On Tue, Feb 24, 2004 at 09:51:28PM +0000, David Woodhouse wrote:
|
| But you can still _reject_ at SMTP time, without having to trust the
| SMTP reverse-path. That doesn't cause a bounce assuming you're talking
| to the actual sender of the spam, and not some open relay or similarly
| broken host.
|
| > Caller-ID and DomainKeys both need something like SPF or SRS+callbacks
| > to make them safe to use.
|
| It should be safe to use them at SMTP time in the MTA, before accepting
| the mail.
|
That is correct.
If your MTA parses the headers, performs C-ID checks, and decides it's a
spoof, and if it still has the connection open and has not yet returned
a response to the "." end-of-DATA string, then it can return a 5xx error
message.
However, many MTAs have convenient facilities for envelope-time
(pre-DATA) plugins; checking the message body is a little bit harder and
will deter deployment.
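
The end-of-DATA rejection described in the message above, as an added example that is not part of the original thread: a minimal SMTP dialogue in which the header check runs after the "." line and before any reply is sent, so a failed check produces a 5xx on the open connection. The `header_check` policy, the `AUTHORIZED` table, the host names, and the session lines are constructed stand-ins and do not implement the actual Caller-ID lookup.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed stand-in policy (NOT the real Caller-ID lookup): header From
# domain -> client IPs allowed to send for it.
AUTHORIZED = {"example.org": {"192.0.2.10"}}

REPLIES = {"HELO": "250 mx.example.net", "MAIL": "250 2.1.0 Ok",
           "RCPT": "250 2.1.5 Ok", "QUIT": "221 2.0.0 Bye"}

def header_check(client_ip, raw_message):
    """Hypothetical header check: does the From: domain authorize this IP?"""
    headers = HeaderParser().parsestr(raw_message)
    domain = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    return client_ip in AUTHORIZED.get(domain, set())

def smtp_session(client_ip, client_lines):
    """Run a minimal SMTP dialogue and return the server replies in order."""
    replies, in_data, body = [], False, []
    for line in client_lines:
        if in_data and line != ".":
            # Dot-unstuffing: a leading "." on a data line is transport padding.
            body.append(line[1:] if line.startswith(".") else line)
        elif in_data:
            # End-of-DATA seen, reply not yet sent: the last point at which
            # the message can be refused instead of accepted and bounced.
            in_data = False
            ok = header_check(client_ip, "\n".join(body))
            body = []
            replies.append("250 2.0.0 Ok: queued" if ok
                           else "550 5.7.1 Header sender not authorized")
        else:
            verb = line.split(" ", 1)[0].upper()
            if verb == "DATA":
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                replies.append(REPLIES.get(verb, "500 5.5.2 Unknown command"))
    return replies

# Constructed session: envelope sender is forged, header From claims example.org.
SESSION = ["HELO client.example", "MAIL FROM:<x@forged.example>",
           "RCPT TO:<bob@example.net>", "DATA",
           "From: Alice <alice@example.org>", "Subject: hi", "", "hello",
           ".", "QUIT"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "->", smtp_session(ip, SESSION)[4])
```

The envelope sender is never consulted here; the decision rests only on the headers and the connecting IP, and the refusal is delivered to the connected client rather than to the reverse-path.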