On Thu, Aug 19, 2004 at 07:08:42PM +0100, Roy Badami wrote:
|
| Really? draft-mengwong-spf-01 permits rejection of a message with a
| 550 reply code if the SPF check fails, and that's what most
| implementations seem to do.
|
| If you reject an SMTP transaction due to an SPF failure, then the
| up-stream MTA is likely to generate a bounce to a forged address.
1) If the sender is an MTA sending on behalf of a legitimate
sender, then the rejection is, in spirit, a false positive.
The rejection is a good thing because it informs the
legitimate sender that their message didn't get through.
2) If the SMTP sender is a virus, then the rejection does not
cause a nondelivery notification, and there is no problem.
3) If the sender is an MTA sending on behalf of a virus, the
nondelivery notification is generated by that MTA, and it's
the fault of that MTA for being gullible. If the message
had been rejected for some reason other than SPF, for
example due to over-quota at final delivery, the forged
sender gets backscatter anyway.
| As far as I can see, all MARID schemes are likely to increase
| backscatter. In fact, anything that causes more mail to be SMTP
| rejected will increase backscatter.
Scenarios 1 and 2 are desirable.
Scenario 3 is no worse than the current situation.
Scenario 4 is avoided: the SMTP sender is a virus, the
receiving MTA accepts the message, and sends a message to
a bogus return path.
The benefit from stopping 4, plus the benefits of 1 and 2,
are worth the costs of 3, which is net no worse than the
"priors" anyway.
Therefore a scheme which checks mail-from is not proven to
increase backscatter, and it is not true that anything that
causes more mail to be SMTP rejected will increase
backscatter.
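Added illustration (not part of the thread, and not anyone's production
code): a small Python model of the scenarios argued above. It assumes
two receiver policies, rejecting with 550 during the SMTP session versus
accepting and failing later, and two kinds of SMTP client, a real MTA
that turns a 550 into a DSN to the return path, and malware that ignores
it. The "scenario 4" of the reply is what the model's scenario 2 becomes
under the accept-then-fail policy. Scenario names and the policy strings
are constructed for this example.

```python
"""Toy model of where non-delivery notifications (DSNs) end up when an MTA
rejects mail in the SMTP session versus accepting it and bouncing later.

Constructed example, not code from the mailing-list thread; the scenario
names follow the numbered cases in the reply above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    smtp_sender: str          # "mta" or "virus": what is speaking SMTP to us
    forged_return_path: bool  # is MAIL FROM a forged (innocent) address?


# Constructed scenarios mirroring the cases discussed in the thread.
SCENARIOS = (
    Scenario("1: MTA relaying a legitimate sender", "mta", False),
    Scenario("2: virus speaking SMTP directly", "virus", True),
    Scenario("3: MTA relaying a virus", "mta", True),
)


def receive(scenario: Scenario, policy: str) -> dict:
    """Simulate one SMTP transaction under a receiver policy.

    policy == "reject_at_smtp": the receiver answers 550 (e.g. on an SPF
        failure) before taking responsibility for the message.
    policy == "accept_then_fail": the receiver accepts the message and a
        later failure (e.g. over-quota at delivery) forces it to emit a DSN.
    Returns who (if anyone) generates a DSN and whether that DSN lands on
    a forged address, i.e. counts as backscatter.
    """
    if policy == "reject_at_smtp":
        # A 550 in-session means we never queued the message, so we never
        # originate a DSN.  What happens next depends on the SMTP client.
        if scenario.smtp_sender == "virus":
            dsn_by = None             # malware ignores the rejection
        else:
            dsn_by = "upstream_mta"   # a real MTA bounces to MAIL FROM
    elif policy == "accept_then_fail":
        # Having accepted, the receiver must notify the return path itself.
        dsn_by = "receiving_mta"
    else:
        raise ValueError(f"unknown policy {policy!r}")

    return {
        "scenario": scenario.name,
        "dsn_generated_by": dsn_by,
        "backscatter": dsn_by is not None and scenario.forged_return_path,
    }


def backscatter_sources(policy: str) -> list:
    """Names of scenarios that send a DSN to a forged address under policy."""
    return [r["scenario"] for r in (receive(s, policy) for s in SCENARIOS)
            if r["backscatter"]]


if __name__ == "__main__":
    for policy in ("reject_at_smtp", "accept_then_fail"):
        print(policy)
        for s in SCENARIOS:
            print("  ", receive(s, policy))
```

Running it shows the point of the reply: with in-session rejection the
only backscatter source left is the gullible relaying MTA (scenario 3),
which would bounce on any 550 anyway, while accept-then-fail adds the
receiver's own DSN to the virus's forged return path.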