I have two comments on the security considerations section:
Sending out an automated reply with "Re: " and the subject is dangerous.
Many mailing lists verify the mail address by sending a mail with a key
in the subject. Simply replying to such a mail confirms you want to
subscribe to it. If people use vacation, it is easy to subscribe them
to a spam list and prove that it *is* opt-in by keeping the confirmation
and throwing away the original faked subscription request.

Mail systems should be allowed to bypass the time if the database to
remember senders becomes too large. I suggest allowing the implementation
to expire entries if the number of different senders becomes too big.
The draft could set a minimum database size. Say 100 or 1000 different
senders must be remembered, but implementations may store more.

As I noticed, the draft is expired. Any plans to bring it back?

Michael
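
One way to implement the bounded sender database suggested in the second comment, as an added example that is not part of the original message or of the draft. The class name, the 100-entry floor and the 7-day interval are assumptions chosen for illustration.

```python
from collections import OrderedDict

MIN_CAPACITY = 100  # assumed floor, following the "say 100 or 1000" suggestion


class SenderCache:
    """Remembers who already got a vacation reply, with a bounded size."""

    def __init__(self, capacity=MIN_CAPACITY, interval=7 * 86400):
        if capacity < MIN_CAPACITY:
            raise ValueError("capacity below the required minimum")
        self.capacity = capacity
        self.interval = interval      # seconds between replies to one sender
        self._seen = OrderedDict()    # address -> time of reply, oldest first

    def should_reply(self, sender, now):
        """Return True and record the sender if a reply may be sent at `now`.

        `now` is assumed to be non-decreasing across calls, so insertion
        order equals timestamp order.
        """
        key = sender.strip().lower()  # simplification: case-folds the local part
        # Drop entries whose interval has passed; they no longer block a reply.
        while self._seen:
            oldest, stamp = next(iter(self._seen.items()))
            if now - stamp < self.interval:
                break
            del self._seen[oldest]
        if key in self._seen:
            return False              # replied within the interval: stay silent
        self._seen[key] = now
        # Too many distinct senders: forget the oldest early. The cost is that
        # a forgotten sender can receive a second reply inside the interval.
        while len(self._seen) > self.capacity:
            self._seen.popitem(last=False)
        return True


def demo():
    """Constructed senders: 100 new addresses push the first one out early."""
    cache = SenderCache(capacity=100)
    first = cache.should_reply("alice@example.org", now=0)
    repeat = cache.should_reply("Alice@example.org", now=3600)
    for i in range(100):
        cache.should_reply(f"user{i}@example.net", now=7200 + i)
    early = cache.should_reply("alice@example.org", now=10000)
    return first, repeat, early, len(cache._seen)
```

The early second reply to the first sender in `demo()` is the trade-off the size cap introduces: memory stays bounded, but a flood of distinct senders shortens the effective interval for everyone else.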