spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-11 06:14:47
In <1078988480(_dot_)5835(_dot_)81(_dot_)camel(_at_)imladris(_dot_)demon(_dot_)co(_dot_)uk> David Woodhouse <dwmw2(_at_)infradead(_dot_)org> writes:

> On Tue, 2004-03-09 at 20:21 -0600, wayne wrote:
> > It is more than just "the potential".  Spam is far more likely to
> > trigger a bounce than legitimate email.
>
> It is definitely appropriate to say 'the potential'. What part of "only
> when the primary MX host is actually down _and_ we receive mail for an
> invalid user at the target domain which is not a cached negative" do you
> not understand?

Are you saying that these conditions never happen?  If it happens,
it is not just 'the potential', if not, you could just drop the
bounces so that there isn't 'the potential'.


> > Using SRS on all your outgoing email is a way of protecting yourself
> > from people who think it is ok to send bogus bounces to innocent third
> > parties.
>
> That includes everybody who I consider competent to run a mail server,
> and that has been the status quo for years.

The status quo for years was for everyone to be an open relay also.
For the last few years, there has been a similar change to reject
email during the SMTP session rather than accepting email and then
generating a bounce.


> > The strange thing is, you made strong objections to the SRS1
> > short-cutting because of the far smaller potential for abusive
> > bounces, but apparently, you are perfectly happy to bounce stuff
> > directly.  I don't get it.  I think both are bad.
>
> No. I made objections to the SRS1 short-cutting because of the potential
> for abusive mail getting through directly, not actual bounces.

Bogus bounces sent to innocent third parties are abusive emails.


> > Hotmail, MSN, Yahoo, AOL, etc. are all known to silently drop large
> > quantities of email.  This is *bad*, but this is the state of email
> > today.  SPF, and other designated mailer systems, may be able to
> > change this back.
>
> Have you evidence to support this? I received a bounce from AOL only
> yesterday.

I didn't say that these ISPs drop *all* email instead of bouncing,
only that they drop (neither deliver to the end user, nor bounce)
large quantities of email.  As far as evidence, you can view the IETF
BOF video and see an AOL person who says that they do this, and I have
a private email from Microsoft people who directly say that large
quantities of email are thrown on the floor by Hotmail/MSN.  (This is
only done if the email has a "high probability" of being spam.)


> If you think bounces are so bad, why don't you start rejecting all MAIL
> FROM:<> ?

Bounces are good.  Bounces to innocent third parties are bad.


-wayne

