On Wed, 09 Jun 2004 01:05:44 +0200, Markus Stumpf said:
> What I am missing in the draft is that the problem arises from
> two distinct types of "bounces" that need different handling:
>   1) are "real bounces" in the sense of NDN (DSN rfc1894).
>   2) are autogenerated messages from virus scanners
> Both use an empty RFC2821.MAILFROM ("<>"). However I'm not happy
> with the wording in the draft that equals empty envelope senders
> and bounce messages:
>
>     Recent viruses take advantage of bounce messages to spread. They
>     forge the "reverse path" of the messages they send. Some even
>     send fake bounce message.
>
> With that wording autoresponder messages (like vacation notifications)
> using <> as 2821.MAILFROM also send "bounces" which is IMHO not true.

ooooh... Good catch ;)

A similar situation arises with LSoft's Listserv product - it sends many of its
automated replies with MAIL FROM:<> as well. The theory is that if you get a
'subscribe' request, and you send the purported user a confirmation cookie,
there's exactly zero value in getting back a bounce for that mail saying the
purported user doesn't exist, because we'll just auto-expire that cookie in 48
hours or so anyhow...
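Added example, not part of the thread: a receiving filter can separate RFC 1894 DSNs from the other automated mail that also arrives with MAIL FROM:<> by checking the message structure rather than the envelope sender alone. The function names and both sample messages are constructed for illustration; parsing uses Python's standard `email` package.

```python
from email import message_from_string

def dsn_recipients(raw):
    """(Final-Recipient, Action, Status) per recipient; [] if not an RFC 1894 DSN."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return []
    if (msg.get_param("report-type") or "").lower() != "delivery-status":
        return []
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        blocks = part.get_payload()  # parsed as a list of header blocks
        for block in blocks if isinstance(blocks, list) else []:
            if block["Final-Recipient"]:  # skip the per-message block
                found.append((block["Final-Recipient"], block["Action"], block["Status"]))
    return found

def classify(envelope_from, raw):
    """An empty reverse-path alone does not make a message a bounce."""
    if envelope_from.strip() not in ("", "<>"):
        return "normal"
    return "dsn" if dsn_recipients(raw) else "other-automated"

# Constructed sample: a real non-delivery notification.
DSN = (
    "From: MAILER-DAEMON@mx.example.net\nTo: alice@example.org\n"
    "Subject: Undelivered mail\nMIME-Version: 1.0\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nDelivery to bob@example.com failed.\n"
    "--b1\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; mx.example.net\n\n"
    "Final-Recipient: rfc822; bob@example.com\nAction: failed\nStatus: 5.1.1\n"
    "--b1--\n"
)
# Constructed sample: a list-server confirmation sent with MAIL FROM:<>.
CONFIRM = (
    "From: listserv@lists.example.net\nTo: alice@example.org\n"
    "Subject: Confirm your subscription\n\nReply with the cookie to confirm.\n"
)

if __name__ == "__main__":
    for name, raw in (("DSN", DSN), ("CONFIRM", CONFIRM)):
        print(name, classify("<>", raw), dsn_recipients(raw))
```
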