Read RFC 1123, section 5.2.3. 5.2.3 VRFY and EXPN Commands: RFC-821 Section 3.3 A receiver-SMTP MUST implement VRFY and SHOULD implement EXPN (this requirement overrides RFC-821). However, there MAY be configuration information to disable VRFY and EXPN in a particular installation; this might even allow EXPN to be disabled for selected lists. A new reply code is defined for the VRFY command: 252 Cannot VRFY user (e.g., info is not local), but will take message for this user and attempt delivery. DISCUSSION: SMTP users and administrators make regular use of these commands for diagnosing mail delivery problems. With the increasing use of multi-level mailing list expansion (sometimes more than two levels), EXPN has been increasingly important for diagnosing inadvertent mail loops. On the other hand, some feel that EXPN represents a significant privacy, and perhaps even a security, exposure. VRFY is hardly an "incorrect SMTP command."
Your reasoning as to why its responses to incorrect SMTP commands constitutes evidence that the .TO domain is "negligent", "mismanaged" and "an attractive resource for criminal activities" is ironically incorrect. In fact, having an *unsecured* port 25 open to mail relaying would be negligent.
Best regards,
- Eric Gullichsen Tonic Corporation Kingdom of Tonga Network Information Center http://www.tonic.to Email: egullich@tonic.to