[Asrg] SMTP pull anyone?

To: asrg at irtf.org
Subject: [Asrg] SMTP pull anyone?
From: Ravi shankar <ravisha22 at gmail.com>
Date: Sun, 16 Aug 2009 16:50:39 +0530
Delivered-to: asrg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=4medDtOyfe0j3RCmAJ0UqZ4zI87z3t7s4PgF21PGBIE=; b=E69K5nB1fMX0bqxDGrhL6zejJw1C+dnarYDmLbcK+ZapuweoJj4GbazNwnciTYUj3I JP1BPQQgK+xGx0E/9YTfDYNN8cjNlceMxBv/t7QUXoc+QP6wrDgBrjoMD4eY5Dwyegow WfcBSmgz8FUfW7+9mueW5dhjr3V3yHf6u3D/A=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=Dxo8EKv1hGpOUpZEgdjCezL8o1D0Iwdmfle3EeNESkZE8KS9S6/W+VxF/nrFLB+fgT PINNBOzqbMenT0tHtaVvO/BhUD/B9gnRIPHJFthz3b1REBqgbl2OwARdyrUtHqwqtOji 3TynFxBykO2xCzYmnMZYNRo2KUcKc2PXZjUxY=
List-archive: <http://www.irtf.org/mail-archive/web/asrg>
List-help: <mailto:asrg-request@irtf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-post: <mailto:asrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
Reply-to: Anti-Spam Research Group - IRTF <asrg at irtf.org>

Hi,

Me and my buddy had a interesting discussion, which i thought could put across the geeks here.

It goes something like this:

SMTP is currently a push protocol and is initiated by the the sender, no controlling that fact.

But it is possible to overcome the relay problems, IP spoofing and domain impersonation etc,

by making the servers pull the mails.

1. Sending server contacts the destination and proovides the Message ID and sender details(and other details) and disconnects the session.

2. The receiving server queues it up and looks up the messages one by one using DNS to determine their legitimacy.

3. If the IP that contacted is legitimate(can be verified by say SPF?), it contacts the sender and provides the message ID with other details.

4. The sending server then hands over the message.

5. To overcome DDoS attacks, the receiving server can be made to request the next 10 or so Message IDs that it will assign to messages,

so that if a attacker tries to give those details, it will know from the next list of message IDs that it's fake connection.

6. May be by this collection of data, the IP addresses can be reported to a RBL and blacklisted.

Please point the holes in this model, so that we might get a entirely new insight.

Note: I have gone trough IM2000 and other similar discussions in the archive. Just thought this version of C/R is worth getting discussed.

Regards,

Ravi

Follow-Ups:
- Re: [Asrg] SMTP pull anyone?
  - From: Dave CROCKER
- Re: [Asrg] SMTP pull anyone?
  - From: mathew
- Re: [Asrg] SMTP pull anyone?
  - From: Bill Cole