In article <caaqnkjcbexdxv0kf4tkrmum8gq-ohhltjzg8pn1b1behryi...@mail.gmail.com> you write:
>I am saying that I think it's unwise to put what amounts to
>subscriber-level PII or basically clear identifiers in the Return
>Path/MFROM, if mail back to that address is interpreted as an
>indication that an action should be taken (like logging a bounce and
>potentially stopping future mail to that recipient). It's an open slot
>where an external actor could insert something to cause actions beyond
>the expected ones. That counts as a security concern in my book.

Given that pretty much every message from an ESP has the recipient's address on the To: line of the message, I'd put that particular risk on the last page of my book. If you want to fake a bounce from someone you certainly don't need VERP to do it.

R's,
John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop