ietf-asrg

RE: [Asrg] Re: RMX Records

2003-03-04 18:57:26
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Vernon Schryver
Sent: Tuesday, March 04, 2003 7:09 PM

That is wrong if asked and answered honestly.  Of course 
"insecurity" and "forgeability" have not been design goals, 
but "receiving mail from strangers" has been a goal.

That may have been the goal twenty years ago, but today the goal
must be reformulated, perhaps as "receiving personal email
from strangers must be possible for those who wish to receive
such mail".

Contrary to your implicit claim, sending from one IP address 
with a different return IP address has always been a design 
goal.  Sending from one domain name with a return address in 
another domain has always been an explicit design goal at 
least as far as the Reply-To header is concerned.  That the 
Sender header exists, suggests that differing SMTP client 
reverse DNS domain name and Mail_From values has been a goal. 

Ultimately, requirements translate into user requirements, not
some technical point.  Phrasing them technically as above
tends to obscure the real requirements.

So, for example, the real requirement is to be able to send
mail from one authorized address with a return address being
another authorized address, "authorized" being the operative
word.  Or it's the ability to run mailing lists with
reasonable "From" addresses, and a choice (at the list server 
level) between having the default reply go back to the sender
or to the list.

I do not believe that it was ever a requirement to have
the ability to send an email with a return address one had
no right to use, and even if it were, it is not a requirement
now.  Requirements phrased in terms of IP addresses are only
justifiable when rephrased and analyzed this way.

Requiring that the reverse DNS domain name matches the 
Mail_From domain name is as wrong and silly as it would be to 
require that when you send a picture postcard while on 
vacation you use your current hotel as your return address.  
Neither requirement would reduce fraud, spam, or anything 
else that is bad.
 
While that's often done, the real requirement is that the 
sending computer have the authorization to send on behalf
of the purported (i.e. mail_from) domain -- or perhaps 
it needs to be at the user level or some other granularity.

However, let me observe that a significant proportion of the
spam I receive can be rejected on the reverse DNS basis, while 
only a tiny proportion of legitimate mail would result in a false
positive.  So, while it's far from perfect, I don't agree
with your conclusion that it doesn't reduce spam, based on 
my own personal empirical evidence.

Gary

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
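
The two checks contrasted in this message, as an added example that is not part of the original post: a reverse-DNS-to-Mail_From name match next to a lookup of whether the sending address is authorized for the Mail_From domain. The authorization table, the sessions and all names are constructed for illustration (documentation-reserved addresses and domains), and the table is not the RMX record format.

```python
import ipaddress

# Constructed authorization table (hypothetical): networks each domain's
# owner has said may send mail with that domain in Mail_From.
AUTHORIZED_SENDERS = {
    "example.org": ["192.0.2.0/28"],
    "lists.example.net": ["198.51.100.25/32"],
}

# Constructed sessions: (client IP, reverse DNS name of client, Mail_From)
SESSIONS = [
    ("192.0.2.5", "mx1.example.org", "alice@example.org"),        # domain's own server
    ("192.0.2.9", "out.hosting.example", "bob@example.org"),      # authorized outsourced relay
    ("203.0.113.77", "dsl-77.isp.example", "carol@example.org"),  # return address used without authorization
    ("198.51.100.25", "lists.example.net", "announce@lists.example.net"),  # list server
]

def domain_of(address):
    """Return the lower-cased domain part of a mailbox address."""
    return address.rsplit("@", 1)[1].lower()

def rdns_matches(rdns_name, mail_from):
    """Reverse DNS check: client name equals or is under the Mail_From domain."""
    domain = domain_of(mail_from)
    name = rdns_name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def is_authorized(client_ip, mail_from, table=AUTHORIZED_SENDERS):
    """Authorization check: client IP is in a network listed for the domain."""
    ip = ipaddress.ip_address(client_ip)
    networks = table.get(domain_of(mail_from), [])
    return any(ip in ipaddress.ip_network(net) for net in networks)

def compare(sessions=SESSIONS):
    """Return (client IP, Mail_From, rdns verdict, authorization verdict) per session."""
    return [(ip, sender, rdns_matches(name, sender), is_authorized(ip, sender))
            for ip, name, sender in sessions]

if __name__ == "__main__":
    for ip, sender, rdns_ok, auth_ok in compare():
        print(f"{ip:15} {sender:28} rdns={rdns_ok!s:5} authorized={auth_ok}")
```

The second session is the case where the two checks disagree: the name match rejects a sender the domain has authorized, while both checks reject the third.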