ietf-mxcomp

RE: plan for april 5th xmpp conference...

2004-03-27 13:09:59

Greeting card sites, "refer a friend" sites and the like can still be
accountable, at least for themselves if not for those who use the site.

To a point, there is still a problem with any gateway that
allows unaccountable parties to generate unsolicited mail.

It is not an insurmountable problem, but it is going to mean
that these sites need to do some work to control abusive
uses, like attempts to co-opt them in DDoS attacks.

It might be a stretch to assume that such enterprises will wish to be
accountable,

They want their mail to get through. It's like taxes, nobody thinks
they are great in themselves, but without them no government is 
possible.

Based on that, if they can use their own identity in RFC2821 MAIL FROM or
HELO or both, I won't mind if the RFC2822 From line is different.  As was
pointed out by many people myself included, mailing lists do this already
and many of us believe this behaviour is still possible with a scheme
developed here.

That seems OK to me, provided that there is a clear indication in
the message itself that tells the recipient why it was sent.

I want to be able to do filtering at both the MTA and MUA level.
The MTA checking is simply the first cut used to decide whether
I am even going to accept the bits. Not accepting the bits is
very important because some of my customers are required to keep
all inbound and outbound communications. Some are storing several 
Tb of spam per week.

But what can be done at the edge is limited; it is very difficult
to prevent phishing scams and other spam launched from zombies.
A person controlling 1000 zombies can probably send out a million
spam phishing attacks even with outbound rate limiting in effect.

That is why it is necessary to make a second pass after the message
body has been accepted.

People are still going to have virus scanners etc. installed.

                Phill