Michael R. Brumm wrote:
Michael R. Brumm wrote:
You left out the fact that RSP also allows injections of forged bounces.
Daniel Taylor wrote:
1. Don't bounce, reject.
2. If you must bounce, unwind the RSP.
3. If you must bounce and don't unwind the RSP, don't
be surprised to find your bounces getting rejected.
Your point being...? Option #2 is what allows the joe-jobs.
Bounce through the RSP, hence, Reverse Source Path. It is the obvious
use of it, and joe-job bounces don't occur because you are backtracking
through the verified sender.
say @spammer.com;@fake.com;joe@job.com
You bounce it back to spammer.com, and they still have the bandwidth
of the bounce. Twice over if they relay the bounce "back" to fake.com
or directly to joe@job.com.
Thusly, if spammer.com passes SPF they pay the cost of bounces, if
they do not pass SPF the whole mess falls apart before it gets
back to the "target".
--
Daniel Taylor
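
The bounce handling discussed in this thread, as an added Python example that is not part of the original posts or of any RSP implementation. It assumes the `;`-separated path syntax quoted in the message, takes the SPF verdict for the first hop as a caller-supplied input, and treats "no bounce at all" for an unverified first hop as an assumption; `parse_rsp`, `decide_bounce` and `BounceDecision` are hypothetical names.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BounceDecision:
    action: str                  # "reject", "bounce" or "drop"
    next_hop: Optional[str]      # domain the bounce is handed to
    return_path: Optional[str]   # path left for that hop to unwind


def parse_rsp(rsp: str) -> Tuple[List[str], str]:
    """Split '@hop1;@hop2;user@domain' into (relay hops, final mailbox)."""
    parts = [p.strip() for p in rsp.split(";") if p.strip()]
    if not parts or parts[-1].startswith("@") or "@" not in parts[-1]:
        raise ValueError("path must end in a mailbox")
    hops = []
    for part in parts[:-1]:
        if not part.startswith("@") or len(part) < 2:
            raise ValueError(f"malformed hop: {part!r}")
        hops.append(part[1:].lower())
    return hops, parts[-1]


def decide_bounce(rsp: str, spf_result: str, in_smtp_session: bool) -> BounceDecision:
    hops, mailbox = parse_rsp(rsp)
    # The only sender SPF can vouch for is the host that handed us the message:
    # the first hop of the path (or the mailbox domain when there are no hops).
    verified = hops[0] if hops else mailbox.rsplit("@", 1)[1].lower()
    if in_smtp_session:
        # Option 1: refuse during the SMTP transaction, no bounce is generated.
        return BounceDecision("reject", None, None)
    if spf_result != "pass":
        # Assumption: an unverified first hop gets no bounce at all, so nothing
        # can travel on towards the address at the end of the path.
        return BounceDecision("drop", None, None)
    # Option 2: unwind one hop. The bounce goes to the verified sender, which
    # receives the remaining path and bears the cost of any further relaying.
    remaining = ";".join([f"@{h}" for h in hops[1:]] + [mailbox])
    return BounceDecision("bounce", verified, remaining)


# Constructed input: the path quoted in the message.
SAMPLE = "@spammer.com;@fake.com;joe@job.com"
```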