spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-09 10:39:38
In <1078853166(_dot_)867(_dot_)24(_dot_)camel(_at_)hades(_dot_)cambridge(_dot_)redhat(_dot_)com> David Woodhouse <dwmw2(_at_)infradead(_dot_)org> writes:

On Tue, 2004-03-09 at 11:01 -0600, wayne wrote:
At this time, thanks to spammers, a very large percentage of the MAIL
FROM addresses are bogus.  The best current practice is to *NEVER*
use the MAIL FROM address for anything.

/me shudders. That's _so_ wrong it's scary.

I'm not sure what you think is wrong.  If you don't believe that a
very large percentage of MAIL FROM addresses are bogus, I will be
happy to provide you with stats.

                                            There are some cases where
you absolutely _MUST_ use the MAIL FROM address, and to do otherwise is
likely to cause mail loops. 

What you seem to be confused with is the idea that you shouldn't
actually generate a bounce if it's avoidable -- current best practice is
to avoid accepting a mail and _then_ deciding you want to reject it; do
the utmost possible to make the decision before the SMTP transaction
finishes. That way, the mail never leaves the spammer's SMTP-sender.

What you seem to be confused with is that I'm saying that you should
use some other field to send bounces to.  This, of course, is not
true.  There are *no* addresses that you can safely send bounces to
without risking abusing innocent third parties.  Thanks to spammers,
if you can't reject the email during the SMTP session, you must not
generate any sort of bounce at all.  This, of course, is *bad*.  I
want to be able to generate bounces, but it is unacceptable to abuse
innocent third parties, therefore I can't.



If generating bounces you _MUST_ generate them only to the MAIL FROM:
address, not to any other address picked out of the mail itself.

I never said that you should use a different address.


Clueful ISPs will pull your machine off the network if you refuse to
conform with what RFC2821 mandates about use of MAIL FROM w.r.t.
bounces. It'd be a denial of service attack waiting to happen.

Sadly, clueful ISPs are not as common as they need to be.  Worse,
there are large ISPs that accept the email and then try to send
bounces to MAIL FROM address, thus abusing innocent third parties.
Even more problematic are the ISPs that accept all email and silently
/dev/null the stuff they don't want to deliver.



I repeat:

While I think there can be a lot of useful discussion about what the
semantics that SPF defines for the MAIL FROM address and the HELO
domain should be, the immediate problem is to enlighten people that
these strings are currently dangerous to use in any way.

You appear to still be advocating using the MAIL FROM address to send
bounces to.  As a result, you are advocating abusing innocent third
parties.



-wayne
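
The three behaviours argued over in this message (reject during the SMTP session, accept and then bounce to MAIL FROM, accept and silently discard), modelled as an added example that is not part of the original thread. The policy names, addresses and reply texts are constructed for illustration; the bounce uses the null reverse-path and is never sent in reply to a null reverse-path, which is the loop-avoidance rule from RFC 2821.

```python
from dataclasses import dataclass, field

@dataclass
class Outcome:
    smtp_reply: str      # what the connected SMTP client sees after DATA
    delivered: bool
    bounces: list = field(default_factory=list)  # (reverse_path, recipient)

def handle(policy: str, mail_from: str, unwanted: bool) -> Outcome:
    """Decide what a receiving MTA does with one message under a given policy."""
    if not unwanted:
        return Outcome("250 2.0.0 OK", True)
    if policy == "reject_in_session":
        # The refusal goes to whoever is actually connected. A legitimate
        # sender's own MTA turns it into a bounce; a spam sender gets nothing
        # it can redirect at a third party.
        return Outcome("550 5.7.1 Message refused", False)
    if policy == "accept_then_discard":
        # The client is told "OK" and nobody ever learns the mail was dropped.
        return Outcome("250 2.0.0 OK", False)
    if policy == "accept_then_bounce":
        out = Outcome("250 2.0.0 OK", False)
        if mail_from != "":                      # never bounce a bounce
            out.bounces.append(("", mail_from))  # "" is the null reverse-path <>
        return out
    raise ValueError(f"unknown policy: {policy}")

def backscatter(policy: str, transactions) -> list:
    """Addresses that receive bounces originated by this MTA."""
    hit = []
    for mail_from, unwanted in transactions:
        hit += [rcpt for _, rcpt in handle(policy, mail_from, unwanted).bounces]
    return hit

# Constructed sample: three unwanted messages whose MAIL FROM was forged to an
# uninvolved address, one incoming bounce (null reverse-path), one wanted message.
SAMPLE = [
    ("victim@innocent.example", True),
    ("victim@innocent.example", True),
    ("victim@innocent.example", True),
    ("", True),
    ("alice@sender.example", False),
]

if __name__ == "__main__":
    for policy in ("reject_in_session", "accept_then_bounce", "accept_then_discard"):
        print(policy, backscatter(policy, SAMPLE))
```
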

