ietf-822
[Top] [All Lists]

Re: authenticating the source of mail

2002-05-20 09:17:54


Keith Moore wrote:

I've seen several [] users who routinely post from multiple accounts
from different ISPs, using a variety of SMTP servers, but using the
same From address.

Let's go through this slowly.

First of all, the domain in the reverse-path is what will get checked in
these cases. If the users or admins of that mail domain don't want to
limit the hosts that mail can be sent from, they have the obvious choice
of not using MS RRs. In this situation, nothing will change. The users can
still send mail from wherever they want, and spammers and trojans can
continue to use that mail domain in the reverse-path of the junk they
generate.

Orgs that want to limit the use of their mail domain to certain specific
hosts and/or networks can essentially volunteer an ingress ACL for remote
mail routers to use. This may be because company policy requires that all
mail go through a content-analyzer/modifier before it goes public, or it
may be because the org doesn't want anybody misrepresenting themselves as
an employee of that organization, or it may be because hotmail and aol
email is only supposed to come from some servers, or whatever.

There are already a bunch of ways that mobile users in these networks can
be supported. There are the MS flag types, submission servers, a subdomain
which doesn't run MS, dynamic DNS updates (via a login script or mail
client tweak, if necessary), webmail access to their home server, and
several other options. Heck, they can use their mobile email for the
reverse-path, with the From and/or Reply-To header fields pointing back to
the org's mail domain if nothing else.

In my case, I can use any and all of those and will be able to do this
without any difficulty, even though I frequently use remote systems to
monitor and send mail. As such, any mail from ehsco.com can be rejected if
it doesn't come from the hosts I list as authorized by me to send mail for
my domain. After a while, I would hope that successfully matching an MS RR
would act as a positive indicator against weighting filters, perhaps to
the point of being used as a whitelist-bypass (right now, we have ~40:1
ratio of negative triggers to positive triggers, and here's another
positive trigger).

So the real question remains to be ~what other methods can we use so that
more mail domains can take advantage of this, thereby improving the
chances of its use? What methods will be palatable to you? If you have no
interest in this, you do not have to opt-in, but that will not greatly
diminish the benefits to the orgs who can take advantage of it.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/