ietf-smtp

Re: Bounce/System Notification Address Verification

2005-06-28 09:57:05
On Tue, 28 Jun 2005 11:21:02 EDT, Hector Santos said:
> If you are going to do selective quoting to nitpick and point out whatever
> you want, without reading related comments in the message and/or other
> thread fibers, then I will begin to ignore your replies.

It is generally considered good e-mail etiquette to trim extraneous material,
so that an ensuing thread doesn't keep re-quoting it.  Having said that, I'm
hereby re-quoting the material *YOU* excised, which is the point of this thread:

(Please feel free to re-cite material that is *directly* relevant to the
*specific* point under discussion, namely the concept of skipping a postmaster@
on a CVB...)

On Mon, 27 Jun 2005 21:10:38 EDT, Hector Santos said:

> MAIL FROM:<postmaster(_at_)domain> means "send bounces to
> postmaster(_at_)domain", NOT "no bounce needed".
>
> In regards to a CBV, a postmaster(_at_)domain is skipped.
>
> a) This is codified in a standard, where, exactly?

A perfectly valid question regarding a CBV - is there any standard that says
a postmaster is skipped?  If not, you're arguing from "one/several
implementations happen to do it that way", and will need to justify why this
behavior is done.

> b) This provides spammers an easy way out by sending with MAIL
> FROM:<postmaster...'

Particularly in light of the fact that the scheme has a big "SPAMMERS, DO THIS
TO EVADE" hanging all over it...

> c) Wander over to www.rfc-ignorant.org and see all the sites that *don't*
> properly support 'postmaster', so the assumption that "We won't check it
> because we "know" it's operational" is severely b0rked.

Combined with the fact that enough sites in fact manage to *not* support
"postmaster" in violation of the RFCs that automatically white-listing it is a
bad idea.

So we have a non-standard practice, combined with an obvious exploit, and of
dubious actual usefulness in a real world that has difficulty following the
*current* standards.  If you have a concrete technical explanation of why it's
*still* a good idea in face of all that, let us know....
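An added illustration of the policy point argued in this message (not code from the thread or from any CBV implementation): a toy callback-verification check in which the postmaster@ exemption is a switch, run against constructed RCPT TO responses, including a domain that rejects postmaster@ as the rfc-ignorant listings show some sites do. The domain names, addresses and response strings are constructed for the example.

```python
# Added example, not from the thread: minimal callback-verification (CBV)
# policy logic with the SMTP probe simulated in-process so it runs offline.

# Constructed sample: the RCPT TO reply a verifier would get from each
# sender domain's MX after "MAIL FROM:<>".  2xx = accepted, 5xx = rejected,
# 4xx = temporary failure.  "broken.example" does not accept postmaster@.
PROBE_RESPONSES = {
    "alice@good.example": "250 2.1.5 Ok",
    "postmaster@good.example": "250 2.1.5 Ok",
    "postmaster@broken.example": "550 5.1.1 User unknown",
    "nobody@broken.example": "550 5.1.1 User unknown",
    "anyone@slow.example": "450 4.2.0 Try again later",
}


def probe_rcpt(address: str) -> str:
    """Stand-in for 'MAIL FROM:<> / RCPT TO:<address>' at the sender's MX."""
    return PROBE_RESPONSES.get(address, "450 4.2.0 Temporary failure")


def cbv_verdict(mail_from: str, exempt_postmaster: bool) -> str:
    """Return 'accept', 'reject' or 'defer' for a return-path under CBV.

    exempt_postmaster=True reproduces the skip behaviour debated in the
    thread: postmaster@ is accepted without probing.  False verifies it
    like any other address, so a site that rejects postmaster@ is caught.
    """
    address = mail_from.strip("<>").lower()
    local, _, domain = address.rpartition("@")
    # The null sender (MAIL FROM:<>) is never probed; it carries bounces.
    if not local and not domain:
        return "accept"
    if exempt_postmaster and local == "postmaster":
        return "accept"          # the shortcut: no probe at all
    code = probe_rcpt(address)[:3]
    if code.startswith("2"):
        return "accept"
    if code.startswith("4"):
        return "defer"           # temporary failure: let the sender retry
    return "reject"
```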

