Address resolution

I’m implementing the federated push of messages and trying to make sure I am intepreting the spec properly. My assumption is that I need to resolve an inbox (or sharedInbox) for every address i find in to,cc,bto & bcc where each collection may lead to either an actor that has an inbox or a collection that needs to be paged through and then resolved.

My main question on this is whether it is intended that any collection is valid or if there are restrictions? I.e. the usual case appears to be that the sender includes their followers collection as a cc. But it seems that one could easily use the followers collection of some remote account with a million followers and force the sending server to a) resolve those million followers (paging through the collection and then resolving each address) and b) spamming those million addresses.

Are there any rules on addressing I overlooked in the spec to address this spamming angle or any patterns the community has adopted in the meantime, such as restricting collections to only those owned by the sender?

  • Collections should be dereferenced before delivery, but in practice they aren’t always.
    • Some collections are treated as “magic collections”, such as Public and anything in an actor’s followers property.
    • Paging/resolving a remote collection may fail due to access control or other authorization failures.
  • Implementions may add spam checks, and in practice, one such check is to disallow addressing collections from other domains.
    • But there are still valid reasons to address someone else’s followers, so an implementation may decide this is allowed and do what is called Inbox Forwarding.
      • In general, you will not be able to page through someone else’s followers collection unless it is publicly available. This is not always the case.
      • You might end up seeing the followers collection IRI and not be able to dereference it. If the collection is owned by you or your server, you may choose to forward it, or you may discard it as spam. Your choice.