
Re: [Asrg] Re: draft-danisch-dns-rr-smtp-01.txt



At 07:40 AM 4/27/03 -0600, Vernon Schryver wrote:
>> From: Scott Nelson <scott@spamwolf.com>
>
>> >> ...
>> >> Recognize that the goal for the receiver isn't to find all the 
>> >> valid IP's for a domain, but rather just the one they are receiving
>> >> email from.  To answer the question "is IP a.b.c.d an authorized 
>> >> IP for example.com?", the receiver could check 
>> >> d.c.b.a.rmx.example.com.
>
>> >The problem with that is that Hotmail, Yahoo, and most of the rest of
>> >the owners of the domain names that appear in SMTP Mail_From senders
>> >in the majority of spam instruct their DNS servers to always answer
>> >"yes, a.b.c.d authorized" for any and all IP addresses.
>
>> Just to clarify, that's a problem with the idea of authorized senders,
>> not the suggestion that IF you attempt to authorize IPs, then you
>> should do it on a single IP rather than trying to get the whole range.
>
>I don't understand that.
>

The paper (draft-danisch-dns-rr-smtp-01.txt) advocates a method for
doing authentication of IP addresses as valid senders for domains.
My post suggested an improvement (IMO) to the method of 
doing authentication of IP addresses as valid senders for domains.

I was simply trying to make it clear that your complaint applies to
/all/ methods of authentication of IP addresses as valid senders for 
domains, and not just the particular method I suggested.


>> The way SMTP works currently, authorized sender lists are
>> only useful to identify email that is very likely to be from the
>> domain in question, and not useful in identifying email that is not.  
>> In other words, one should use it only to accept an email, 
>> not to reject it.  (Or make it more likely to be accepted).
>
>To identify mail that is very likely to be from the domain in question,
>you do not need any new protocols, modifications to existing protocols,
>or new conventions such as DNS RRs.  You need only compare the PTR RR
>for the SMTP client with the envelope sender domain.  That comparison
>won't be completely accurate, but it will be more accurate than any
>new scheme.
>

PTR RR for the SMTP client?
Now I do not understand.


>> I think the value of being able to whitelist an email is not as 
>> great as the problem of people who incorrectly chose to 
>> reject email for failure, but I'm neither sure nor certain.
>> Perhaps if it was limited to system messages, 
>> or certain privileged accounts like postmaster or mailer_daemon 
>> then it might have greater value.
>
>That would be an interesting idea, except that the address of that
>sort that is most commonly forged in spam lacks a domain to check or
>compare (as well as a user name).  Remember that bounces are supposed
>to come from "<>".  See section 6.1 of RFC 2821.
>

Maybe we should change that.
That's one of the purposes of this group, isn't it?
To suggest changes to SMTP that would make it more resistant to spam?

Scott Nelson <scott@spamwolf.com>
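
The per-IP check discussed in this thread, as an added example that is not part of the original message or of the draft: it builds the d.c.b.a.rmx.example.com query name for one connecting IP and shows the three outcomes the thread argues about (a listed IP, a domain that answers yes for every IP, and the null sender "<>" with no domain to check). The `rmx` label as used here, the in-memory zone standing in for DNS, and all function names are assumptions for illustration.

```python
import ipaddress

# Constructed zone data standing in for DNS answers (assumption, not real records).
ZONE = {
    "10.2.0.192.rmx.example.com": True,   # one explicitly authorized IP
    "*.rmx.freemail.example": True,       # wildcard: answers yes for any IP
}

def rmx_query_name(ip, domain):
    """Build d.c.b.a.rmx.<domain> for the IPv4 address a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)       # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.rmx.{domain.lower().rstrip('.')}"

def lookup(name, zone=ZONE):
    """Exact match first, then a wildcard directly under rmx (simplified DNS)."""
    if name in zone:
        return True
    _, _, suffix = name.partition(".rmx.")
    return zone.get(f"*.rmx.{suffix}", False)

def sender_domain(mail_from):
    """Domain of the envelope sender, or None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1]

def classify(client_ip, mail_from):
    """Accept-only use: a miss is 'unknown', never a reason to reject."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "no-domain"                 # bounces from <> cannot be checked
    if lookup(rmx_query_name(client_ip, domain)):
        return "authorized"
    return "unknown"

if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.10", "<user@example.com>"),          # listed IP
        ("198.51.100.7", "<user@example.com>"),        # not listed
        ("198.51.100.7", "<anyone@freemail.example>"), # wildcard says yes
        ("192.0.2.10", "<>"),                          # null sender
    ]:
        print(ip, sender, classify(ip, sender))
```

A receiver cannot tell the wildcard "authorized" result apart from the explicitly listed one, which is why a positive answer carries only as much weight as the receiver's trust in the domain itself.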