[Mailman-Developers] before next release: disable backscatter in default installation

Julian Mehnle julian at mehnle.net
Fri Mar 28 13:47:48 CET 2008


Ian Eiloart wrote:
> I think the reason that backscatter isn't subject to any RFC is that
> the real problem is the lack of authentication and accountability for
> return-paths in the original messages. Bouncing would be fine if you
> know that the email really came from the owner of the return-path.
>
> That's what SPF and DKIM are intended to help with. There's friction in
> their adoption because certain features of email (notably mail
> forwarding, but also some others) have no regard for these features.

So far, so good.

> Until no email service provider accepts message submissions outside of
> their own domains, all email providers offer message submission on port
> 587, all message submissions are authenticated, and mail forwarders
> accept responsibility for the email that they forward, it's not safe to
> bounce email.

This, however, is simply untrue.  Of course what you said is desirable, 
but SPF can help with safely bouncing e-mail _today_.  SPF may sometimes 
give an unexpected "Fail" result due to alias-style forwarding or other 
problematic cases, but when it gives a "Pass" result, it is always safe, 
i.e., the return path can be assumed to be authentic and bounces may be 
sent.
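
The bounce-only-on-Pass rule argued for above, as an added example that is not part of the original post or of Mailman's own code. It assumes the receiving MTA records its SPF check in a `Received-SPF` header prepended at the top of the message; `parse_received_spf`, `may_bounce` and the sample messages are hypothetical names and constructed data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

_RESULT = re.compile(r"\s*([A-Za-z]+)")
_PAIR = re.compile(r'([A-Za-z-]+)=("[^"]*"|[^;\s]+)')

def parse_received_spf(value):
    """Split one Received-SPF value into (result, key=value params)."""
    m = _RESULT.match(value)
    result = m.group(1).lower() if m else "none"
    rest = re.sub(r"\([^)]*\)", "", value)  # drop the (non-nested) comment
    params = {k.lower(): v.strip('"').lower() for k, v in _PAIR.findall(rest)}
    return result, params

def may_bounce(raw_message, envelope_from):
    """True only if our own SPF check said Pass for this exact return path."""
    sender = parseaddr(envelope_from)[1].lower()
    if not sender:  # null return path "<>": never bounce a bounce
        return False
    headers = message_from_string(raw_message).get_all("Received-SPF") or []
    if not headers:  # no SPF result recorded: the return path is unauthenticated
        return False
    # Headers are prepended, so the topmost one is the one our MTA added
    # (assumption). Lower ones may have been supplied by the sender.
    result, params = parse_received_spf(headers[0])
    if result != "pass":
        return False
    # A Pass for the HELO identity says nothing about the return path.
    if params.get("identity", "mailfrom") != "mailfrom":
        return False
    return params.get("envelope-from") == sender

# Constructed sample messages (documentation addresses and IP ranges).
SAMPLE_PASS = (
    "Received-SPF: pass (mx.example.net: 192.0.2.10 is authorized)\n"
    ' client-ip=192.0.2.10; envelope-from="alice@example.org";\n'
    " helo=mail.example.org; identity=mailfrom\n"
    "From: alice@example.org\nSubject: hello\n\nbody\n"
)
SAMPLE_SPOOFED = (
    "Received-SPF: fail (mx.example.net: 203.0.113.7 is not authorized)\n"
    ' client-ip=203.0.113.7; envelope-from="alice@example.org"; identity=mailfrom\n'
    'Received-SPF: pass (forged by sender) envelope-from="alice@example.org"\n'
    "From: alice@example.org\nSubject: spam\n\nbody\n"
)
```

Anything other than a Pass for the envelope sender, including a missing result, is treated as "do not bounce", so a message with a forged return path produces no backscatter.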