If you don't accept blaming the victim, then why do you suppose it
would be "silly" to accept that users that don't employ SPF or DKIM
are willing to receive backscatter. Surely their servers are
misconfigured to not provide a method of forgery detection. In the
fight against SPAM we are all victims as we all have to take elaborate
and costly steps to keep SPAM out of our mailboxes. No one is more
deserving of that title than anyone else.
So if you don't want to blame the victim, then you shouldn't blame the
server operator that doesn't completely eliminate all forms of
backscatter if you are also not going to blame the server operator
that gets hit by backscatter because they didn't employ a method of
forgery detection.
At least the server operator who employs SPF or DKIM detection is
doing his bit to reduce SPAM.
SPAM is a menace and anyone who is fighting SPAM should be applauded.
Those who do nothing to stop it should not be given an elevated status
compared to those that are fighting it.

Hmmmm... Now who's being silly.

What you can assume has to be put in context. Punching someone in the
face is unacceptable in the street but fairly compulsory in a boxing
ring. Neither case needs a notice as the convention is well understood
by those taking part. (Okay - there are exceptions, usually found in
city centres when the pubs/night clubs/bars close)

Much like the "abuse@" email address started out as a good idea, became
a convention and was then enshrined as a requirement in the standards
there is every possibility that DKIM/SPF will evolve in a similar way.

Today, you cannot assume that a lack of SPF/DKIM means that the domain
accepts backscatter because the implementations of SPF/DKIM are not yet
widely available enough. At some point in the future we can hope that
SPF/DKIM is available in all the main mail systems. When such a time
exists the decision to not have SPF/DKIM enabled will be the choice of
the mail administrator and we can then assume that backscatter is
acceptable if SPF/DKIM is not deployed.

At that point we will be able to generate NDR's without fear of creating
unwanted backscatter.

I was being a bit provocative towards the members of this newsgroup who
argue that no NDR's should ever be sent because you cannot verify the
sender. It seems that the technology has been invented to solve the
problem so should we berate the mail admins who generate backscatter or
encourage them to deploy SPF/DKIM?

Unfortunately UCE Protect don't seem to have SPF on their trap domains.
Perhaps they could lead by example.


Jon.

It doesn't matter to me how you treat incoming messages.
What do the standards say about what I'm allowed to assume? Please
quote and provide citations.
RFC 5321 7.9. says

It is a well-established principle that an SMTP server may refuse
to accept mail for any operational or technical reason that makes
sense to the site providing the server.

Note carefully who gets to decide what constitutes a sufficient reason
to refuse mail. "any operation or technical reason" is an extremely
broad category.
Not sending sites mail they don't want and didn't do anything to
request is a very old policy.
Where is the RFC that redefines "forgery"? You want to change the
definition, you need RFC support. Or is RFC support only required
from those who disagree with you?
Mail is not authorized by choosing not to implement this week's
FUSSP. Mail is authorized when the purported sender actually
authorizes it.
See above: a legitimate reason for site X to refuse any message is
whatever *site X* decides is a legitimate reason. RFC 5321
specifically states that, as I quoted and cited. If you wish to
redefine "legitimate reason to refuse mail" you need to propose an RFC
to do so.
I send to many people, a number of whom use forwarding services of
various types. Some of them are multi-hop, and I have no idea past
the first hop; therefore, I cannot create an SPF record that would
allow them to receive my mail (were they foolish enough to depend on
the result of SPF checks).
"First, steal a chicken." That might not be possible (e.g. the
emission point is the mailswerver of whoever provides Internet access
to the hotel I'm staying at).
And if one is using a different MTA?
As others (including me) have shown, mailbox full and other quota
issues can be handled so as to avoid any such problems. The method is
to reserve space before accepting ("250") the message. If you can't
reserve the space, assume a mailbox full.
The checks don't show "not forged", they can only show "the methods I
use did not determine the message to be forged". Likewise, there are
no perfect spam filters, else the whole problem would have gone away.
You aren't checking for that, because you can't.
They would be considered backscatter when they are.

Mail isn't magically "actually originated" by me when some spammer
forges my email address, no matter what protective technologies I
choose to implement or not implement. Mail is actually originated by
me when I, personally, perform the actual actions (^C^C) that cause it
to be sent.

Seth