Bug 28037 - (security) current QMail setup allows a kind of relaying
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High major
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-06 03:27 UTC by Julien Cayzac
Modified: 2003-09-23 21:05 UTC

See Also:
Package list:
Runtime testing required: ---


Description Julien Cayzac 2003-09-06 03:27:26 UTC
Gentoo's QMail package currently accepts non-existent users, i.e., when connected
to an SMTP server which is running QMail on a Gentoo box, the following is not
rejected with an error 550:
RCPT TO:<non-existent-mail@mydomain.org>
Malicious users can set up the Return-Path: field of their mail envelope so
that when the MAILER-DAEMON bounces (because QMail finally realizes no such user
exists, when it's too late) it spams a real e-mail address.


Reproducible: Always
Steps to Reproduce:
1. telnet somesmtpbox.domain.com 25
2. HELO spam.com
3. MAIL FROM:<poor.victim@otherdomain.com>
4. RCPT TO:<non-existent-user@somesmtpbox.domain.com>
5. ...


Actual Results:  
The poor victim gets spammed, domain.com's mailbox is full of bounces which
failed in case the victim's e-mail address was wrong, and eventually
domain.com's admin can have some serious problems if the victims get bored.



The solution: applying the badrcptto patch. See http://patch.be/qmail/
Comment 1 Robin Johnson 2003-09-06 14:53:23 UTC
The latest badrcptto patch is here:
http://sys.pro.br/files/badrcptto-morebadrcptto-accdias.diff.bz2
and should be in -r12 of qmail when I do the rediffing needed.

badrcptto is also not a proper solution to the problem, as it would require you
to list each non-existent-user@somesmtpbox.domain.com in badrcptto.

Now you get a spammer trying random combinations for 'non-existent-user' and that file becomes huge.
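The description and comment 1 together describe two things: accepting an unknown recipient at RCPT TO and bouncing later turns a forged MAIL FROM into backscatter aimed at a third party, and a denylist of bad recipients (badrcptto) cannot keep up with random local parts. The model below is an added example, not code from this bug report, from qmail or from the badrcptto patch; the mailbox allowlist, the denylist contents, the reply texts and the function names are all constructed assumptions. It simulates the RCPT TO decision under three policies and counts how many bounces a forged sender would receive, showing why validating the recipient at envelope time (an allowlist of valid users) stops backscatter where a denylist does not.

```python
"""Model of RCPT TO handling under three policies, as an added example (not
code from bug 28037, qmail or badrcptto).  Every mailbox, domain, probe
address and reply string below is constructed for the simulation."""

import random
import string
from dataclasses import dataclass
from typing import List, Optional

LOCAL_DOMAIN = "somesmtpbox.domain.com"                     # constructed, mirrors the report
VALID_USERS = {"alice", "bob", "postmaster"}                 # constructed allowlist (validrcptto)
BADRCPTTO = {"non-existent-user@somesmtpbox.domain.com"}    # constructed denylist (badrcptto)


@dataclass
class Outcome:
    rcpt_reply: str                  # reply the SMTP client sees at RCPT TO
    bounce_to: Optional[str] = None  # where a later bounce (DSN) would be sent, if any


def _local_part(rcpt: str) -> str:
    return rcpt.split("@", 1)[0].lower()


def _domain(rcpt: str) -> str:
    return rcpt.split("@", 1)[1].lower()


def rcpt_to(policy: str, mail_from: str, rcpt: str) -> Outcome:
    """Decide the RCPT TO reply under one policy:
    'accept-all'  : accept any local recipient, discover non-existence at delivery
    'badrcptto'   : reject only recipients present in the denylist
    'validrcptto' : reject any recipient whose local part is not in the allowlist
    """
    if _domain(rcpt) != LOCAL_DOMAIN:
        # Not a local domain: classic open-relay check, rejected at envelope time.
        return Outcome("550 relaying denied")
    if policy == "badrcptto" and rcpt.lower() in BADRCPTTO:
        return Outcome("550 no mailbox here by that name")
    known = _local_part(rcpt) in VALID_USERS
    if policy == "validrcptto" and not known:
        return Outcome("550 no mailbox here by that name")
    if known:
        return Outcome("250 ok")
    # Accepted at envelope time although the user does not exist: delivery
    # fails later and a bounce goes to MAIL FROM.  With a forged MAIL FROM
    # that bounce is the backscatter the report describes.
    return Outcome("250 ok", bounce_to=mail_from)


def probe_attempts(n: int, seed: int = 1) -> List[str]:
    """Constructed RCPT TO probes: the one listed bad name plus random
    8-letter local parts (none of which can match the 3- or 10-letter
    allowlist entries), mirroring the 'random combinations' in comment 1."""
    rng = random.Random(seed)
    names = ["non-existent-user"] + [
        "".join(rng.choices(string.ascii_lowercase, k=8)) for _ in range(n - 1)
    ]
    return [f"{name}@{LOCAL_DOMAIN}" for name in names]


def backscatter_count(policy: str, attempts: List[str],
                      victim: str = "poor.victim@otherdomain.com") -> int:
    """Number of probes that would produce a bounce to the forged sender."""
    return sum(1 for r in attempts if rcpt_to(policy, victim, r).bounce_to == victim)


if __name__ == "__main__":
    attempts = probe_attempts(10)
    for policy in ("accept-all", "badrcptto", "validrcptto"):
        print(f"{policy:12s} bounces to victim: {backscatter_count(policy, attempts)}")
```

The denylist only removes the single name that happened to be listed; every other probe is still accepted and later bounced to the forged address, which is comment 1's objection. The allowlist rejects at RCPT TO, so no message is ever queued and no bounce exists to be misdirected. Comment 2's caveat applies to the allowlist: the lookup has to be cheap and the server has to actually know its valid recipients, which is not the case for every deployment.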
Comment 2 Robin Johnson 2003-09-23 21:05:13 UTC
OK, the patch is in -r12 now.

I also looked at the SMTP RFCs regarding your statement that error 550 should be returned for those cases.

The RFCs note that a 550 error code MAY be returned, but make no requirement on this.

The reasoning behind this is quite simple. While in the trivial case a mail server may know what accounts exist and do not exist, this does not hold true for a great many cases.

The overhead that is imposed on doing a user lookup before accepting the mail is quite unjustified in many cases, and in some cases, just impossible to implement.