On Jan 07 2005, Michael Kaplan wrote:
To once again clarify how erroneous bounces will be filtered: Any
email system that allows a user to generate a white list will be
able to readily generate a 'bounce white list' composed of all
addresses that the user had sent mail to within the past few hours.
The bounces generated by my system will be identified as bounces by
a universally recognized tag. The user will only see the bounces
that are contained on the bounce white list.
The mail transport system will see, store, and analyse all the bounce
traffic regardless. Who are the beneficiaries? Individual mail
users. Who are affected indifferently or negatively? ISPs, admins,
software developers intending support. Who is in a position to
implement the proposal? The latter group. Who does need convincing?
I believe that this human interaction is as limited and as
non-disruptive as it can possibly be while still maintaining an
extreme degree of efficacy. A solution that provides similar
efficacy while requiring zero human interaction would be far
superior, but this "solution" just doesn't seem to exist.
What are the prospects for user-side automation?
If X sends out a weekly newsletter to thousands of people, most of
whom use your system, then X receives thousands of bounce messages
back, requiring individual CAPTCHA decoding, followed by individual
resending of the message, does it not?
Anyway the world would be a better place if a standard was adopted
so that every bounce-like message (such as my system, traditional
C/R systems, vacation messages) came with a universally recognized
tag. Then my bounce white list filtering system would prevent
everyone from getting any kind of erroneous bounce.
Emails are sent through SMTP servers in the clear.
How does your system fare against snooping attacks, wherein any
relevant information such as sender + receiver's email addresses are
routinely harvested from archives, hacked and proxied servers, and
spyware infested computers, and fake bounces are sent back to each
identified sender, containing a spamvertizement? These fake bounces
are always whitelisted, are they not?
What is the effect of harvesting correct subaddresses by searching for
the replies to the CAPTCHA bounces, wherein the correct subaddress is
visible in the clear?
What is the effect of bouncing the CAPTCHA bounce back to the CAPTCHA
bouncing recipient, with or without another CAPTCHA attached?
-- Laird Breyer.
Asrg mailing list