On 6/19/2013 12:56 PM, Jeroen Geilman wrote:
> On 06/19/2013 07:32 PM, Wietse Venema wrote:
>> Ansgar Wiechers:
>>> On 2013-06-19 Jeroen Geilman wrote:
>>>>>> Quoting Andreas Kasenides <andr...@cymail.eu>:
>>>>>>> Out: 250-VRFY
>>>> You really don't want to enable VRFY on a public mailserver; it only
>>>> enables more spammers to abuse you.
>>>> Set 'disable_vrfy_command = yes' in main.cf to globally disable it.
>>> Not really. Aside from the fact that there are other ways to verify an
>>> address, I get a single VRFY every other month on my mail server.
>>>
>>> In my experience most spammers don't actually care if an address is
>>> valid or not and blindly throw their crap at everything that looks at
>>> least remotely like a mail address.
>> I agree. Technically, VRFY is implemented as RCPT TO without all
>> the baggage of a mail transaction. The difference is that
>> smtpd_client_recipient_rate_limit does not apply to VRFY, but that
>> is easily fixed (I just copied some code from the RCPT TO handler).
>>
>> Wietse
>>
>
> I seem to remember that allowing VRFY meant spammers could
> brute-force valid recipients; perhaps this was long ago and it is no
> longer true.
>
In the old days, spammers used VRFY dictionary attacks to collect valid addresses. Then admins started disabling VRFY and spammers switched to using RCPT TO, which gives them the same information. My impression is that spammers now collect addresses in other ways -- web harvesting, viruses that steal address books -- and classic dictionary attacks are seldom used anymore (with email). There is no longer any particular reason to disable VRFY, nor any particular reason not to. Disabling it doesn't protect you from anything, leaving it on doesn't add anything particularly useful.

-- 
Noel Jones
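Wietse's point above (VRFY is RCPT TO without the mail transaction, so the only real difference is whether the per-client recipient rate limit applies) is easy to see in a toy SMTP command handler. The following is an added illustration written for this thread, not Postfix code: a single `Session` class answers EHLO, VRFY, MAIL FROM, RCPT TO, RSET and QUIT against a constructed address table, and routes both VRFY and RCPT TO through one shared lookup counter so the rate limit covers both verbs. The hostname, addresses, limit value and the reply wording (modelled on Postfix's style, but constructed here) are all assumptions.

```python
"""Toy SMTP command handler: VRFY and RCPT TO both reveal recipient validity,
and one shared per-client counter applies the recipient rate limit to both.
Constructed illustration for the thread above, not Postfix source."""

from dataclasses import dataclass
from typing import Optional

# Constructed local recipient table (stands in for the server's recipient maps).
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
HOSTNAME = "mail.example.org"  # assumed


def _address(arg: str) -> str:
    """Extract the bare address from 'TO:<x>' / 'FROM:<x>' / '<x>' / 'x'."""
    _, _, rest = arg.partition(":") if ":" in arg else ("", "", arg)
    return rest.strip().strip("<>")


@dataclass
class Session:
    client_ip: str
    disable_vrfy: bool = False          # analogue of disable_vrfy_command = yes
    recipient_rate_limit: int = 5       # analogue of smtpd_client_recipient_rate_limit
    mail_from: Optional[str] = None
    lookups: int = 0                    # recipient lookups, counted for VRFY and RCPT alike

    def _lookup(self, addr: str) -> Optional[str]:
        """Return an error reply, or None if the recipient is accepted.

        Because VRFY and RCPT share this counter, a client cannot sidestep the
        limit by switching verbs (the gap Wietse describes fixing)."""
        if self.lookups >= self.recipient_rate_limit:
            return "450 4.7.1 Error: too many recipients from %s" % self.client_ip
        self.lookups += 1
        if addr in LOCAL_USERS:
            return None
        return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % addr

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            caps = ["250-" + HOSTNAME]
            if not self.disable_vrfy:
                caps.append("250-VRFY")       # only advertised when enabled
            caps.append("250 8BITMIME")
            return "\r\n".join(caps)
        if verb == "VRFY":
            if self.disable_vrfy:
                return "502 5.5.1 VRFY command is disabled"
            addr = _address(arg)
            return self._lookup(addr) or "252 2.0.0 %s" % addr
        if verb == "MAIL":
            self.mail_from = _address(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            # The "baggage": RCPT needs an open mail transaction first.
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            return self._lookup(_address(arg)) or "250 2.1.5 Ok"
        if verb == "RSET":
            self.mail_from = None
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def transcript(session: Session, commands):
    """Run commands through a session and return (command, reply) pairs."""
    return [(c, session.handle(c)) for c in commands]


if __name__ == "__main__":
    # Constructed sample dialogue from one client, limit lowered to 2 to show the cap.
    s = Session("192.0.2.10", recipient_rate_limit=2)
    for cmd, reply in transcript(s, ["EHLO client.example",
                                     "VRFY alice@example.org",
                                     "MAIL FROM:<sender@example.net>",
                                     "RCPT TO:<nobody@example.org>",
                                     "VRFY bob@example.org",
                                     "QUIT"]):
        print("C:", cmd)
        print("S:", reply)
```

Running the module prints a sample dialogue in which the third recipient lookup, regardless of whether it arrives as VRFY or RCPT TO, gets the 450 rate-limit reply; setting `disable_vrfy=True` removes `250-VRFY` from the EHLO reply and answers VRFY with 502, while RCPT TO still returns exactly the same validity information once MAIL FROM has been sent.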