spf-discuss

Re: Input via the web site submission form - Just wanted to say something positive

2005-07-21 08:05:30
On Thu, 21 Jul 2005, Daniel Taylor wrote:

This is a large part of the benefit that we see from SPF at VocaLabs.

Though it is really annoying when some people (rr.net) send you
DSN bounce messages (rr.net) for messages that fail SPF on your
domain because they were originated by a virus factory on their
(rr.net) domain. So determined are they to get the mail through,
that our admin accounts get several of these a day, apparently
bounced multiple times by the degree of nesting involved.

Simply unbelievable. If I've told them the message isn't
from me, I obviously don't care if they couldn't deliver it.

It is not the system checking SPF sending the DSNs, but the
system connecting to it.  It should send the DSN, because you
may be a naive user trying to forge your own domain on the rr.net system,
or have a mistake in your SPF record.  And even if they wanted to,
the connecting system has no way to distinguish SPF rejects from
other kinds of rejects (new SMTP error code?)

If your system implements SES (or SRS in sign everything mode),
then it is easy to ignore all the forged bounces and bounces of forgeries.

The remaining problem is RFC ignorant systems that send replies rather than
DSNs - grrrr, the biggest culprit being virus scanners.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
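
The "sign everything" idea from the message above, as an added example that is not part of the original post and is not the SES or SRS address format: every outgoing envelope sender carries a keyed, dated tag, and a DSN (null reverse-path) is accepted only if its recipient carries a valid tag. The `sig=DDD=TAG=local` layout, `SECRET`, `MAX_AGE_DAYS` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept off the wire
MAX_AGE_DAYS = 7                  # assumption: how long a bounce may lag the send


def _day(now):
    # Day counter modulo 1000, so the timestamp stays three digits long.
    return int((time.time() if now is None else now) // 86400) % 1000


def _tag(local, domain, day):
    # Truncated HMAC over the day and the original address.
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def sign_sender(address, now=None):
    """Rewrite user@domain into the signed envelope sender for outgoing mail."""
    local, domain = address.rsplit("@", 1)
    day = _day(now)
    return f"sig={day:03d}={_tag(local, domain, day)}={local}@{domain}"


def check_bounce(mail_from, rcpt_to, now=None):
    """Decide 'accept' or 'reject' for one RCPT TO at SMTP time."""
    if mail_from != "":
        return "accept"            # not a DSN; ordinary mail is out of scope here
    if not rcpt_to.isascii():
        return "reject"
    local, _, domain = rcpt_to.rpartition("@")
    parts = local.split("=", 3)    # the original local part may itself contain '='
    if len(parts) != 4 or parts[0] != "sig" or not parts[1].isdigit():
        return "reject"            # bounce for mail this site never signed
    day = int(parts[1])
    if (_day(now) - day) % 1000 > MAX_AGE_DAYS:
        return "reject"            # tag expired, or dated in the future
    if not hmac.compare_digest(parts[2], _tag(parts[3], domain, day)):
        return "reject"            # tag does not match address and day
    return "accept"
```

A bounce of a forgery arrives addressed to the plain, unsigned address, so it fails the check without the receiving side needing to know why the original message was rejected.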