ietf-smtp

Re: [ietf-smtp] homework, not an experiment, draft-crocker-email-deliveredto

2021-08-03 14:14:21
On 8/3/2021 11:36 AM, Viktor Dukhovni wrote:
> On Tue, Aug 03, 2021 at 10:29:31AM -0700, Dave Crocker wrote:
>
>>> The "Delivered-To" address is an internal representation of the target
>>> mailbox (for loop detection), and is not intended for consumption by
>>> MUAs or tools like fetchmail.
>> An abuser sends a single message that contains a Delivered-To and might
>> then trigger a bounce back to the return address.  This is a one-for-one
>> effect.  To be interesting, the attacker needs to send many of these
>> addresses, to produce many of these bounces.  Yes?
>
> Even without any amplification, the risk is that the bounces can
> leverage and harm the reputation of the server that returns the bounces.

Email abuse is a complex space, with a rich array of attacks and defenses.

That makes it dangerous to take a single theoretical example, like this, and project significant effects, and especially dangerous to then pursue common, pervasive protection mechanisms against it.


> The spammer gets to abuse an IP address from which he is not directly
> able to originate email.

Not exactly a new issue.



> In any case, the intended consumer of Delivered-To is the MTA, not an
> MUA.

Yes.  But I don't see how that affects this issue, here.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
