Douglas Otis wrote:

> There is a real risk SPF might be used as basis for acceptance

You can combine white lists with SPF PASS as with DKIM "PASS",
the risk is very similar.

> Much of the danger of auto responses has to do with DDoS
> concerns.

It depends on the definition of "DDoS". From my POV as POP3 user
over a V.90 connection 10,000 unsolicited mails are just bad, no
matter what it is (spam, worm, DSN, or auto-response). It's not
really a "DDoS".

SPF has at least helped me to get rid of the bogus DSNs and other
auto-responses for three years now, smart spammers are not interested
in forging SPF FAIL protected addresses.

BTW, I think the definition of "Joe job" in the sieve EREJECT
draft is obsolete, the mere abuse of "plausible" addresses is no
"Joe job" and IMO also not a real DDoS. But it's certainly bad
for the victims, it can be bad enough to make a mailbox unusable
for some victims.

> A safer approach would be to format all DSNs per RFC3464 and
> remove original message content.

I'd hope that a majority of receivers already does this, that's
state of the art for some years now. Or rather "truncate" is
state of the art, not complete removal of the body.

> Mailman made a mistake where an error caused a DSN that returned
> original content without first verifying the validity of the
> return path.

Auto responders aren't in a good position to verify the validity
of the return path. Good positions to do this are the MSA based
on RFC 4409 and later the MX based on RFC 4408.

Frank
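
The DSN layout discussed in the message above (an RFC 3464 `multipart/report` that returns only the original headers, never the body), as an added example that is not part of the original post. The `build_dsn` helper, host names and addresses are constructed for illustration.

```python
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample of an undeliverable message (not taken from the thread).
ORIGINAL = (
    "Return-Path: <sender@example.org>\n"
    "From: sender@example.org\n"
    "To: nobody@example.net\n"
    "Subject: hello\n"
    "Message-ID: <1@example.org>\n"
    "\n"
    "BODY-THAT-MUST-NOT-BE-REFLECTED\n"
)

def build_dsn(original_text, reporting_mta, recipient, status="5.1.1"):
    """Return an RFC 3464 DSN carrying only the original headers, or None."""
    orig = message_from_string(original_text)
    return_path = (orig["Return-Path"] or "").strip().strip("<>")
    if not return_path:
        return None  # null or missing return path: never answer a bounce
    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = f"MAILER-DAEMON@{reporting_mta}"
    dsn["To"] = return_path
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    # Part 1: human-readable explanation.
    dsn.attach(MIMEText(f"Delivery to {recipient} failed permanently.\n"))
    # Part 2: machine-readable message/delivery-status, built as a list of
    # header blocks (per-message fields, then per-recipient fields).
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; {reporting_mta}"
    per_recipient = Message()
    per_recipient["Final-Recipient"] = f"rfc822; {recipient}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = status
    machine = Message()
    machine.set_type("message/delivery-status")
    machine.set_payload([per_message, per_recipient])
    dsn.attach(machine)
    # Part 3: text/rfc822-headers instead of message/rfc822, so the original
    # body is never reflected to the (unverified) return path.
    headers = "".join(f"{name}: {value}\n" for name, value in orig.items())
    dsn.attach(MIMEText(headers, "rfc822-headers"))
    return dsn
```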