[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Asrg] Re: 0. General - anti-harvesting (was Inquiry about CallerID Verification)

To: Matthew Elvey <matthew@elvey.com>
Subject: [Asrg] Re: 0. General - anti-harvesting (was Inquiry about CallerID Verification)
From: Scott A Crosby <scrosby@cs.rice.edu>
Date: 30 Nov 2003 13:20:43 -0600
Cc: ASRG <asrg@ietf.org>
In-reply-to: <3FCA32DB.7050304@elvey.com>
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
Organization: Rice University
References: <p06002031bbeef916a8b6@[192.168.254.12]><3FCA32DB.7050304@elvey.com>
Sender: asrg-admin@ietf.org
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)

On Sun, 30 Nov 2003 10:11:39 -0800, Matthew Elvey <matthew@elvey.com> writes:

> Perhaps a better alternative to deprecating <> would be saying that
> MTAs SHOULD bitbucket DSNs about email they know (thanks to LMTP
> and/or Received/MessageID headers) weren't sent from authorized
> IPs/systems.  Good/workable idea?

Probably, if the burden of proof is low and relatively easy.

> True.  By deprecated, I mean a spec that says that MTAs SHOULD not
> (not MUST not) use  <>.  Let's see if there is another solution for
> everything legit that it's currently useful for.  We don't want <> to
> be a way around LMTP, right?   For any failure DSN, I think the
> systems that send them can and should be modified so that all the
> failure status codes of rfc 1893 can be provided during SMTP.  Any
> intermediate system (offline UUCP excepted) that does so would need to
> be redesigned, as you point out below, if they wanted to avoid using
> <>.    For any success DSNs, perhaps they shouldn't be sent MAIL FROM:
> <>.  Locally generated and delivered mail shouldn't be bitbucketed.
> 

This seems to be putting the cart before the horse.

AFAIK, DSN's are for exceptional conditions. IE, in a well functioning
system, all messages get delivered and no DSN's need to be sent. Right
now we have a mis-functioning system where people send messages with
forged sending addresses, thus the DSN's are a DoS on the person
having their email address forged. Especially if they cannot be
programattically filtered.

But, perhaps they could?

How to do it is all sending systems attach a nonce (a random number)
to an email. All DSN's must include a nonce indicating to what this is
a response to. Users have the option to filter based on whether a
correct nonce is attached.

If a mailserver is changed to implement LMTP, it can be changed to
also implement the nonce scheme at the same time.

Scott

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- [Asrg] Re: 0. General - anti-harvesting (was Inquiry aboutCallerID Verification)
  - From: Bill Cole
- Re: [Asrg] Re: 0. General - anti-harvesting (was Inquiry about CallerID Verification)
  - From: Claus Assmann

References:
- Re: [Asrg] 0. General - anti-harvesting (was Inquiry aboutCallerID Verification)
  - From: Bill Cole
- Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)
  - From: Matthew Elvey

Prev by Date: Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)
Next by Date: Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)
Previous by thread: Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerIDVerification)
Next by thread: Re: [Asrg] Re: 0. General - anti-harvesting (was Inquiry about CallerID Verification)
Index(es):
- Date
- Thread