On Jan 9, 2005, at 10:59 AM, Nico Kadel-Garcia wrote:
----- Original Message ----- From: "Theo Schlossnagle"
<jesus(_at_)omniti(_dot_)com>
If someone is so lazy to determine that they do not want an email
after they have taken receipt of it, then what would lead you to
believe that they would implement SPF during the SMTP session?

It doesn't take sender policy framework or signed envelope sender for
an administrator to realize that the user specified in the RCPT TO
doesn't exist. This is the case that is responsible for most
backscatter.

But having a user not in the RCPT TO is *supposed* to generate a
bounce message, so that when people lose email accounts or accounts
are mis-typed the sender gets a bounce. SPF helps prevent the sending
of these bounces, because the sender in the forged email message is,
well, forged, including their domain.

When a user is presented in the RCPT TO phase and that user does not
exist on the receiving system, then the mail server has two options:

(1) accept the mail _knowing_ that it will send an MDN later
(2) 550 5.0.1 user does not exist after RCPT TO:

The first way is how mail systems used to work on the trusting
Internet. Now, mail administrators either use option (2) or they
contribute to the problem.

This is not something an administrator can reasonably handle, for even
a small site, in the midst of an email worm problem. It needs to be
automated.

A mail administrator should be expected to configure his/her mail
system to adhere to best common practices. Accepting, then bouncing is
not a best common practice.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth
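
The two RCPT TO options described in the message above, as an added example that is not part of the original post or any MTA's own code: a small simulation of a receiving server that shows who ends up with a bounce when the envelope sender is forged. The domain, mailbox list, addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.org"      # constructed receiving domain
LOCAL_USERS = {"alice", "bob"}    # constructed list of mailboxes that exist


@dataclass
class SessionResult:
    replies: list = field(default_factory=list)    # (rcpt, SMTP reply) given in-session
    delivered: list = field(default_factory=list)  # recipients that got the message
    bounces: list = field(default_factory=list)    # addresses mailed a bounce afterwards


def mailbox_exists(rcpt):
    local, _, domain = rcpt.lower().rpartition("@")
    return domain == LOCAL_DOMAIN and local in LOCAL_USERS


def receive(mail_from, rcpts, reject_at_rcpt):
    """Simulate one inbound SMTP transaction.

    reject_at_rcpt=False is option (1): accept everything, bounce later.
    reject_at_rcpt=True  is option (2): answer 550 during RCPT TO.
    """
    result = SessionResult()
    accepted = []
    for rcpt in rcpts:
        if reject_at_rcpt and not mailbox_exists(rcpt):
            # The connecting client is told immediately; the receiver never
            # takes responsibility for the message, so it owes nobody a bounce.
            result.replies.append((rcpt, "550 5.0.1 user does not exist"))
            continue
        result.replies.append((rcpt, "250 OK"))
        accepted.append(rcpt)

    # Post-DATA delivery: anything accepted for a missing mailbox must now be
    # bounced to the envelope sender, which the receiver cannot verify.
    for rcpt in accepted:
        if mailbox_exists(rcpt):
            result.delivered.append(rcpt)
        elif mail_from:  # a null envelope sender ("") is never bounced to
            result.bounces.append(mail_from)
    return result


if __name__ == "__main__":
    forged = "victim@forged.example"  # constructed forged envelope sender
    rcpts = ["alice@example.org", "nosuchuser@example.org", "typo@example.org"]
    for mode in (False, True):
        r = receive(forged, rcpts, reject_at_rcpt=mode)
        print("reject_at_rcpt =", mode, "| bounces sent to:", r.bounces)
```

With option (1) the forged sender receives one bounce per nonexistent recipient; with option (2) the receiving system generates no mail at all.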