People in the web world are in a kerfuffle about an attack called ALPACA which (leaving out a lot of details) gets a web browser to send requests to a non-web server and then gets the browser to interpret the responses in unfortunate ways.  Most of the unfortunateness comes from the server replying to invalid commands and including parts of the commands in the reply.  Since most mail servers will let you send a lot of invalid commands, the bad guy can splice a lot of bits of invalid command response together.

It occurs to me that real mail clients almost never send invalid commands, so if a server sees more than, say, two of them, it's not a real client, so it's better to disconnect.

I don't see a parameter to limit the number of bad commands in a session.  Is there one?  Would it be hard to add?

R's,
John

PS: I know this is not our problem but the web crowd can be awfully pushy.
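The following is an added illustration, not part of John's message and not any mail server's actual code.  It is a toy SMTP command loop that shows the two server-side behaviours the message is getting at: echoing the unrecognised command text back in the error reply (which is what lets the request fragments be spliced into a response), and cutting the session off after a small number of bad commands.  The limit of two bad commands is the figure John suggests; the command set, the `FOREIGN_INPUT` lines (shaped like a browser request, with made-up hostnames) and the reply texts are all constructed for the example.

```python
"""
Toy SMTP-style command loop demonstrating two defences against the
cross-protocol splicing the message describes.  Constructed teaching
example only; it is not the implementation of any real MTA.
"""

from dataclasses import dataclass, field

# A minimal set of verbs a real mail client would send.
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass
class Session:
    # Assumption: disconnect once more than this many bad commands arrive.
    max_bad_commands: int = 2
    # True reproduces the risky behaviour: the server repeats the
    # offending command text inside its error reply.
    echo_unknown: bool = False
    bad_commands: int = 0
    closed: bool = False
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client line and return the server's reply."""
        if self.closed:
            raise RuntimeError("session already closed")
        verb = line.split(" ", 1)[0].upper()
        if verb in KNOWN_VERBS:
            if verb == "QUIT":
                reply = "221 bye"
                self.closed = True
            else:
                reply = "250 ok"
        else:
            self.bad_commands += 1
            if self.bad_commands > self.max_bad_commands:
                # Too many junk commands for a real mail client: hang up.
                reply = "421 too many errors, closing connection"
                self.closed = True
            elif self.echo_unknown:
                # Risky: client-controlled bytes end up in the reply body.
                reply = f"500 unrecognized command: {line}"
            else:
                # Safe: a fixed reply with nothing client-controlled in it.
                reply = "500 unrecognized command"
        self.transcript.append(reply)
        return reply


def run(lines, **kwargs) -> Session:
    """Feed lines to a fresh Session until it closes; return the session."""
    session = Session(**kwargs)
    for line in lines:
        session.handle(line)
        if session.closed:
            break
    return session


# Constructed input shaped like an HTTP request arriving at a mail port.
FOREIGN_INPUT = [
    "GET /index.html HTTP/1.1",
    "Host: mail.example.invalid",
    "X-Note: spliced text",
    "",
    "Accept: */*",
]

# Constructed input from a well-behaved mail client.
LEGIT_INPUT = [
    "EHLO client.example.invalid",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<rcpt@example.invalid>",
    "QUIT",
]


def leaked_request_text(session: Session) -> bool:
    """True if any server reply contains a fragment of the foreign input."""
    return any("GET /index.html" in r or "spliced text" in r
               for r in session.transcript)


if __name__ == "__main__":
    risky = run(FOREIGN_INPUT, echo_unknown=True, max_bad_commands=100)
    print("echoing server leaked request text:", leaked_request_text(risky))
    strict = run(FOREIGN_INPUT)
    print("strict server replies:", strict.transcript)
    print("legit client replies:", run(LEGIT_INPUT).transcript)
```

Run it and compare the two transcripts: the echoing server with a generous error limit answers all five foreign lines and repeats their text in its 500 replies, while the strict server gives two fixed 500s and a 421 and hangs up, so a legitimate client (which sends no bad commands at all) is never affected.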
