RE: [Asrg] Several Observations and a solution that addresses them all

[Jason Hihn <jhihn@paytimepayroll.com>]

> -----Original Message-----
> From: Kee Hinckley [mailto:nazgul@somewhere.com]
> Sent: Tuesday, March 11, 2003 1:04 PM
> To: Jason Hihn
> Cc: Valdis.Kletnieks@vt.edu; ASRG
> Subject: RE: [Asrg] Several Observations and a solution that addresses
> them all
>
>
> At 12:08 PM -0500 3/11/03, Jason Hihn wrote:
> >Dispatch is the heart of it all. It will pass on the request to sub mail
> >servers if it cannot be determined on this one. It also makes
> sure that the
> >connection comes from a recenelty sent-to domain to keep spammers from
> >asking for validations of email addrs out of the blue.
>
> What you said was that it was "trivial".

Indeed. If you don't consider that trivial... ;-)

>
> What you have described requires that the primary and secondary MXs
> for a domain all run custom software which connects to the
> centralized server that sends all email for a domain, and that that
> server keep track of all outbound mail, who it came from and where it
> went.  And it assumes by convention that nobody from that domain is
> allowed to send email via any other server.

You need not track from who to who, just from where to where. Or better yet,
make it configurable. Let the UE suffer higher spam rates because of their
privacy laws.. (Ironic don't you think?)

> There's also another little problem.
>
> MAIL FROM:<jhihn@paytimepayroll.com>
> RCPT TO:<nazgul@somewhere.com>
>
> Now I go back to your server and say, "is jhihn@paytimepayroll.com a
> valid address" and your server says, "what the hell are you talking
> about, I've gotten hundreds of queries about this person, but they
> did not send mail to nazgul@somewhere.com, they only sent email to
> asrg@ietf.org.  Must be a spammer.  Not valid."

Exactly. You have no rights to my info if I did not send to you. Don't speak
until spoken to. If I sent you mail then that means I don't mind you knowing
who I am. I don't see how this is incorrect or undesired behavior.

> So if you want this to work you need to extend the SMTP protocol.

Yes.

> There isn't enough information in the transport to uniquely identify
> a message.

Nor would I want there to be. Assume that we do have spammers in the new
system. I'd still like to remain at large to them. By saying "I got this
message from you, addressed to me" allows covert software to log the unique
validation request. Assuming we only validate emails we get (as opposed to
those we don't get) we'd expose our email address. Where as if you say this
is "yahoo.com(by reverse lookup), I want to verify blackrider@yourdomain"
the spammer has to slow things down to the point that there is only one
outstanding address to his request, per domain. It gets even hairer for the
spammer if yahoo.com and another domain cooperate, and the requests can come
from earthlink.net too. Get enough cooperation and any lonk od overlap
really does a number on the spammer. Then there can ever only be one
outstanding address at once. This would require the validation server to be
able to ask yahoo.com who are you cooperating with (or present it at
validation request time)

> But in any case, it's clear that the operative word is *not* "trivial".

Lets define trival. Anything that can be solved in polynomial time is
trivial.
Our techniques are lexography and syntax and some elemenaty structure
navigation. All polynomially complete, and therefor trivial ;-)




_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg