Re: [ietf-smtp] homework, not an experiment, draft-crocker-email-deliver

Viktor Dukhovni writes:

> > On 2 Aug 2021, at 9:34 pm, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
> >
> >> In particular, it is not unreasonable for the LDA to record an encoded
> >> HMAC of the recipient address in the localpart, thereby making more
> >> difficult abuse of "Delivered-To:" to elicit bounces of the message to
> >> the purported envelope sender (because it is then harder for the
> >> attacker to predict the magic "Delivered-To:" value).
> >
> > Huh, interesting point.  Do you know of an LDAs that actually do that?  If  
> so we should
> > add it to the description of the existing practice if we do a draft.
> >
> > When I look at Postfix and qmail, they both appear to use the plaintext
> > locally rewritten recipient address, which may not make much sense to
> > software other than the MTA.
>
> Some abuse of Delivered-To to trigger bounces has been reported now and
> then, and the idea of obfuscated Delivered-To: had been discussed, but
> has not yet been implemented.  The freedom to do that some day remains.
>
> https://mailing.postfix.users.narkive.com/RMb6WBxb/delivered-to-message- 
> header
I don't see anything intrinsically wrong with this, by itself. It's better  
than nothing. But if the actual goal is to prevent proxy DDOSes, this should  
be addressed directly: no bounce should be sent via SMTP for mail that was  
accepted via SMTP.

pgp5AlnvCtRVv.pgp
Description: PGP signature

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp