Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)
On Mon, 1 Dec 2003 19:51, Hector Santos wrote:
> No, you got it. And you raise a very excellent possible solution which I
> like because it doesn't technically change the SMTP protocol. It now
> becomes a functional requirement.
> ...
> Compliant servers must support VRFY as a way to validate return address.

I don't see how this, on its own, overlaps with a proposal like LMAP. If host
X sends us mail with "MAIL From:<user@Y>", then we ask an MX for Y to "VRFY
user@Y", all we have determined is whether <user@Y> is a "valid" address, for
some loose definition of "valid". (One of my domains has a catch-all address
in force at the moment anyhow, so *every* syntactically valid address is a
"valid mailbox".) Critically, what we have *not* determined is whether host X
is *authorised* to represent that address. That is what LMAP attempts to
ascertain.

The reinstatement of VRFY would potentially give spammers a good way of
evaluating their address lists. A spammer could also probe around for a
verifiable address to use in the "MAIL From:" part of the dialogue. In the
absence of an LMAP-type authorisation mechanism, this strikes me as a rather
bad thing.

Is your response to this a challenge/response type scenario, where the
(known-to-be-valid) return address is sent a message asking for confirmation?
This is a nasty burden on the victim of fraud. We need the LMAP-type
authorisation mechanism to act as a first-pass filter to reject blatant
frauds.

Or perhaps I've missed your point. I haven't had the time to fully analyse all
the messages on this list in the last couple of days.

Regards,
TFBW
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
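
An added example, not part of the original message: a small Python model of the distinction drawn above, where a VRFY-style lookup answers only whether a mailbox exists while an LMAP-type lookup answers whether the connecting host may use the domain. The domains, addresses, function names and the table of authorised networks are constructed assumptions; the message does not say how LMAP publishes its data.

```python
import ipaddress

# Constructed sample data (not from the original message).
# Mailboxes each domain's MX would confirm; "*" models a catch-all address.
MAILBOXES = {"y.example": {"*"}, "z.example": {"alice"}}

# Hypothetical LMAP-style records: networks allowed to send mail as each domain.
AUTHORISED_SENDERS = {
    "y.example": ["192.0.2.0/28"],
    "z.example": ["198.51.100.25/32"],
}


def vrfy(address):
    """Model of asking the domain's MX to VRFY: does the mailbox exist?"""
    local, _, domain = address.rpartition("@")
    boxes = MAILBOXES.get(domain.lower(), set())
    return bool(local) and ("*" in boxes or local.lower() in boxes)


def host_authorised(client_ip, address):
    """Model of an LMAP-type check: may this host send as the address's domain?"""
    domain = address.rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    networks = AUTHORISED_SENDERS.get(domain, [])
    return any(ip in ipaddress.ip_network(net) for net in networks)


def evaluate(client_ip, mail_from):
    """Run both checks for a connection from client_ip giving MAIL From:<...>."""
    address = mail_from.strip().strip("<>")
    return {
        "vrfy_valid": vrfy(address),
        "host_authorised": host_authorised(client_ip, address),
    }


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "<anything@y.example>"),  # unrelated host, catch-all domain
        ("192.0.2.5", "<user@y.example>"),        # host inside the published range
        ("198.51.100.25", "<bob@z.example>"),     # authorised host, unknown mailbox
    ]
    for ip, sender in cases:
        print(ip, sender, evaluate(ip, sender))
```

The first case is the one the message is concerned with: the address verifies, yet nothing ties the sending host to the domain.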