[spambayes-dev] FAQ 6.5

[Seth Goodman]

There are more important reasons to not bounce spam than internet
congestion.  A bounce is a class of automated message called a delivery
status notification (DSN).  A recipient MTA that accepts a message for
delivery must send a DSN to the return-path address if the MTA is unable
to make final delivery.  Spambayes runs in the MUA only after final
message delivery, so you can't say the message wasn't delivered :)  For
this reason, SMTP makes no provision for an MUA to ever send a DSN.

More importantly, there is no reliable bounce address in a message that
later turns out to be spam.  In fact, we know that the return-path is
virtually always forged.  Generating a bounce after acceptance will
abuse an innocent third party, if it is deliverable at all.

Many MTA's persisted for a number of years in promiscuously accepting
all messages for their domains and sending DSN's later for undeliverable
messages.  Operating an MTA this way is called a store-and-forward
configuration.  Once people started using IP blacklists, spammers
quickly realized that they could trick MTA's that were not blacklisted
into delivering their spam.  They would simply address the spam to an
undeliverable address at a domain with a good reputation, let's say
bogus at aol.com, and put the real target address into the return-path, say
victim at poorslob.com.  AOL's MTA accepts the message, since it purports
to be for an AOL customer.  Then it finds it had no mailbox named
'bogus' and sends a bounce message containing the spam to
victim at poorslob.com assuming they were the originator.  The MTA at
poorslob.com accepts all messages from aol.com, so it accepts and
delivers the spam and then blames AOL.

So the best answer as to why it is inappropriate to bounce spam is that
it turns your MTA into a spam reflector, which will properly get you
blacklisted for abuse.

--
Seth Goodman