If each provider signed their messages AND included account identifiers
(as used by their access servers), then the providers themselves or some
third party would have little trouble blackhole listing problematic
systems. There would be NO danger that something in the customer's
system could be stolen.
A blackhole A record of 127.0.0.1 by the provider at the following:
Or if by a third party, it could be
This mechanism would also prevent a replay attack on signatures as well
as allow extraction of these problem accounts caused by compromised
systems. These people would quickly learn they have a problem, if they
use the mail services of the provider. If they do not, they should be
blocked by the provider outright. To prevent bounce traffic
unilaterally, BATV would be a better solution.
SPF et al. do not allow safe reputation assertions. A reputation
assertion is the ONLY way this type of abuse can be prevented. Binding
MAILFROM or the FROM with some IP address will not stop spam. Within
two minutes, spammers will have adapted, and yet a tremendous expense
and disruption will have taken place for little benefit.