quick comments:
1. Title is too broad. I don't think we want to try to define a complete
set of criteria for when NOT to bounce email.
2. I think it's a bit of a stretch to say that use of a false return-path
'amplifies' an attack, since the message is only bounced if it doesn't
get to the recipient.
3. I don't think it's appropriate to recommend what future RFCs should do,
since conditions will probably change before we get around to revising
those RFCs. Something will be done about the lack of authentication
in email. We don't know what it is yet. But this document is probably
a temporary fix rather than something to carve in stone.
4. Section 6 is cute, but I think it would be better to leave it out.
--
Regime change 2004 - better late than never.