ietf-smtp

Re: [ietf-smtp] homework, not an experiment, draft-crocker-email-deliveredto

2021-08-03 08:44:29
On Tue, Aug 03, 2021 at 05:42:23AM -0700, Dave Crocker wrote:

On 8/2/2021 7:25 PM, Viktor Dukhovni wrote:
Some abuse of Delivered-To to trigger bounces has been reported now and
then,

The thread you cited only describes the abuse as:

If mail arrives for a recipient that is already listed in a
Delivered-To: header, the message is bounced.

I'm not understanding.

Since Delivered-To is meant as an indication about the message
containing the Delivered-To, I'm not understanding what the 'already
listed' reference means.

"Already listed" here means deliberately injected by a spammer, even
though the message is fresh and had never previously been delivered to
the mailbox.

It seems odd that a spammer would send a message designed to be
rejected, other than perhaps for generating problematic bounces.

Designed to be *bounced* (not rejected): at least in the case of Postfix,
loop detection happens after the message is accepted, because mailbox
delivery is always asynchronous (from the queue).

So a miscreant abusing "Delivered-To" can cause the receiving system
to emit lots of bounces to a forged envelope sender address.

The "Delivered-To" address is an internal representation of the target
mailbox (for loop detection), and is not intended for consumption by
MUAs or tools like fetchmail.

-- 
    Viktor.
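
Added example (not part of the original message and not Postfix code): a sketch of checking, before a message is accepted into the queue, whether it already carries a Delivered-To header naming one of its envelope recipients, so that the outcome is an SMTP-time rejection instead of a later bounce to a forged envelope sender. The function names, the constructed sample messages and the case-insensitive comparison are assumptions of this example.

```python
from email import message_from_bytes
from email.policy import default


def normalize(addr):
    """Strip whitespace and angle brackets, fold case (case folding is an assumption)."""
    return addr.strip().strip("<>").strip().lower()


def already_listed(raw_message, envelope_rcpts):
    """Return the envelope recipients that a not-yet-delivered message
    already names in one of its Delivered-To headers."""
    msg = message_from_bytes(raw_message, policy=default)
    listed = {normalize(str(v)) for v in msg.get_all("Delivered-To", [])}
    return [r for r in envelope_rcpts if normalize(r) in listed]


def smtp_time_verdict(raw_message, envelope_rcpts):
    """Decide while the SMTP session is still open, so no bounce is generated
    towards the (possibly forged) envelope sender."""
    hits = already_listed(raw_message, envelope_rcpts)
    return ("reject", hits) if hits else ("accept", [])


# Constructed sample messages (not taken from the thread).
FORGED = (b"From: sender@example.net\r\nTo: alice@example.com\r\n"
          b"Delivered-To: alice@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
# A forwarded message legitimately carries Delivered-To for an earlier hop only.
FORWARDED = (b"From: sender@example.net\r\nTo: bob@example.org\r\n"
             b"Delivered-To: bob@example.org\r\nSubject: fwd\r\n\r\nbody\r\n")
CLEAN = b"From: sender@example.net\r\nTo: alice@example.com\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("forwarded", FORWARDED), ("clean", CLEAN)):
        print(name, smtp_time_verdict(raw, ["alice@example.com"]))
```

Only a Delivered-To value matching a current envelope recipient is flagged; headers left by earlier hops for other mailboxes pass through.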
