Re: Is predictable spam filtering a vulnerability?
On Fri, 18 Jun 2004, Jon Fiedler wrote:
> >In my opinion, any spam filter that silently drops e-mail is broken, and
> >is indeed a security risk. A spam filter MUST respond with a 500 SMTP
> >failure code if it rejects a message.
> This ignores client side spam filters,
Client-side spam filters that silently drop e-mail are broken. They
should generate a non-delivery notification.
Of course, that leads to all kinds of other nasty problems, so I've
concluded that client-side spam filters in general are broken, and the
only proper way to do it is on the server, and only by failing the
SMTP transaction.
> and doesn't really change the
> attack. The 500 message would be sent back to A, but not B, so B is
> still in the dark about C not receiving the emails.
No; B would get the failure message, because B is the envelope sender.
Regards,
David.
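The disagreement above turns on one mechanical detail of SMTP: a 5xx reply is given to the connecting client, and the client that has already taken responsibility for the message generates the non-delivery notification to the envelope sender (MAIL FROM), never to the header From. The following simulation is an added illustration, not code from this thread or from any mail software the participants use. It models B sending through a forwarder A to a recipient C whose server applies one of three filtering policies, and reports who ends up being told about the rejection. All addresses are constructed; the `rewrite_envelope_to` parameter is a hypothetical knob for a forwarder that replaces the envelope sender with its own address, which is the situation in which the bounce reaches A rather than B.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    """How C's server treats a message its filter classifies as spam."""
    REJECT_IN_SMTP = "reject_in_smtp"        # fail the SMTP transaction with a 5xx reply
    ACCEPT_THEN_DROP = "accept_then_drop"    # answer 250, then discard silently
    CLIENT_FILTER_NDN = "client_filter_ndn"  # accept; C's client-side filter discards and sends an NDN


@dataclass
class Envelope:
    mail_from: str    # SMTP envelope sender (MAIL FROM); bounces are addressed here
    rcpt_to: str      # SMTP envelope recipient (RCPT TO)
    header_from: str  # message header From:, which bounce generation never consults
    body: str


@dataclass
class Outcome:
    final_code: int                                # reply C's server gave at end of DATA
    delivered: bool                                # did the message reach C's mailbox?
    notified: list = field(default_factory=list)   # addresses that receive a non-delivery notice


def looks_like_spam(msg: Envelope) -> bool:
    # Deliberately naive classifier (constructed); the point is SMTP behaviour, not detection.
    return "buy now" in msg.body.lower()


def final_server(msg: Envelope, policy: Policy):
    """C's server. Returns (smtp_code, delivered, ndn_target_or_None)."""
    if not looks_like_spam(msg):
        return 250, True, None
    if policy is Policy.REJECT_IN_SMTP:
        return 550, False, None           # permanent failure: the peer must generate the DSN
    if policy is Policy.ACCEPT_THEN_DROP:
        return 250, False, None           # took responsibility, then dropped: nobody learns
    # CLIENT_FILTER_NDN: server accepted; the client-side filter notifies the envelope sender itself
    return 250, False, msg.mail_from


def relay(msg: Envelope, downstream, policy: Policy) -> Outcome:
    """A's forwarder. It already answered 250 to B's MTA, so on a downstream 5xx
    it must generate the DSN, and that DSN goes to the envelope sender it relayed."""
    code, delivered, ndn_target = downstream(msg, policy)
    notified = []
    if 500 <= code < 600:
        notified.append(msg.mail_from)    # B if A preserved MAIL FROM, A's own address if it rewrote it
    if ndn_target:
        notified.append(ndn_target)
    return Outcome(code, delivered, notified)


def forward_then_deliver(msg: Envelope, policy: Policy, rewrite_envelope_to=None) -> Outcome:
    """B -> A (forwarder) -> C. A classic .forward keeps MAIL FROM = B; pass
    rewrite_envelope_to to model a forwarder that substitutes its own address (hypothetical knob)."""
    forwarded = Envelope(
        mail_from=rewrite_envelope_to or msg.mail_from,
        rcpt_to="c@example.net",          # constructed: A's alias expands to C's real address
        header_from=msg.header_from,
        body=msg.body,
    )
    return relay(forwarded, final_server, policy)


# Constructed sample message from B addressed to A's forwarding alias.
SPAM = Envelope("b@example.org", "alias@example.com", "B <b@example.org>", "BUY NOW, cheap stuff")
HAM = Envelope("b@example.org", "alias@example.com", "B <b@example.org>", "Minutes from Friday")

if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, forward_then_deliver(SPAM, policy))
    print("forwarder rewrites envelope:",
          forward_then_deliver(SPAM, Policy.REJECT_IN_SMTP, rewrite_envelope_to="forwarder@example.com"))
```

Running the three policies side by side makes the thread's point concrete: only the in-transaction 5xx and the client-side NDN leave a trace for the envelope sender, accept-then-drop notifies nobody, and the bounce lands on A instead of B exactly when A's forwarder has replaced the envelope sender.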