ietf-mailsig

Re: at last: draft-levine-mass-batv-00

2004-09-07 08:50:41

And I think that things that don't include any of the text
should be treated like... a fresh message. Which means that
the vacation program owner should sign its messages. Since
it's not relaying potentially spamful text, I don't see how
this rises to the level of the bounce reflection attack
which takes advantage of that property.

The problem with bounce blowback isn't that the bounces are forged,
because they're not.  They're real bounces (or vacation messages or
whatever) responding to bogus messages.  The point of BATV is to detect
that the real vacation message is a response to a bogus original.

The problem with blowback isn't that the individual messages are
dangerous.  It's that there's so many of them.  On a particularly bad day
I've gotten 300,000 bounces due to spam with forged abuse.net addresses.
Now it's down to about 5000 a day, but that's still 10% of my incoming
mail on that server, so it's quite useful to be able to detect and reject
that much useless mail with essentially no false positives.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
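
The check described in the message above, as an added Python example that is not part of the original post: outgoing envelope senders get a keyed, expiring tag, and mail arriving with the null sender (a bounce or auto-reply) is accepted only if its recipient carries a valid tag. The `tag=` layout, the key, the lifetime and the function names are assumptions made for illustration, not the wire format defined in the draft.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site signing secret
LIFETIME_DAYS = 7                 # assumption: how long a tag stays valid


def _mac(expiry_day: int, addr: str) -> str:
    """Short keyed digest over the expiry day and the untagged address."""
    msg = f"{expiry_day}:{addr}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def sign_sender(addr: str, today: int) -> str:
    """Tag the envelope sender of an outgoing message (today = day number)."""
    expiry = today + LIFETIME_DAYS
    return f"tag={expiry}-{_mac(expiry, addr)}={addr}"


def accept_rcpt(mail_from: str, rcpt_to: str, today: int) -> bool:
    """Decide at RCPT time whether to accept a recipient.

    Ordinary mail (non-null sender) is not affected. A message with the null
    sender claims to answer something we sent, so its recipient must be an
    envelope sender we actually signed, and the tag must not have expired.
    """
    if mail_from != "":
        return True
    try:
        prefix, stamp, addr = rcpt_to.split("=", 2)
        expiry_text, mac = stamp.split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False  # untagged or malformed: a reply to mail we never sent
    if prefix != "tag":
        return False
    good = hmac.compare_digest(mac.encode(), _mac(expiry, addr).encode())
    return good and today <= expiry


if __name__ == "__main__":
    day = 12669  # constructed day number
    signed = sign_sender("user@example.com", day)
    # Constructed traffic: (envelope sender, envelope recipient)
    for mail_from, rcpt in [("", signed),                       # bounce of real mail
                            ("", "user@example.com"),           # blowback from a forgery
                            ("friend@example.net", "user@example.com")]:
        print(repr(mail_from), rcpt, "->", accept_rcpt(mail_from, rcpt, day))
```

The genuine bounce is accepted because only the real sending system could have produced the tag; the blowback is rejected without looking at the message body at all.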

