Date: Thu, 7 Feb 2008 10:31:25 -0500
From: Chris 'Chipper' Chiapusio <chipper@...mas.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: What makes Yahoo! a good merger candidate?

On Wed, Feb 06, 2008 at 11:40:06AM -0600, Paul Schmehl wrote:
>
>They're also the first mail server I've ever connected to that won't accept 
>user@...ain.tld and insists on <user@...ain.tld> instead.  So, I'm not 
>surprised to find that they 250 everything you type in.
>
>I guess RFCs are even more meaningless now than they always have been.   :-(

Please review http://www.faqs.org/rfcs/rfc2821.html to fully understand a
modern SMTP transaction; I've included the appropriate excerpts for this
thread:


3.3 Mail Transactions
[...]
    The first step in the procedure is the MAIL command.

       MAIL FROM:<reverse-path> [SP <mail-parameters> ] <CRLF>

    This command tells the SMTP-receiver that a new mail transaction is
    starting and to reset all its state tables and buffers, including any
    recipients or mail data.  The <reverse-path> portion of the first or
    only argument contains the source mailbox (between "<" and ">"
    brackets), which can be used to report errors (see section 4.2 for a
    discussion of error reporting).
[...]
    However, in practice, some servers do not perform recipient
    verification until after the message text is received.  These servers
    SHOULD treat a failure for one or more recipients as a "subsequent
    failure" and return a mail message as discussed in section 6.  Using
    a "550 mailbox not found" (or equivalent) reply code after the data
    are accepted makes it difficult or impossible for the client to
    determine which recipients failed.


Tell us again how Yahoo is not adhering to the RFCs.  While quoting RFCs to
this list is fairly lo-tech, people really should check facts before making
a blatantly foolish statement about one of the largest email providers in
the world.  Strict adherence to RFC is the first and simplest step in
fighting spam.

>Who knew.

Indeed.
>
>-- 
>Paul Schmehl (pauls@...allas.edu)
>Senior Information Security Analyst
>The University of Texas at Dallas
>http://www.utdallas.edu/ir/security/
>

Chris 'Chip' Chiapusio

-- 
------
				**** Warning ****
This e-mail message, without warrant or warning, and despite US law as set
forth in the Foreign Intelligence Surveillance Act of 1978, may be subject
to monitoring by the United States National Security Agency and/or the
Department of Defense. Information contained in this message may be used
against any senders or recipients, now or in the future, in a public trial
or secret tribunal.
                       Please encrypt anything important.
    PGP Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x6CFA486D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
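
The MAIL syntax quoted from section 3.3 in the message above, as a strict receiver-side check. This is an added example, not part of the original post or of any mail server's code; `parse_mail_command`, the simplified mailbox pattern and the sample lines are assumptions made for illustration.

```python
import re

# Simplified Mailbox (local-part "@" domain). Assumption: quoted local parts,
# address literals and source routes from the full grammar are not handled.
_MAILBOX = (r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
            r"@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")

# MAIL FROM:<reverse-path> [SP <mail-parameters>] <CRLF>
# The path must sit between "<" and ">"; "<>" is the null reverse-path.
_MAIL_RE = re.compile(
    r"MAIL FROM:<(?P<path>|" + _MAILBOX + r")>"
    r"(?: (?P<params>\S[^\r\n]*))?\r\n\Z",
    re.IGNORECASE,
)


def parse_mail_command(line):
    """Return (reply_code, reverse_path, params) for one MAIL command line.

    250 means the line matches the quoted syntax; 501 is the syntax-error
    reply for anything else, including a bare, unbracketed address.
    """
    m = _MAIL_RE.match(line)
    if m is None:
        return (501, None, None)
    return (250, m.group("path"), m.group("params"))


# Constructed sample lines, not captured from any real server.
SAMPLES = [
    "MAIL FROM:<user@example.com>\r\n",            # bracketed path
    "MAIL FROM:user@example.com\r\n",              # bare address, no brackets
    "MAIL FROM:<>\r\n",                            # null reverse-path
    "mail from:<user@example.com> SIZE=1024\r\n",  # verb case, one parameter
    "MAIL FROM: <user@example.com>\r\n",           # space after the colon
]


def check_samples():
    """Reply code this strict parser gives to each constructed sample."""
    return [parse_mail_command(s)[0] for s in SAMPLES]


if __name__ == "__main__":
    for sample, code in zip(SAMPLES, check_samples()):
        print(code, repr(sample))
```
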
