I’m implementing the federated push of messages and trying to make sure I am interpreting the spec properly. My assumption is that I need to resolve an inbox (or sharedInbox) for every address I find in `to`, `cc`, `bto` & `bcc` where each collection may lead to either an `actor` that has an inbox or a `collection` that needs to be paged through and then resolved.
My main question on this is whether it is intended that any collection is valid or if there are restrictions? I.e. the usual case appears to be that the sender includes their `followers` collection as a `cc`. But it seems that one could easily use the `followers` collection of some remote account with a million followers and force the sending server to a) resolve those million followers (paging through the collection and then resolving each address) and b) spam those million addresses.
Are there any rules on addressing I overlooked in the spec to address this spamming angle or any patterns the community has adopted in the meantime, such as restricting collections to only those owned by the sender?
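
One way to apply the sender-owned-collection restriction asked about above, as an added example that is not part of the original post. The policy itself, the `MAX_PAGES` cap, the function names and every sample actor and URL are assumptions constructed for illustration; `fetch` stands in for an HTTP GET of an ActivityPub document.

```python
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
COLLECTIONS = {"Collection", "OrderedCollection"}
MAX_PAGES = 100  # assumed cap on pages walked per collection

def ids(v):  # single value, list, or embedded objects -> list of ids
    seq = v if isinstance(v, list) else [] if v is None else [v]
    return [x["id"] if isinstance(x, dict) else x for x in seq]

def members(coll, fetch):
    """Yield member ids from inline items or first/next pages, up to MAX_PAGES."""
    page, walked = coll, 0
    while page is not None and walked <= MAX_PAGES:
        yield from ids(page.get("orderedItems") or page.get("items"))
        ref = page.get("first") if page is coll else page.get("next")
        page, walked = (fetch(ref) if isinstance(ref, str) else ref), walked + 1

def inbox_of(actor, shared):
    s = (actor.get("endpoints") or {}).get("sharedInbox")
    return s if shared and s else actor["inbox"]

def resolve_inboxes(activity, sender, fetch):
    """Return (inboxes to deliver to, collections refused by policy)."""
    own = {sender.get("followers")} - {None}  # assumed policy: sender-owned only
    inboxes, refused = set(), []
    targets = {t for f in ("to", "cc", "bto", "bcc") for t in ids(activity.get(f))}
    for target in sorted(targets - {PUBLIC, sender["id"]}):
        obj = fetch(target)
        if target in own:  # expand one layer only; members are treated as actors
            for actor in map(fetch, set(members(obj, fetch)) - {sender["id"]}):
                if "inbox" in actor:
                    inboxes.add(inbox_of(actor, shared=True))
        elif obj.get("type") in COLLECTIONS:
            refused.append(target)  # foreign collection: never paged, never delivered
        elif "inbox" in obj:
            inboxes.add(inbox_of(obj, shared=False))  # direct addressee: personal inbox
    return inboxes, refused

# Constructed sample documents standing in for HTTP fetches (all names are made up).
F, BIG = "https://a.example/alice/followers", "https://big.example/celeb/followers"
def person(host, name):
    u = f"https://{host}/{name}"
    return {"id": u, "inbox": u + "/inbox", "endpoints": {"sharedInbox": f"https://{host}/inbox"}}
DOCS = {d["id"]: d for d in [
    {**person("a.example", "alice"), "followers": F}, person("d.example", "erin"),
    person("b.example", "bob"), person("b.example", "carol"), person("c.example", "dave"),
    {"id": F, "type": "OrderedCollection", "first": F + "?page=1"},
    {"id": F + "?page=1", "next": F + "?page=2", "orderedItems": ["https://b.example/bob", "https://b.example/carol"]},
    {"id": F + "?page=2", "orderedItems": ["https://c.example/dave"]},
    {"id": BIG, "type": "OrderedCollection", "totalItems": 1000000}]}
NOTE = {"to": [PUBLIC], "cc": [F, BIG], "bto": ["https://d.example/erin"]}
```

Calling `resolve_inboxes(NOTE, DOCS["https://a.example/alice"], DOCS.__getitem__)` delivers to three inboxes and reports the remote million-follower collection as refused instead of paging it.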