I wrote a response to this earlier, but it seems to have gotten lost. (I
received an initial acknowlegement, but no approval/disapproval message.)
No disagreement there. My point in writing that was not to support the
backscatter apologists, but merely to explain that the "hostile mail"
exception (RFC 5321, section 6.2) Shmuel is fixated on is a distraction in
this debate.

---- Michael Deutschmann <***@talamasca.ocis.net>

If a hardware or OS failure is the cause of the non-delivery, an NDR cannot
be universally avoided. An NDR can occur even when all possible checks
performed during SMTP indicate that the message will be deliverable.

Unanticipated errors can always turn up.

I implement CSA instead of SPF or DK. Do you check CSA? If not, is it MY
fault for using a different silver bullet than you do?
s/future/alternative/
So, if I protect my domains with ASDF records (Almighty & Secure Detection
of Forgeries, the Next Big Thing, just read My Blog) and receive NDRs from
your server - it's backscatter, right?
.. using *all* known and unknown methods to detect forgeries deployed on
the Internet today. I don't think my server could handle the number of
database lookups required to process a single mail.
So, by your standards, it's ok if I post my criteria on a shed in Timbuktu.
Any NDR received with respect to a message that is a forgery is clearly
backscatter.

I think we (tiaw) can live with that.
There is no such guarantee.

http://www.uceprotect.net/en/index.php?m=2&s=0

| Q7: I own a domain that I am actually not using so can I do anything to
| help the project?
|
| A7: Yes and you are very welcome to do so.
..
| Simply ask your ISP to change your MX-Record to: nirvana.admins.ws in the
| DNS.
..
| All email sent to your domain will then be routed to nirvana.admins.ws,
| which blacklists (if conditions from our policy match) every IP address
| sending mail to it :-)

they had a properly configured mailserver.
According to which RFC? Is that at the level of MUST, SHOULD, or This
is an Experiment you Might want to Try?
By not telling you anything, I'm not telling you anything. It's just
that simple.
Do you want to be held to have agreed to everything you haven't
explicitly disclaimed according to every method that anybody else has
proposed?
False on several counts. (1) Backscatter isn't defined in terms of
"want". (2) I don't want them, and I've said so and posted that fact
here numerous times.
You have a problem with them telling the truth?
Please explain exactly how I can stop spammers from forging, keeping
in mind that it's illegal in most states to shoot them.
I don't see any claim about "misbehaving". I see statements about
"sent NDRs to addresses that never send email".
So what? Backscatterer doesn't claim that the NDR-sender would or
would not have sent NDRs in some alternate universe. It claims that
the server actually sent something.
Those systems do what _they_ are programmed to do by _their
administrators_. I'm not one of their administrators. I have no
control over what they do.
Backscatterer isn't about fault. It's about specific email messages.
What they send is their responsibility.
I am not using those tools. That's all I say by not using those
tools. I am not responsible for any incorrect conclusions drawn by
anybody else.
All the messages that are actually from it are legitimate. Messages
forged by spammers are not legitimate, and I'm not saying they are.
If you say they are, then you're lying (or at least wrong).
No problem then: my mailbox is protected by Uncle Guido's Osteofractic
Mailbox Protection Service.
You may define terms however you wish. When you use terms in
non-standard ways, your ability to communicate ideas suffers and
instead of people saying "so what?" they say "You're wrong."
YM "Stussy-defined-backscatter" can be sent only by such servers. I
don't care about that; I want to stop Seth-defined backscatter (which
happens to match backscatterer-defined backscatter, and probably the
definitions of most other entities posting here).
Your opinion as to how others should behave is noted. How many users
does your list of sites that backscatter by your definition have?
You don't get to invent and place responsibilities on others.
OK: "If I didn't send it, then it isn't from me."
You can say they're required to do something. It doesn't matter; they
get listed for what they do, whether or not you claim (correctly or
not doesn't matter) that it's required.
I've told them.
Oh, so now you get to list all the possible ways?
A message that I didn't send but which claims to come from me is not
legitimate. It's just that simple.
No, they haven't. You have continuously used incorrect definitions of
terms in order to support your claims.
No message is _legitimately_ sent (that is, by anyone authorized by
the mailbox owner to send it) from any of those mailboxes.
That's right.
They aren't the sender. Some spammer is the sender.
In this case, they're both true.
As before, you don't get to create needs for others.

Seth