[Greg Wooledge]
There's no way for the MTA at wooledge.org to know whether this is a
legitimate bounce message (a reply to a previous outgoing message).
Schemes like SPF which validate the envelope sender address can't
be used here either, because there is no sender address to validate.
Possible correction here: as I understand the draft, when there's no
envelope-sender, SPF uses the domain from the HELO/EHLO string. I could be
wrong, if so, correct me. Even so, the HELO string could contain the
correct, FQDN of the MX, which would pass the SPF check if they had an SPF
record, or at least pass reverse DNS checks if they didn't. Even if it
passed both tests, it could still be joe-jobbed bounce spam, so your
technique is valuable (not to mention a terrific insight).
I have two questions on what happens at SRS-unaware MUA's that receive
messages you send out with the SRS sending addresses. Consider this a
newbie question as I have little familiarity with MUA's, so be gentle if the
question is clueless. I realize the answers are likely MUA-dependent, but
maybe not.
1) How will SRS-unaware MUA's display the From: address, Reply-to: address,
etc. for SRS sender addresses to the user? Will this be intelligible to an
SRS-unaware human?
2) Does this affect the receiving user's ability to use
whitelists/blacklists? This is not important to me, but some people are
fond of their kill files, so I'm just curious.
--
Seth Goodman