Re: private key BATV is useful
2008-05-19 09:00:09
John R Levine wrote:
>> For BATV to be useful, a domain would have to be able to say that all
>> messages from that domain must have BATV tags. I can't see anything
>> in the spec to cover that requirement. Otherwise a spammer will just
>> send messages without BATV tags, and BATV will achieve nothing other
>> than upsetting some legitimate mailing lists...
>
> The main goal of BATV is to deal with bounce blowback, that is, DSNs
> due to spam sent with forged return addresses. If your domain is
> popular among spammers, blowback can be a serious issue. On a bad
> day, my abuse.net domain gets 400,000 bounces for mail it didn't send.
>
> The only thing prvs accomplishes is to let you tell whether an
> incoming bounce was sent in response to a message you actually sent.
> If you know that you sign all your own mail, you can be reasonably
> sure that bounces to signed addresses are real, and bounces to
> unsigned addresses are fake, give or take the edge cases we've been
> discussing.

Ah, OK, I was misunderstanding the point of BATV. Maybe it should be
made clearer - looking at the introduction to the BATV spec, it seems to
be saying that BATV is useful for deciding whether to SEND a bounce
message, not whether to ACCEPT one. Obviously (to me, at least) private
key BATV is useless for deciding whether to send a bounce message, since
you have no way of checking the key.

I'm still not really sure about this. So, what you are saying is that if
I used BATV, and I got a message with a null return path, and an
unsigned recipient address, I could decide to reject/discard it?

But, I can't reject anything unless it has a null return path - so, what
if the bounce message hasn't got a null return path? (I know they SHOULD
have, but some ISPs won't relay mail with a null return path, so bounce
messages going through those have to be massaged to have a non-null
return path, e.g. 'no-reply@' or similar)

Similarly, what if a message comes in which has a null return path, but
used a 'reply-to' address or similar as the recipient instead of the
return path (e.g. some autoresponders may do this)?

I can't tell if a message is ACTUALLY a bounce message unless I get the
content of the message (by which time a lot of the benefit is lost) and
even then it's hard to do since most bounce messages don't conform to
the MDN standards.

--
Paul Smith
VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
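
The accept-side check discussed in this message, as an added example that is not part of the original post or of any BATV implementation. It assumes the draft's `prvs=KDDDSSSSSS=local@domain` tag layout with an HMAC-SHA1 truncated to three bytes; the key, lifetime, day numbers and addresses are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-secret"  # constructed sample key
KEY_NUM = 0                       # assumed: one key slot in use
LIFETIME_DAYS = 7                 # assumed tag lifetime
TAGGED = re.compile(r"prvs=([0-9])([0-9]{3})([0-9a-f]{6})=(.+)", re.I | re.S)


def _mac(knum: int, day: int, local: str, domain: str) -> str:
    """First three bytes of HMAC-SHA1 over key number, expiry day and address."""
    msg = f"{knum}{day:03d}{local}@{domain.lower()}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:3].hex()


def sign(addr: str, today: int) -> str:
    """Tagged envelope sender for outgoing mail (today = days since epoch)."""
    local, domain = addr.rsplit("@", 1)
    day = (today + LIFETIME_DAYS) % 1000
    return f"prvs={KEY_NUM}{day:03d}{_mac(KEY_NUM, day, local, domain)}={local}@{domain}"


def check_rcpt(mail_from: str, rcpt_to: str, today: int) -> str:
    """Decide at RCPT TO time, before any message content is seen."""
    if mail_from != "":
        return "not-a-bounce"      # non-null return path: the tag check does not apply
    local, _, domain = rcpt_to.rpartition("@")
    if not local.lower().startswith("prvs="):
        return "reject-unsigned"   # null sender, but recipient carries no tag
    m = TAGGED.fullmatch(local)
    if m is None:
        return "reject-malformed"
    knum, day, mac, orig_local = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if not hmac.compare_digest(mac, _mac(knum, day, orig_local, domain)):
        return "reject-bad-mac"
    if (day - today) % 1000 > LIFETIME_DAYS:
        return "reject-expired"    # expiry day already passed (modulo 1000)
    return "accept"
```

The `not-a-bounce` result is the first edge case raised above: a bounce rewritten to a non-null return path is indistinguishable from ordinary mail at this stage, so the tag check cannot be applied to it.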