On Sun, 2004-03-28 at 19:41 +1200, Nick Phillips wrote:
I have to disagree with you here.
Your right.
Forwarding without modifying the envelope
sender may be an established practice, but I don't believe it's valid.
You are definitely on an uphill tack there.
You might just as well argue that accepting mail without checking that
it can be delivered, and subsequently generating a bounce, is an invalid
but established practice -- and hence start rejecting all MAIL FROM:<>
For justification, I'd just point out that a message forwarded in that way
is logically identical to a forgery.
By your definition, perhaps -- but I can tell them apart with sufficient
ease that I think it's very wrong to reject them. If we start to
_accept_ that we're going throw away valid mail, we might as well just
give up.
Take a hypothetical situation: you receive two mails. One bears the
sender address 'dwmw2(_at_)infradead(_dot_)org' and the Received: headers say it
came from a known spam source. The other bears a SRS-signed address
@srs.infradead.org and is GPG-signed by me. Its Received: headers say it
was received by pentafluge.infradead.org with asmtp from some dialup
address which authenticated as 'dwmw2'.
The first message is obviously a forgery. You note that
'dwmw2(_at_)infradead(_dot_)org' fails callout verification thus:
mail from:<>
250 OK
rcpt to:<dwmw2(_at_)infradead(_dot_)org>
550-This address never sends messages directly, and should not accept
bounces.
550-Please see http://www.infradead.org/rpr.html or contact
550 postmaster(_at_)infradead(_dot_)org for further information.
The second message obviously _isn't_ a forgery, and it passes CBV -- but
you claim it's "logically identical" to one. I suggest that if that's
logical, your axioms are flawed.
Again, I think you're missing something here. SPF will enable valid mail which
is currently being silently bounced to be either accepted completely, or
alternatively rejected in such a way that the sender will be notified.
You're assuming that people read bounces. I don't make that assumption
because I've seen it disproven too many times. Sometimes people forward
me bounces and ask me to read them -- often I can just cut and paste the
words which were in the original, and as long as I make them look like I
typed them myself and they didn't come from a computer, the recipient
actually bothers to read them.
--
dwmw2