My thesis is that SUBMITTER/RFROM/DAVE is a bad idea.
Spammers are currently saving considerable bandwidth by providing false
return paths in mail. SPF was originally designed to prevent mailers
from accepting mails with false return paths, and hence to prevent users
recieving bounces from mails they didn't send.
There is a suggestion to extend the mail protocol to have both SUBMITTER,
the "responsible address" or PRA, and MAIL FROM, the "origial source" of
the message. The PRA is validated according to SPF rules. The MAIL FROM
recieves bounces.
But suddenly we are verifying one address and sending bounces to another!
The possible responses I expect from the proponents of SUBMITTER are:
"But we send bounces to SUBMITTER".
- In this case, MAIL FROM is redundant, and we are proposing
rewriting SMTP for no purpose. The current system just puts the
PRA in MAIL FROM. This should continue.
"We can verify MAIL FROM as well."
- Differently to the verification of SUBMITTER? How?
The effect of introduing SUBMITTER is to entirely defeat the original
purpose of SPF, that is, to permit spammers to send their bounces to
arbitrary locations.
I appreciate the political constraints introduced by attempting to
cooperate with uncooperative parties with differing agendas to that of
SPF, but what is being achieved here is a total destruction of the utility
of the protocol.
SUBMITTER is therefore bad and should be excluded from any future
protocol.
S.
--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/