On Sun, 2009-05-10 at 17:00 -0700, Kelly Jones wrote:
> When one of our customers emails someone, we whitelist the recipient
> address so that the return email won't be blocked [1].

> [1] We realize this is imperfect: e.g., the recipient might reply from a
> different address.

There's another aspect to why this might be imperfect.

In the case of mail sent from A to B, both at the same domain, both of them might be in the same list of addresses of a spammer. I've more than enough samples sent to A, B and C as per the SMTP RCPT TO. I've sufficient samples where one of them is also being forged as the sender.

So unless you absolutely ensure (at the very least by policy) that mail from that domain must be sent through your server, you are potentially white-listing the entire, own domain. Which, given the recent-ish From equals To, obviously isn't a good idea to do for mail from untrusted hosts. ;)

BTW, your customers don't ever send mail to themselves, do they?

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
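
An added example, not part of the original message or of any real filter: a small Python model of the recipient auto-whitelist discussed above, showing how a forged same-domain sender passes a naive lookup and how ignoring own-domain entries for unauthenticated mail closes that gap. The class, function names, addresses and the `authenticated` flag are all hypothetical.

```python
# Constructed sample data: the domain hosted by "our" server.
LOCAL_DOMAINS = {"example.com"}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


class RecipientWhitelist:
    """Per-customer whitelist filled from the recipients of outbound mail."""

    def __init__(self, guard_local):
        self.guard_local = guard_local  # apply the own-domain policy check?
        self.entries = {}               # customer -> set of whitelisted senders

    def record_outbound(self, customer, recipients):
        # The customer mailed these addresses, so their replies are whitelisted.
        bucket = self.entries.setdefault(customer.lower(), set())
        bucket.update(r.lower() for r in recipients)

    def bypasses_filter(self, mail_from, rcpt_to, authenticated):
        """True if mail claiming to be from mail_from skips spam checks."""
        sender = mail_from.lower()
        if sender not in self.entries.get(rcpt_to.lower(), set()):
            return False
        if (self.guard_local and domain(sender) in LOCAL_DOMAINS
                and not authenticated):
            # The sender claims an address in our own domain, but the mail did
            # not arrive through our authenticated submission path. The address
            # is unverified, so the whitelist entry is not honoured.
            return False
        return True


def simulate(guard_local):
    wl = RecipientWhitelist(guard_local)
    # A mails colleague B and an outside partner, then sends a note to self.
    wl.record_outbound("a@example.com", ["b@example.com", "partner@example.net"])
    wl.record_outbound("a@example.com", ["a@example.com"])
    check = wl.bypasses_filter
    return {
        # Untrusted host forging a co-recipient from the same address list.
        "forged_colleague": check("b@example.com", "a@example.com", False),
        # Untrusted host using From equals To.
        "forged_self": check("a@example.com", "a@example.com", False),
        # B's genuine mail, submitted through our server.
        "real_colleague": check("b@example.com", "a@example.com", True),
        # The reply the whitelist was built for.
        "external_reply": check("partner@example.net", "a@example.com", False),
        "stranger": check("x@example.org", "a@example.com", False),
    }


if __name__ == "__main__":
    for guard in (False, True):
        print("guard_local =", guard, simulate(guard))
```
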