Paul Smith wrote:
[snip]
Can it? Day 234 is after 019 isn't it? Given that the remote server
has no way of knowing how long the sending MTA has specified for
allowing bounces, this is an assumption that can't automatically be made.
Also, it would be easy for a spammer to just send a message from
batv1=1020bibble=user(_at_)example(_dot_)com
The receiving mail server can't check that 'bibble' isn't a valid
signature, so it would accept the message. In any case, a spammer
would just send it from user(_at_)example(_dot_)com, as the recipient has no way
of knowing that the sender address should be signed.
and if a signature is too short (user-part length limitations), then it
won't take long to break.
So, the remote server gains absolutely no benefit from BATV.
Agreed.
That's fine, as it doesn't seem that the remote server is supposed to
gain any benefit. It's the spoofed domain's MTAs which can gain the
benefit.
but then why standardize the format? anybody can use "internal aliases"
of any form (aka disposable addresses).