spf-discuss

Re: ENVID to prevent forged bounces with SUBMITTER?

2004-06-05 20:08:39
Michael R. Brumm wrote:
Michael R. Brumm wrote:

You left out the fact that RSP also allows injections of forged bounces.


Daniel Taylor wrote:

1. Don't bounce, reject.
2. If you must bounce, unwind the RSP.
3. If you must bounce and don't unwind the RSP, don't be surprised to find your bounces getting rejected.


Your point being...? Option #2 is what allows the joe-jobs.

Bounce through the RSP, hence, Reverse Source Path. It is the obvious
use of it, and joe-job bounces don't occur because you are backtracking
through the verified sender.

say @spammer.com;@fake.com;joe@job.com

You bounce it back to spammer.com, and they still have the bandwidth
of the bounce. Twice over if they relay the bounce "back" to fake.com
or directly to joe@job.com.

Thusly, if spammer.com passes SPF they pay the cost of bounces, if
they do not pass SPF the whole mess falls apart before it gets
back to the "target".

--
Daniel Taylor
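As an added illustration (not part of the thread or any SPF implementation), the following Python models the "unwind the RSP" bounce rule Daniel describes: the bounce is addressed only to the nearest hop of the reverse source path, that hop receives the rest of the path to relay onward, and no bounce is generated at all unless the nearest hop passed SPF. The path syntax (`;`-separated hops, relay hops prefixed with `@`, mailbox last) is assumed from the example in the post.

```python
# Constructed example of unwinding a reverse source path (RSP) for a bounce.
# Path syntax assumed from the post: "@spammer.com;@fake.com;joe@job.com".

def parse_rsp(path: str):
    """Split an RSP into (list of relay domains, original mailbox)."""
    parts = [p.strip() for p in path.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty path")
    *hops, mailbox = parts
    if not all(h.startswith("@") and len(h) > 1 for h in hops):
        raise ValueError(f"relay hop must look like '@domain': {path!r}")
    if mailbox.startswith("@") or "@" not in mailbox:
        raise ValueError(f"last element must be a mailbox: {path!r}")
    return [h[1:] for h in hops], mailbox

def unwind_bounce(path: str):
    """Return (domain that receives the bounce, RSP carried in that bounce).

    Only the nearest hop is contacted; it gets the remaining path and may
    relay the bounce further, so each hop pays for its own leg."""
    hops, mailbox = parse_rsp(path)
    if not hops:
        # No relays left: the bounce goes straight to the mailbox's domain.
        return mailbox.split("@", 1)[1], mailbox
    remaining_hops = ["@" + h for h in hops[1:]]
    return hops[0], ";".join(remaining_hops + [mailbox])

def bounce_decision(path: str, nearest_hop_spf_pass: bool):
    """Daniel's rule: bounce toward an SPF-verified nearest hop only.

    If the nearest hop failed SPF the message is rejected at SMTP time and
    no bounce exists, so a forged path never reaches the 'target'."""
    if not nearest_hop_spf_pass:
        return {"action": "reject"}
    to_domain, carried_path = unwind_bounce(path)
    return {"action": "bounce", "to_domain": to_domain, "path": carried_path}

if __name__ == "__main__":
    sample = "@spammer.com;@fake.com;joe@job.com"   # constructed sample path
    print(bounce_decision(sample, nearest_hop_spf_pass=True))
    print(bounce_decision(sample, nearest_hop_spf_pass=False))
```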