"Craig Whitmore" <lennon(_at_)orcon(_dot_)net(_dot_)nz> writes:
I have a question about BATV. (Yes, this about SPF, but you knows would
know)
Quite a number of email servers use callbacks (Like exim) so BATV breaks
callsbacks. So I was thinking only reject (after data) is its a bounce and
it
actually contains data.
so
MAIL FROM: <>
RCPT TO: user(_at_)yourdomain(_dot_)com
QUIT
callback works (as its a call back and it had no data)
Sorry for the possibly naive question, but why would you actually
*want* the SMTP callback to work. Suppose you are using BATV or
something like BATV, and you send mail to someone whose client is
infected by a virus. That person's computer might then turn around
and send 1,000 messages from your envelope sender address. Or maybe
the BATV shows up in a Return-Path: header of some web archive, and a
spammer picks it up there.
Either way, if recipients of the forged messages implement SMTP
callbacks, it seems to me you want to inform them that you are not
interested in receiving bounce messages to that address. Especially
since, under most of the scenarios under which I can imagine a bad guy
getting the sender address, the original message has already been
delivered.
I would argue that the right thing is not only to use a unique sender
address for each message, but also to accept a limited number of SMTP
callbacks for the address--maybe something like 5 + 5 times the number
of recipients. Saving bandwidth from a DATA command you are going to
reject sounds like a relatively minor optimization compared to helping
forgery recipients reject the forged mail.
David
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com