http://www.danisch.de/tmp/draft_mtp.txt
I've looked through that draft and many messages in the new archives
of this mailing list. Unfortunately, both contain many statements
and assumptions that are common but I think incorrect. Contrary to
various statements:
- text filtering can give failure indications during SMTP transactions.
There are many examples of such systems, including some installations
of SpamAssassin, the DCC, and many uses of the sendmail milter mechanism.
- whether mail is solicited cannot be determined by examining headers,
cryptographic checksums, or anything in a message. Solicited mail
is not only mail in response to previous mail, and not only because
of the obvious chicken-and-egg problem in that. Solicited mail is
whatever the target wants, possibly including chain letters from
strangers or absolutely any other kind of mail. There is no accounting
for tastes. No matter what kind of mail you think is unacceptable,
someone somewhere wants it.
- most talk of "header forgery" is confused. The best demonstration
of that fact was a recent message to this mailing list that talked about
people "forging" their own addresses. That makes no sense given
the English definition of the verb "to forge." You cannot "forge"
your own name or address.
The problem is that many and perhaps most so-called "forged" mail
From addresses in spam are no more "forged" than the home return
address you put on picture postcards while on vacation.
That the free mail provider of the mailbox has cancelled a spammer's
account does not make the use of the mailbox "forgery" any more
than your use of a hotel's address is forgery the day before you
arrive or the day after you leave.
Free mail providers and others have worked hard to get people to
use "forge" to absolve them of their responsibility for providing
dropboxes to spammers.
- Many spammers do not care about DSNs or "bounces," but many others do.
Many spammers try to keep their target lists clean for various reasons,
including the automated blocking of IP addresses. It's said that
some large ISPs count the number of invalid target mail addresses
attempted and automatically blacklist IP addresses or domain names
that try too many bad addresses.
On the other hand many other spammers care so little that they use
bogus SMTP command pipelining to send the client's side of the SMTP
transaction in a single burst. The FIN is queued before the SMTP
server has finished the reverse DNS lookup of the client's IP address.
- PKI, X.500, PGP, SMIME, and all other authentication mechanisms
are irrelevant to stopping spam. It is not only that the amazing
story in http://www.cert.org/advisories/CA-2001-04.html demonstrates
that it is impossible for $350/certificate to check the identity
of certificate holders. It is that a fundamental design goal of
SMTP is to allow strangers to send each other mail.
If you are willing to accept a message from a complete stranger, then
it makes no sense to talk about authenticating the stranger. Strangers
are people you don't know and cannot trust to not be sending you and
500,000,000 of your closest friends the same message.
You might have a list of SMTP clients that you trust to know their
users and so not have too many spammers, but for that you do not need
and cannot really use any cryptographic authentication mechanisms.
You already have a practically unforgeable handle on the SMTP client
in its IP address.
On the other hand, if you don't want to receive mail from strangers,
there are many mechanisms that work fine including PGP, SMIME, and
various mail white-list mechanisms.
- There is a single, common definition of spam that works. It is
"unsolicited bulk mail." "Unsolicited" is determined by the target
unless the sender has creditable evidence that the target asked for the
mail. "Bulk" is some number of substantially identical messages usually
more than a dozen.
There are many other broken definitions of spam, but they are all
either over-elaborate variations of unsolicited bulk, based on
notions of censorship (e.g. unsolicited commercial or pornographic
mail), or lies and nonsense from spammers.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
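
The single-burst behaviour described in the message above can be recognised on the receiving side by checking the order of lines in a session. The following is an added example, not part of the original message or of any mail server's code: a small auditor that flags a client that talks before the 220 greeting, pipelines without the RFC 2920 PIPELINING extension having been advertised, or sends the message body before the 354 reply. The event format, the finding names and the example.test host names are assumptions made for this sketch.

```python
import re
from collections import deque

FINAL_REPLY = re.compile(r"^(\d{3})( |$)")  # last line of a possibly multiline reply

def audit_session(events):
    """events: ordered (direction, line) pairs as seen by the server, "S" = server
    to client, "C" = client to server. Returns finding names in order of first sight."""
    findings = []
    greeted = pipelining_ok = in_body = go_ahead = False
    pending = deque()  # client commands still awaiting a final reply

    def flag(name):
        if name not in findings:
            findings.append(name)

    for direction, line in events:
        if direction == "S":
            if line[4:].strip().upper() == "PIPELINING":
                pipelining_ok = True  # RFC 2920 extension advertised after EHLO
            m = FINAL_REPLY.match(line)
            if not m:
                continue  # continuation line such as "250-SIZE 10240000"
            if not greeted:
                greeted = m.group(1) == "220"
            elif pending and pending.popleft() == "DATA":
                go_ahead = m.group(1) == "354"
                in_body = in_body and go_ahead  # DATA refused: no body expected
        elif in_body:
            if not go_ahead:
                flag("body-before-354")  # message sent without waiting for 354
            if line == ".":
                in_body = False
                pending.append(".")  # end-of-data also awaits a reply
        else:
            if not greeted:
                flag("early-talker")  # spoke before the 220 greeting
            if pending and not pipelining_ok:
                flag("unauthorized-pipelining")  # did not wait for the reply
            verb = line.split(None, 1)[0].upper() if line.strip() else ""
            pending.append(verb)
            in_body, go_ahead = verb == "DATA", False
    return findings

# Constructed sample sessions (not captured traffic); example.test names are placeholders.
CMDS = [("C", "MAIL FROM:<a@example.test>"), ("C", "RCPT TO:<b@example.test>"), ("C", "DATA")]
BODY = [("C", "Subject: test"), ("C", ".")]
BURST = [("C", "EHLO x.example.test")] + CMDS + BODY + [("C", "QUIT"), ("S", "220 mx.example.test ESMTP")]
POLITE = ([("S", "220 mx.example.test ESMTP"), ("C", "EHLO x.example.test"),
           ("S", "250-mx.example.test"), ("S", "250 PIPELINING")] + CMDS
          + [("S", "250 Ok"), ("S", "250 Ok"), ("S", "354 Go ahead")] + BODY
          + [("S", "250 Queued"), ("C", "QUIT"), ("S", "221 Bye")])
```

BURST models the whole client side arriving before the server has sent its greeting; POLITE is a client that waits for the greeting and pipelines only after the extension is advertised.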