ietf-smtp

Re: private key BATV is useful

2008-05-19 09:00:09

John R Levine wrote:
For BATV to be useful, a domain would have to be able to say that all messages from that domain must have BATV tags. I can't see anything in the spec to cover that requirement. Otherwise a spammer will just send messages without BATV tags, and BATV will achieve nothing other than upsetting some legitimate mailing lists...

The main goal of BATV is to deal with bounce blowback, that is, DSNs due to spam sent with forged return addresses. If your domain is popular among spammers, blowback can be a serious issue. On a bad day, my abuse.net domain gets 400,000 bounces for mail it didn't send.

The only thing prvs accomplishes is to let you tell whether an incoming bounce was sent in response to a message you actually sent. If you know that you sign all your own mail, you can be reasonably sure that bounces to signed addresses are real, and bounces to unsigned addresses are fake, give or take the edge cases we've been discussing.

Ah, OK, I was misunderstanding the point of BATV. Maybe it should be made clearer - looking at the introduction to the BATV spec, it seems to be saying that BATV is useful for deciding whether to SEND a bounce message, not whether to ACCEPT one. Obviously (to me, at least) private key BATV is useless for deciding whether to send a bounce message, since you have no way of checking the key.

I'm still not really sure about this. So, what you are saying is that if I used BATV, and I got a message with a null return path, and an unsigned recipient address, I could decide to reject/discard it?

But, I can't reject anything unless it has a null return path - so, what if the bounce message hasn't got a null return path? (I know they SHOULD have, but some ISPs won't relay mail with a null return path, so bounce messages going through those have to be massaged to have a non-null return path, e.g. 'no-reply@' or similar)

Similarly, what if a message comes in which has a null return path, but used a 'reply-to' address or similar as the recipient instead of the return path (e.g. some autoresponders may do this)?

I can't tell if a message is ACTUALLY a bounce message unless I get the content of the message (by which time a lot of the benefit is lost) and even then it's hard to do since most bounce messages don't conform to the MDN standards.

--
Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
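
The accept-side check discussed in this message, as an added example that is not part of the original post or of the BATV spec: a receiver that signs all of its own envelope senders rejects a null-return-path message whose recipient has no valid tag, and leaves everything else alone. The `prvs=KDDDSSSSSS=local@domain` layout (key digit, expiry day modulo 1000, first three bytes of an HMAC-SHA1 in hex) is assumed here following the BATV draft's prvs scheme; the key, the 7-day lifetime and all function names are hypothetical.

```python
import hashlib
import hmac

# Hypothetical signing keys, indexed by the single key digit in the tag.
KEYS = {0: b"constructed-demo-secret"}
LIFETIME_DAYS = 7  # assumed tag lifetime


def _mac(key_id, day, address):
    """First three bytes (six hex digits) of HMAC-SHA1 over K, DDD and the address."""
    msg = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha1).hexdigest()[:6]


def sign(address, today, key_id=0):
    """Return the tagged envelope sender; today is days since 1970-01-01."""
    local, domain = address.rsplit("@", 1)
    day = (today + LIFETIME_DAYS) % 1000
    return f"prvs={key_id}{day:03d}{_mac(key_id, day, address)}={local}@{domain}"


def verify(rcpt, today):
    """Return the original address if rcpt has a valid, unexpired tag, else None."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0].lower() != "prvs" or len(parts[1]) != 10:
        return None
    tag, orig = parts[1], f"{parts[2]}@{domain}"
    if not (tag[:4].isascii() and tag[:4].isdigit()) or int(tag[0]) not in KEYS:
        return None
    key_id, day = int(tag[0]), int(tag[1:4])
    expected = _mac(key_id, day, orig).encode()
    if not hmac.compare_digest(expected, tag[4:].lower().encode()):
        return None
    # Day numbers wrap at 1000, so the remaining lifetime is compared modulo 1000.
    if (day - today) % 1000 > LIFETIME_DAYS:
        return None
    return orig


def rcpt_decision(mail_from, rcpt, today):
    """RCPT-time policy for a domain that signs every envelope sender it uses."""
    if mail_from != "":
        # Non-null return path (e.g. a rewritten 'no-reply@' bounce):
        # the tag proves nothing either way, so other filters must decide.
        return "accept"
    return "accept" if verify(rcpt, today) else "reject"
```

The decision is made from the envelope alone, before any message content is received; bounces that arrive with a non-null return path fall through unchecked, which is the gap raised in the message above.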