[Top] [All Lists]

making mail traceable (was Re: Received header Considered Pathetic)

2004-01-16 09:47:07

 The "Received" header is woefully inadequate for spam tracing

True. Then again, so is the rest of the message format and mail transport.

If we really want to make mail traceable, we need to do a bit more than fix Received. As I see it, we need:

- A message hash function that is invariant across the various kinds of munging that happens in mail transport, but still good enough for non-repudiation (though it probably won't be good enough to serve as a general-purpose signature) - An originator-id separate from From, MAIL FROM/Return-Path, Reply-To or Sender that uniquely distinguishes the originator of the message from other message originators. it doesn't have to actually expose the originator's name, email address, account name, etc. - it could be a nonce as long as the originating ISP or organization could trace it to the actual originator within a reasonable time. - A new header field which associates the message hash, originator-id, timestamp, and originating ISP or organization, which is signed by that originating ISP or organization, and which is easily verifiable by recipients or MTAs - A way to ensure that messages get tagged with originator-id when they are injected into the mail systems (e.g. ISPs blocking port 25 and/or MTAs refusing to accept incoming mail without originator-ids or with unverifiable originator-ids) - If you really wanted to, you could augment Received or add a new trace field that recomputed the hash at each hop (to show if and where the message was corrupted in transport)

This would give you a way to associate each message with an identifier for the originator, issued by the originator's ISP or organization. Then you'd need some way to ask that ISP or organization "is the guy who sent this message trustworthy?" And they could say "as far as we know, he doesn't have many abuse reports and he's been with us for years" or "he just signed up yesterday" or "this is a trial account, we have no billing information for him" or "we've had several hundred abuse reports in the last 3 hours". And the receiving MTA or recipient could delay, filter, or bounce the message accordingly. Of course, some ISPs would lie, and some would not support the verification protocol. But they'd get reputations for those decisions, and they'd be marginalized.

But do we really want traceability? Or to put it another way, do we really want to put hooks in the mail system that make mass surveillance (by governments, or perhaps even by large companies or unscrupulous ISPs) that much easier?