Penetration Testing mailing list archives

Re: Discovering users by RCPT TO


From: Baltasar Cevc <baltasar () cevc-topp de>
Date: Sun, 16 Jan 2005 18:26:31 +0100


Bassett, Mark wrote:
| A better way of doing an "authorized user list", is to accept mail for
| every address at your domain, but toss it into the bit bucket if it's
| not a valid recipient.  The major difference being that you accept the
| message regardless, it just never gets delivered.  Lots of anti-spam
| products provide this ability.  Ciphertrust Ironmail, and Clearswift
| MimeSweeper are both anti-spam vendors that do this that I can think of
| offhand.

However, using that feature will have a rather nasty side effect of not
letting legitimate users know that their mail has not been delivered.
And at least here in Germany, knowingly not delivering mail is illegal;
although these mails cannot be delivered, I suppose you may be liable
to let the sender know (at least if it is a human ;-)

Baltasar
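As an added illustration of the trade-off discussed in this thread (not code from either poster or from any product named above), the following toy model of an MTA's RCPT TO policy contrasts per-recipient rejection, whose replies differ for valid and unknown users, with the "accept for every address, discard later" approach. The domain, user list and message handling are constructed for the example.

```python
# Added example: toy model of two RCPT TO policies for a mail domain.
# All names and values below are constructed; this is not a real MTA.
from dataclasses import dataclass, field

DOMAIN = "example.com"          # constructed domain
VALID_USERS = {"alice", "bob"}  # constructed list of real local parts


def rcpt_to_reply(recipient: str, accept_all: bool) -> str:
    """Return the SMTP reply an MTA would give to RCPT TO:<recipient>."""
    local, _, domain = recipient.partition("@")
    if domain != DOMAIN:
        return "550 5.7.1 Relaying denied"
    if accept_all or local in VALID_USERS:
        return "250 2.1.5 Recipient ok"
    return "550 5.1.1 User unknown"


def rcpt_replies_leak_users(accept_all: bool) -> bool:
    """True when a valid and an unknown local user get different RCPT TO replies,
    i.e. when the server acts as an oracle for which addresses exist."""
    valid = rcpt_to_reply("alice@" + DOMAIN, accept_all)
    unknown = rcpt_to_reply("nobody@" + DOMAIN, accept_all)
    return valid != unknown


@dataclass
class Outcome:
    delivered: list = field(default_factory=list)
    rejected_at_rcpt: list = field(default_factory=list)  # sender's MTA sees the error
    discarded: list = field(default_factory=list)         # accepted, then silently dropped


def process_message(recipients, accept_all: bool) -> Outcome:
    """Simulate one message through the RCPT TO stage and then local delivery."""
    out = Outcome()
    for rcpt in recipients:
        if not rcpt_to_reply(rcpt, accept_all).startswith("250"):
            out.rejected_at_rcpt.append(rcpt)
            continue
        local = rcpt.partition("@")[0]
        if local in VALID_USERS:
            out.delivered.append(rcpt)
        else:
            # The side effect raised in the reply: the message was accepted with
            # 250, so the sender is never told it went to the bit bucket.
            out.discarded.append(rcpt)
    return out
```

With accept_all=False the replies reveal which users exist but the sender learns of the failure immediately; with accept_all=True the replies are uniform and the unknown recipient's copy is discarded without any notice to the sender.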

