as a mail-from.
|
