On Thu, 26 Aug 2004 14:25:21 -0700, Jim Lyon
<jimlyon(_at_)exchange(_dot_)microsoft(_dot_)com> wrote:
Mark Shewmaker point out that if you have an SMTP transaction for which
*all* of the following are true:
1. The sender didn't use SUBMITTER, and
2. There is more than one recipient, and
3. The SenderID test fails, and
4. Your MTA implements a per-user white list for SenderID failures, and
5. At least one recipient white-listed the PRA, and
6. At least one other recipient didn't white-list the PRA, and
7. You feel it's immoral to silently discard forged mail
then you need to generate a bounce (instead of rejecting a message).
He's right. But it's such a corner case that I'm not worried. This
should be a very small fraction of the mail, and won't generate very
many bounces at all.
In my experience (which might not be typical, as I'm in a computer
science department), this case is actually fairly common. In all of
the university environments I'm familiar with, different people have
very different opinions about how they want spam filtered. It's also
the case that mail to certain addresses--especially mailing lists--is
filtered more stringently, and mail to other addresses--particularly
addresses to which users report bugs--is filtered far less
aggressively if at all (so as not to reject bug reports about mail).
Now two things:
1. A significant fraction of the spam I get seems to have been sent
to more than one user at the same host.
2. I don't think it's immoral to discard mail silently, but I think
it's highly problematic (having on occasion lost a very important
piece of mail). It might be immoral to bounce mail to a forged
address, but a lot of people do it anyway because they fear losing one
important message silently. In fact, I have to say I am guilty of
this, though I try to reject most of my mail in response to the SMTP
RCPT command, not after the fact. SPFv1 is one tool that allows me to
do this.
That said, I actually don't agree that you need to generate a bounce
when your cases 1-7 exist. The alternative, when you have multiple
recipients with different policies, is to reject all but the first
RCPT command with a 4xx error code, With typical SMTP clients, this
has the unfortunate side effect of delaying mail for some recipients
for (typically) tens of minutes. But, if we are talking about
extending RFC2821 anyway with things like SUBMITTER, one might
consider some kind of error code that means "send a separate copy of
message to this recipient immediately."
David
P.S., On a related note, I sent a detailed message from my nyu.edu
address to the list with some questions/concerns about the
implications of the MS license for projects in academia. That message
appears to have been silently discarded! Is this possible? This is
exactly why I hate silently discarded mail... I don't know whether to
try re-sending from my gmail account or not.