On Mar 27, 2009, at 12:46 PM, John Brooks wrote:
Their response: ... "my understanding of the <firmname removed> security policy is not to acknowledge mistakes in email addresses as a best practice defense against phishing and other types of email delivered attacks."

Anybody run into this kind of logic before?

-- John Brooks j...@day-light.com

It's somewhat common, and preferable to issuing 5xx _if_ you have no built-in DHA* protection. Most modern e-mail security products do have anti-DHA features though, in which case it's much better to issue the 5xx.

*Directory Harvesting Attack.

-- bk
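
An added example, not part of the thread and not taken from any product: a minimal sketch of the anti-DHA behaviour discussed above, where a server keeps answering 5xx for unknown recipients but stops confirming or denying addresses once a client has probed too many. The class name, the threshold, the window, the reply texts and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class DhaGuard:
    """Per-client sliding-window count of RCPT commands naming unknown users."""

    def __init__(self, valid_recipients, max_unknown=3, window_seconds=60):
        self.valid = {r.lower() for r in valid_recipients}
        self.max_unknown = max_unknown    # assumed threshold
        self.window = window_seconds      # assumed window
        self.misses = defaultdict(deque)  # client IP -> times of unknown RCPTs

    def rcpt(self, client_ip, recipient, now):
        """Return the SMTP reply for one RCPT TO from client_ip at time now."""
        q = self.misses[client_ip]
        while q and now - q[0] > self.window:
            q.popleft()                   # forget misses older than the window
        if len(q) >= self.max_unknown:
            # Over the limit: the same temporary failure for every address,
            # valid or not, so further probes reveal nothing.
            return "421 4.7.0 Too many unknown recipients, try again later"
        if recipient.lower() in self.valid:
            return "250 2.1.5 Ok"
        q.append(now)
        # Under the limit: an honest 5xx, so a sender who mistyped finds out.
        return "550 5.1.1 User unknown"


def replay(guard, events):
    """Feed (time, client_ip, recipient) tuples through the guard."""
    return [guard.rcpt(ip, rcpt, t) for t, ip, rcpt in events]


# Constructed sample traffic (documentation IP ranges, example.com mailbox).
EVENTS = [
    (0, "192.0.2.10", "alice@example.com"),     # normal sender, valid address
    (1, "198.51.100.7", "aaron@example.com"),   # harvesting guesses begin
    (2, "198.51.100.7", "abby@example.com"),
    (3, "198.51.100.7", "adam@example.com"),
    (4, "198.51.100.7", "alice@example.com"),   # valid, but client is over limit
    (5, "192.0.2.10", "alcie@example.com"),     # typo from the normal sender
    (70, "198.51.100.7", "alice@example.com"),  # window has expired
]

if __name__ == "__main__":
    for event, reply in zip(EVENTS, replay(DhaGuard(["alice@example.com"]), EVENTS)):
        print(event, "->", reply)
```

The harvesting client's fourth probe names a real mailbox yet receives the same 421 as any other address, while the ordinary sender's typo still gets a 550.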