From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
spam messages have valid MAIL FROM's. That means that bounces will
go the the spammer. This has significant ramifications for C/R
systems (especially auto-respond ones) since it means that should
they have to, spammers could respond to challenges.
I believe that we mentioned before, that if the sender's system supports
C/R and keeps track of all outgoing messages, then it can compare the
X-CR-Recipient: header against the list of email addresses this user send
email to. This avoids the problem of spammers using a real email address
for the FROM addresses. However, if the spammers themselves are operating
the mail servers there is nothing we can do but at the last we would know
where the email came from and we can track it down.
If spammers have valid return addresses, then what distinguishes challenges
of their mail or their responses from the same for anyone else?
Are you assuming that legitimate mail comes only the system named
by the sender domain? That restriction is similar to but stronger
than the basic RMX assumption.
Are you expecting not only that distant users will respond to challenges,
but that their ISPs will modify their MTAs to maintain databases of
all addresses to which their users have sent mail? If so, that
seems...implausible.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg