It's hard from the current drafts to figure out when exactly it is
appropriate to send mail to the PRA of a received mail message. I'm
guessing this is because the authors are relying on previous RFCs for
this. However, given that a lot of people are already confused by the
distinction between envelope and From: address, there is a danger that
the introduction of a third address would lead to an even larger
number of broken vacation-type programs.
I'd like to suggest that the Sender ID (or maybe the PRA or SUBMITTER)
document have somewhere a non-normative paragraph that clues people in
to how they can learn about appropriate uses of the PRA. As an
example, here are a bunch of questions whose answers are not
immediately obvious from reading Sender ID and associated drafts:
* Is it ever actually required that the PRA be a valid mailbox? Is it
legal to construct some mailbox whose domain has an SPF2 record but
not an MX or A record? I presume the answer is no, but that the
logic involves some other RFC I'm just not looking at. How would
you go about convincing an administrator this is wrong.
* I am on vacation, and receive mail which lists my own address in the
To: or CC: fields, and does not have any indications such as
"Precedence: list/bulk/junk" that it is from a mailing list. I wish
for my filter to notify the sender that I will not be responding for
a week. Should I send the notification to the MAIL-FROM address, as
I currently do, or to the PRA?
* I receive mail with an attachment that contains a virus. I wish to
configure my MUA or spam filter automatically to notify the sender
that his/her machine has a virus and the attachment has been
deleted. Should I send mail to the PRA? Can/should that mail come
from the empty envelope sender, or should/must it come from my real
email address?
* I have been erroneously subscribed to a mailing list. Should I
complain directly to the PRA? Should I attempt to form a new
address by appending "-owner" or "-request" to the local part of the
PRA? Or should I complain to an address based on the envelope
sender, as I currently would.
* I receive offensive and/or threatening mail from someone, and wish
to complain to their administrator. Should I complain to
postmaster/abuse at the domain name in the PRA, as opposed to the
domain in the From or envelope sender address?
* In order to reduce spam, I currently perform an SMTP callback on the
envelope sender of mail, ensuring that any mail I accept could have
been bounced. (This is highly effective against spam from
virus-infected machines, because many machines infected by viruses
can make outgoing TCP connections but not accept incoming ones, and
thus are forced to use other people's often invalid envelope
senders.) In case of forgery, people can block these callbacks by
using SPFv1 records. Once we have Sender ID, should I instead
perform SMTP callbacks to validate the SUBMITTER or PRA address
rather than MAIL-FROM, so as to avoid wasting bandwidth of sites
whose addresses are being forged?
David