ietf-smtp

Re: [ietf-smtp] homework, not an experiment, draft-crocker-email-deliveredto

2021-08-03 13:36:34
On Tue, Aug 03, 2021 at 10:29:31AM -0700, Dave Crocker wrote:

>> The "Delivered-To" address is an internal representation of the target
>> mailbox (for loop detection), and is not intended for consumption by
>> MUAs or tools like fetchmail.
>
> An abuser sends a single message that contains a Delivered-To and might
> then trigger a bounce back to the return address.  This is a one-for-one
> effect.  To be interesting, the attacker needs to send many of these
> addresses, to produce many of these bounces.  Yes?

Even without any amplification, the risk is that the bounces can
leverage and harm the reputation of the server that returns the bounces.

The spammer gets to abuse an IP address from which he is not directly
able to originate email.

In any case, the intended consumer of Delivered-To is the MTA, not an
MUA.

-- 
    Viktor.

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
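
The loop check discussed in the message above, as an added example that is not part of the original post and not any MTA's own code: it shows why a message arriving with a Delivered-To header already naming the recipient produces a bounce from the receiving server, and how an operator could tally such bounces per submitting client. The function names, the case-insensitive address comparison, and the sample messages and addresses are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr


def _addr(value):
    # Assumption: bare addresses are compared case-insensitively.
    value = value.strip()
    if value in ("", "<>"):  # null return path
        return ""
    return parseaddr(value)[1].lower()


def is_loop(raw_message, recipient):
    """True if any Delivered-To header already names this mailbox."""
    msg = message_from_string(raw_message)
    target = _addr(recipient)
    return any(_addr(v) == target for v in msg.get_all("Delivered-To", []))


def final_delivery(raw_message, recipient, return_path):
    """Return (action, bounce_destination) for one local delivery attempt."""
    if not is_loop(raw_message, recipient):
        return ("deliver", None)
    sender = _addr(return_path)
    if not sender:
        return ("discard", None)  # nothing to bounce to
    return ("bounce", sender)


def loop_bounces_by_client(attempts):
    """Operator-side tally: loop bounces caused per submitting client IP."""
    tally = Counter()
    for client_ip, raw, rcpt, return_path in attempts:
        if final_delivery(raw, rcpt, return_path)[0] == "bounce":
            tally[client_ip] += 1
    return tally


# Constructed sample input (documentation addresses and IP ranges only).
ORDINARY = "From: a@example.net\nTo: bob@example.org\nSubject: hi\n\nbody\n"
PRELOADED = "Delivered-To: bob@example.org\n" + ORDINARY
ATTEMPTS = [
    ("192.0.2.10", ORDINARY, "bob@example.org", "a@example.net"),
    ("203.0.113.7", PRELOADED, "bob@example.org", "third-party@example.com"),
    ("203.0.113.7", PRELOADED, "bob@example.org", "other@example.com"),
    ("203.0.113.7", PRELOADED, "bob@example.org", "<>"),
]
```

A client whose first-hop submissions repeatedly land in the loop branch stands out in the tally, since a genuine loop requires the message to have passed through the mailbox once already.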
