Douglas Otis wrote:
There is a real risk SPF might be used as basis for acceptance
You can combine white lists with SPF PASS as with DKIM "PASS",
the risk is very similar.
Much of the danger of auto responses has to do with DDoS
concerns.
It depends on the definition of "DDoS". From my POV as POP3
user over a V.90 connection 10,000 unsolicited mails are just
bad, no matter what it is (spam, worm, DSN, or auto-response).
It's not really a "DDoS". SPF at least helped me to get rid
of the bogus DSNs and other auto-responses since three years,
smart spammers are not interested to forge SPF FAIL protected
addresses.
BTW, I think the definition of "Joe job" in the sieve EREJECT
draft is obsolete, the mere abuse of "plausible" addresses is
no "Joe job" and IMO also not a real DDoS. But it's certainly
bad for the victims, it can be bad enough to make a mailbox
unusable for some victims.
A safer approach would be to format all DSNs per RFC3464 and
remove original message content.
I'd hope that a majority of receivers already does this, that's
state of the art for some years now. Or rather "truncate" is
state of the art, not complete removal of the body.
Mailman made a mistake where an error caused a DSN that returned
original content without first verifying the validity of the
return path.
Auto responders aren't in a good position to verify the validity
of the return path. Good positions to do this are the MSA based
on RFC 4409 and later the MX based on RFC 4408.
Frank
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf