On Nov 15, 2007, at 11:41 AM, SM wrote:
> At 10:02 15-11-2007, Douglas Otis wrote:
>> The TBR extension can:
>> 1) without burdening the receiver
>>    a- provide a valid identity of origination
>>    b- eliminate back-scatter
>
> It may eliminate backscatter but it introduces a new problem, i.e.
> it can be used to stage attacks using HTTP.

Only to HTTP servers located within the "_tbr." subdomain. This will
not impact other websites. In addition, fairly straightforward
anti-abuse measures can be applied, and are recommended in the draft.

>> 5) protect valid email-address confidentiality
>
> See Section 7.6 of RFC 2821 about information disclosure in message
> forwarding.

This was not the concern. An attempt to send to an invalid recipient
is likely to return an error which may indicate their non-existence.
Dropping any acknowledged message will have the effect of lowering
email's delivery integrity. For those messages being handled by
incoming filtering services, RFC8221 section 4.2.5 Reply Codes After
DATA and the Subsequent <CRLF>.<CRLF> requires either the message be
delivered, or a DSN be made. These services will either produce a
flurry of backscatter, cause messages to be lost, or permit valid
recipient addresses to be discovered. The TBR extension is better
able to obfuscate whether a message was refused due to an opinion of the
origination, or due to an invalid recipient. Seeing a series of
invalid recipients would be a clear indication of this being abusive.
Any lucky guesses can be expunged when a short hold is placed upon
suspicious points of origination.
-Doug