ietf-mxcomp

RE: DEPLOY: Legal liability for creating bounces from forged messages

2004-08-26 13:12:31

Regarding silently discarding messages, Chris Haynes writes:

Actually I was advocating (2) [silent discard] - but only
in the special case when the Mail-From entity has declined
responsibility for the message by causing a test 'fail'. 

In other words, Chris believes that it's OK to silently discard mail
when you believe the bounce address is forged, but not when the PRA is
forged.

I submit that, as a matter of practice, people who forge one also forge
the other.  Also as a matter of practice, checking the PRA will produce
fewer false rejections than checking the bounce address will.

Chris also disputes that there is any legal basis for silently
discarding mail at all.  He's right that RFC 2821 requires that every
message be delivered, rejected or bounced.

However, see draft-zinn-smtp-bounces-01, which explicitly authorizes
silent discards. (I know, it's not a standard.  Yet.)  See also RFC
3834, which deals with automated responses in general (including
bounces) and says:

   -  A responder MAY refuse to send a response to a subject message
      which contains any header or content which makes it appear to the
      responder that a response would not be appropriate.

RFC 3834 is now a Proposed Standard.

Quoting Chris again:
You claim in (2) that the drafts give authority for MTAs to silently
discard messages. I cannot find that authority in the drafts.

In the SenderID drafts, the only requirement imposed is that if an MTA
performs SenderID tests during a mail transaction and the test fails, it
SHOULD reject the message.  This leaves open two possibilities for
silent discards:

1. An MTA might ignore the above SHOULD (after all, it's not MUST).
2. An MTA might perform the tests after receipt, in which case the specs
impose no requirement on what the MTA does.


-- Jim Lyon