> From: "Tony Hain"
> To: "'Vernon Schryver'" <vjs@xxxxxxxxxxxxxxxxxxxx>, <ietf@xxxxxxxx>

> So if you had received the mail sent here yesterday claiming to be from
> Alain Durand would you block Sun or IBM? ...

I should not have responded specifically (if at all) to the other
gentleman's complaint about my blacklists. Whatever I do to mail
directed at stuff I control is irrelevant here, provided I do not
affect any third parties. My freedom to filter access to port 25 (SMTP)
and port 23 (telnet) is equally and completely unfettered.

Two groups oppose that principle. Some people demand SPEWS and other
filters with what they consider too many false positives be outlawed,
because those filters might affect their outgoing mail. They are
unmoved by users knowingly choosing their own filters. They feel their
right to be heard by whomever they choose overrides the rights of their
targets to be left alone.

Other people see nothing wrong in spewing junk at third parties if it
might reduce their own spam loads. These people include users of
systems based on challenge/responses, bounces after the initial SMTP
transaction (sometimes from within MUAs), "bitch lists" that send
complaints to dozens of third parties. These people feel their right to
consent to whatever appears in their mailbox overrides the similar
right of others.

As I see it, both groups suffer the same pathology as spammers.

.................

] From: "Robert G. Brown" <rgb@xxxxxxxxxxxx>

] ...
] In the department, where we do USE spam assassin, no bounce messages are
] generated except when mail fails for one of the standard reasons
] unrelated to filtering of any sort. ...

On today's Internet, innocents are almost certainly receiving bounced
spam and viruses from your system that could not be delivered for
reasons unrelated to filtering, such as bogus target addresses.

] ...
] If that rejection occurred during the original transaction and generated
] a bounce -- well, that's the kind of thing we see above, a cure that can
] easily be worse than the disease, ...

The idiotic messages from that stupid challenge/response system are not
generated during the original SMTP transaction. It is possible to do
challenge/responses that do not involve separate messages, but they
suffer from MUAs and MTAs that do not handle SMTP rejections properly
and users who cannot understand them.

Somehow making SMTP rejections understandable to users is something
that the IETF might attempt. I think that is something the ASRG is
considering. I also think that is nearly impossible. Such is life.

] If I understand what you are saying, perhaps there is a way to "do it
] correctly" -- reject the spam at the original smtp transaction but with
] a message that goes back to the original sender (only) in spite of the
] fact that both the From and Return Path header entries might well be
] forged and the message relayed through one or more open relays. ...

Headers and the SMTP envelope, forged or not, are irrelevant to SMTP
5yz and 4yz rejections, as far as the rejecting SMTP server is
concerned. If the spam came through an open relay, then a proper SMTP
rejection might cause the relay to send a bounce to an innocent
mailbox, but SMTP relays are out of favor among spammers compared to
open proxies.

Vernon Schryver    vjs@xxxxxxxxxxxx
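
The delivery paths discussed in this message, as an added toy model that is not part of the original post: it compares an in-session 5yz rejection with accept-then-bounce, for a sender connecting directly (or through an open proxy) and for one going through an open relay. All addresses, function names and the mailbox list are constructed for illustration; this is not a real MTA.

```python
# Toy model (assumption: not a real MTA). It answers one question: which
# mailbox receives a failure notice when mail to a bad recipient arrives
# with a forged envelope sender?
VALID_RCPTS = {"alice@dest.example"}  # constructed mailbox list


def final_server(mail_from, rcpt_to, policy):
    """Destination MTA. Returns (reply_code, generated_mail).

    policy 'reject': refuse during the SMTP transaction.
    policy 'bounce': accept, then send a bounce as a separate message.
    """
    if rcpt_to in VALID_RCPTS:
        return 250, []
    if policy == "reject":
        # The 5yz reply goes back over the same TCP connection. The envelope
        # sender is never consulted, so a forged MAIL FROM does not matter.
        return 550, []
    # Accepted, then bounced: the notice is addressed to MAIL FROM, forged or not.
    return 250, [("bounce", mail_from)]


def open_relay(mail_from, rcpt_to, policy):
    """Open relay: already accepted the message, now acts as SMTP client."""
    code, generated = final_server(mail_from, rcpt_to, policy)
    if code >= 500:
        # The relay, not the original sender, saw the rejection, so it
        # reports the failure to the envelope sender it was handed.
        generated = generated + [("bounce", mail_from)]
    return 250, generated  # the original sender only ever saw the relay's 250


def backscatter(path, policy,
                mail_from="victim@innocent.example",   # forged sender (constructed)
                rcpt_to="nobody@dest.example"):        # nonexistent mailbox (constructed)
    """Return (code seen by the sending host, mailboxes that get a bounce).

    path 'direct' and 'proxy' behave the same here: an open proxy only
    forwards TCP bytes, so the destination's reply reaches the real sender.
    """
    hop = open_relay if path == "relay" else final_server
    code, generated = hop(mail_from, rcpt_to, policy)
    return code, [to for _kind, to in generated]


if __name__ == "__main__":
    for path in ("direct", "proxy", "relay"):
        for policy in ("reject", "bounce"):
            print(path, policy, backscatter(path, policy))
```

Only the direct/proxy path combined with in-session rejection produces no mail to the forged address; every other combination delivers a bounce to it.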