spf-discuss

RE: Email Forwarder's Protocol ( EFP )

2005-02-22 16:19:44

On Tue, 22 Feb 2005, David MacQuigg wrote:

How do you currently handle soft fails?

The information just gets added to the Received-SPF header; other than
that, I do nothing with it. I think TEMP-failing goes a bit too far;
all softfail really means is: "If I had my SPF records/setup in order,
this mail would probably have to be REJECT-ted; but since I am not
done configuring yet, please do not take this result too seriously."
So, I don't. :) As Stuart said, the Bayesian filter will then read and
interpret the Received-SPF header.

This will work, but perhaps with some difficulty. As long as you pass
on the essential information in a header (protocol, IP address,
domain-name, result), the receiver can figure out where to send the
bounce, the forwarder that gets the bounce can dig deeper into the
headers and figure out where to forward the bounce, etc. The
difficulty comes when your receiver does not understand the
Received-SPF header, because it doesn't implement SPF. A header with
the items essential for any protocol in a standard format would allow
any receiver that follows the standard to generate a bounce.

Are we in agreement that bounces may come *after* a forwarder's SMTP
session is closed?

I generally frown upon MUA bounces; for one, because they rely on
inherently untrustful headers (unless they are digitally signed). Also, I
see no need for a forwarder to 'dig deeper into the headers and figure out
where to forward the bounce'. If the forwarder does SRS, a bounce to the
immediate envelope-from will suffice to 'follow authenticated addresses
all the way back to its source'. That is part of the beauty of SRS.

To repeat my earlier statement: A bounce might come
as late as several hours, when the recipient hits a "Reject as Spam"
button. That reject should be treated as a "bounce" and follow
authenticated addresses all the way back to its source.

Well, that is another reason to avoid MUA bounces: they are very risky,
and fraught with pitfalls. Like folks who 'reject' spam and viruses, by
their MUA; from the perspective of the Internet, they are simply
reinjecting a spam/virus back onto the net.

Also, even if you reliably trace the original sender, and it really is a
spammer, how much chance do you think there is of his being a legit
address? Really, and this is just a personal choice of mine, but I truly
believe mail should be REJECT-ed by the MTA, not the MUA. Once delivered,
a MUA should just flag/throw away/quarantine a message, but not send out
bounces of its own. 

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
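
The SRS behaviour referred to in the message above (a bounce to the immediate envelope-from is enough for the forwarder to recover the original sender), as an added example that is not part of the original message and not taken from any SRS implementation. It is a simplified SRS0-style rewrite; the secret, the forwarder domain, the 21-day window and the function names are assumptions, and the output is not byte-compatible with existing SRS libraries.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: forwarder's private key
FORWARDER = "forwarder.example"       # assumption: forwarder's own domain
MAX_AGE_DAYS = 21                     # assumption: bounce acceptance window
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _stamp(now):
    """Two base32 characters encoding the day number modulo 1024."""
    day = int(now // 86400) % 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(stamp, domain, local):
    """Short HMAC binding timestamp, original domain and local part."""
    msg = "".join((stamp, domain, local)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def forward(envelope_from, now=None):
    """Rewrite the envelope sender into the forwarder's domain."""
    now = time.time() if now is None else now
    local, domain = envelope_from.rsplit("@", 1)
    stamp = _stamp(now)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"


def reverse(bounce_rcpt, now=None):
    """Return the original sender for a bounce, or None if forged or expired."""
    today = int((time.time() if now is None else now) // 86400)
    try:
        local, domain = bounce_rcpt.rsplit("@", 1)
        prefix, tag, stamp, odomain, olocal = local.split("=", 4)
        then = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    except (ValueError, IndexError):
        return None
    if prefix.upper() != "SRS0" or domain.lower() != FORWARDER or len(stamp) != 2:
        return None
    if (today - then) % 1024 > MAX_AGE_DAYS:
        return None  # too old: refuse to relay the bounce
    ok = hmac.compare_digest(tag.encode(), _tag(stamp, odomain, olocal).encode())
    return f"{olocal}@{odomain}" if ok else None
```

The forwarder only relays a bounce when `reverse()` returns an address, so a bounce whose rewritten recipient was altered or has aged out is dropped instead of being sent on.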