On Fri, Feb 16, 2018 at 8:58 PM, John Levine <[email protected]> wrote: > In article <[email protected]> you write: >>> It's not really wise to use non-obfuscated return paths when using >>> VERP. If it's easily decodable, a goofball could spin up fake ones to >>> try to get 'em logged as legitimate bounces and inhibit future >>> delivery of certain messages to certain recipients. Is it >>> common/likely? > > That seems quite a stretch. Has it ever happened in the history of the > Internet?
I don't think it has and I never claimed as such. I think that's a bit unfair, making a sort of straw man argument in response. I am saying that I think it's unwise to put what amounts to subscriber-level PII or basically clear identifiers in the Return Path/MFROM, if mail back to that address is interpreted as an indication that an action should be taken (like logging a bounce and potentially stopping future mail to that recipient). It's an open slot where an external actor could insert something to cause actions beyond the expected ones. That counts as a security concern in my book. Yes, it is personally reasonable that different people will have different takes on the level of concern associated with that potential risk. Regards, Al Iverson -- al iverson // wombatmail // miami http://www.aliverson.com http://www.spamresource.com _______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
