ietf-822

I-D on automatic responses

2002-06-04 13:25:46

If we have consensus on this, it'd be nice to do an I-D on it.  How to
do Vacation correctly comes up about once a year.

Okay, how about an I-D on automatic responses to email?  

offhand, seems like it should discuss the following:

I. Introduction
  - discuss the need to specify recommendations for behavior 
    of automatic responses - e.g.
    avoid sending useless/unwanted responses 
    avoid sending responses to the "wrong place"
    avoid mail loops and sorcerer's apprentice syndrome   

II. Types of automatic responses
  - distinguish between automatic responses and DSNs and MDNs
    (which are covered elsewhere)

  - distinguish between mail robots whose response is anticipated
    by the sender (sender sends to that address knowing that it will
    automatically respond), vs. mail robots that respond on behalf
    of a human recipient:
    
  - mention a few different kinds of automatic responses -
    - mail robots that accept requests from humans and send back responses
      (e.g. subscribe to a list, retrieve a file, 
       convert this fortran program to c)
    - out-of-office notices (that don't reply to every message)
    - use of email to communicate between two applications
    - anti-spam responses (e.g. you must reply showing signs of 
      intelligent life before I'll read your previous message)
    - virus scanners

III. Format of automatic responses
    - envelope return address (avoid loops!)
    - headers (to, from, subject, auto-submitted)
    - content (should probably limit size, content to limit
      DoS attack potential - e.g. should not allow sender to
      use the responder as a relay for viruses)

IV. When to send automatic responses

    general: care should be taken to avoid sending needless or
    redundant responses

    examples:

    - mail robots that accept requests and issue responses
        - presumably, one response for each request
    - out-of-office notices 
        - avoid sending multiple responses within N days
        - avoid sending responses unless recipient is in to/cc/bcc field
    - communication between applications
    - anti-spam responses
        - should not be issued for each message sent  
    - virus scanners - only the first time a sender sends a virus

V. Where to send automatic responses

   return-path header field.  if it's not valid, don't respond!

   if no return-path header field, *your* mail system is broken.  fix it.

   why use of other fields is generally a bad idea:

   - reply-to - sender sets reply-to based on the *anticipated*
        response of a human recipient to the content of a message,
        automatic response probably doesn't qualify.
        sometimes reply-to goes (directly or indirectly)
        to large #s of people - responder should not assume
        they all want the response.
   - from - indicates the person/persons on whose behalf the message
        is sent - doesn't necessarily mean they want to see replies.
        a human may redirect manual/personal replies using reply-to,
        automatic replies should still not go to from.
   - sender - not really intended for replies, not guaranteed to be
        valid - often misused by setting to list address
   - to and cc - responder should not assume that other recipients
        of the subject message need to see response.

   also, any address in the to, cc, from, reply-to field might be
   the address of a list for good and valid reasons - return-path
   is the only address which is intended to receive automatic responses,
   and it's reasonable to expect the sender to set that address
   correctly (in SMTP MAIL FROM)


VI. security considerations
        - DoS attack through mail loops
        - DoS attack through large #s of requests
        - DoS attack by using responder to flood large #s of mailboxes
        - attack by using responder to relay harmful/abusive content
        - requests by unauthorized parties

anything else?

Keith
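The "when" and "where" rules of sections III-V above, written out as the decision logic of an out-of-office responder. This is an added illustration, not code from the list or from the later RFC: the 7-day window, the 2000-byte body cap, the mailbox and sender addresses are constructed assumptions, and two points go slightly beyond the outline as generalizations of its "avoid loops" advice, namely refusing to answer a message that itself carries Auto-Submitted, and sending the notice with a null envelope sender (MAIL FROM:<>).

```python
"""Out-of-office responder decision logic (added example, not the list's
or any RFC's own code).

Rules implemented from the outline:
  - respond only to the Return-Path address; a null <> path gets nothing,
    and a missing Return-Path is reported as a broken local mail system
  - respond only when the local mailbox is named in To/Cc/Bcc
  - at most one notice per sender within N_DAYS
  - the notice carries Auto-Submitted, a capped body, and goes out with a
    null envelope sender so nothing can auto-answer it in turn
"""
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import getaddresses, parseaddr

N_DAYS = 7              # assumption: one notice per sender per week
MAX_BODY_BYTES = 2000   # assumption: cap so the responder cannot relay bulk content
MY_ADDRESS = "me@example.com"  # constructed local mailbox


def envelope_sender(msg: Message):
    """Address from Return-Path: None if the header is absent, "" for the
    null path <>, otherwise the bare address."""
    raw = msg.get("Return-Path")
    if raw is None:
        return None
    return parseaddr(raw)[1]


def locally_addressed(msg: Message, me: str) -> bool:
    """True when `me` is an explicit recipient; a list post or a message
    that only reached us via an alias does not qualify for a notice."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return me.lower() in {addr.lower() for _, addr in getaddresses(headers)}


def should_respond(msg: Message, me: str, last_sent: dict, now: datetime):
    """Return (ok, detail): detail is the sender address when ok, else the
    reason for staying silent. `last_sent` maps sender -> datetime of the
    previous notice."""
    # A message that is itself automatic must never get an automatic answer.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "incoming message is auto-submitted"
    sender = envelope_sender(msg)
    if sender is None:
        return False, "no Return-Path header: the local MTA is broken"
    if sender == "":
        return False, "null Return-Path <>"
    if not locally_addressed(msg, me):
        return False, "recipient not in To/Cc/Bcc"
    last = last_sent.get(sender.lower())
    if last is not None and now - last < timedelta(days=N_DAYS):
        return False, f"already notified within {N_DAYS} days"
    return True, sender


def build_response(original: Message, me: str, body: str):
    """Return (envelope_from, message). The envelope sender is the null
    path, so a bounce or another responder cannot reply to the notice."""
    reply = EmailMessage()
    reply["From"] = me
    reply["To"] = envelope_sender(original)
    reply["Subject"] = "Auto: " + original.get("Subject", "")
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(body[:MAX_BODY_BYTES])
    return "", reply


def _msg(headers: str) -> Message:
    return message_from_string(headers + "\n\nbody\n")


# Constructed sample messages, one per rule.
SAMPLES = {
    "plain": _msg("Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
                  "To: me@example.com\nSubject: hi"),
    "auto": _msg("Return-Path: <robot@example.org>\nFrom: robot@example.org\n"
                 "To: me@example.com\nAuto-Submitted: auto-replied\nSubject: Out of office"),
    "null": _msg("Return-Path: <>\nFrom: mailer-daemon@example.org\n"
                 "To: me@example.com\nSubject: Undelivered"),
    "list": _msg("Return-Path: <bob@example.org>\nFrom: bob@example.org\n"
                 "To: ietf-822@example.net\nSubject: list post"),
    "nopath": _msg("From: carol@example.org\nTo: me@example.com\nSubject: no return path"),
}


def run_samples(last_sent=None, now=datetime(2002, 6, 4, 13, 25)):
    """Decide every sample against an (initially empty) notice history."""
    return {name: should_respond(m, MY_ADDRESS, last_sent or {}, now)
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detail) in run_samples().items():
        print(f"{name:7s} -> {'respond to ' + detail if ok else 'skip: ' + detail}")
```

Only the "plain" sample earns a notice; feeding the same sender back in with a history entry three days old suppresses it, and an entry older than N_DAYS lets it through again. The responder hands the MTA an empty envelope sender together with the message, which is the "avoid loops!" point of section III applied to the response itself.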
