Michael Haardt wrote:
This is obviously a problem, but the fix is not quite obvious. The
obvious thing to do is to change the subject to whatever, but that's not
clearly the right thing to do, because it loses context of the original
message. We could specify that this happens unless a List-* header is
present or unless Auto-Submitted is not present or set to no (I have no
idea if this header was ever documented).
Neither would stop spammers saying: "We use opt-in with address
verification, and you did verify your subscription request". They won't
be stupid enough to make their newsletter system look like a regular
mailing list, because they *want* vacation responses to be sent in order
to gain subscribers.
Why would they bother claiming opt-in? It wouldn't be worth exposing
their SMTP servers to obvious attack; most people do not have a vacation
command in place most of the time; and it's easier to just lie big
instead of lie small.
I think you guys have already hashed out the court arguments on this,
but I'll note that if it's going to go to the courts, we have to assume
that they have some common sense; if we can't do that, then we can't
rely on the courts to make those decisions, and perhaps vacation just
can't be used at all.
I added verbage stating not to reply to Auto-submitted messages (wasn't
there, I was surprised), so in any case, there's an obvious fix for
mailing list managers that aren't covered by List-* headers, owner-*,
*-request, etc.
I will re-publish the draft tonight.
Tim