From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Vernon Schryver
Sent: Tuesday, March 04, 2003 7:09 PM
That is wrong if asked and answered honestly. Of course
"insecurity" and "forgeability" have not been design goals,
but "receiving mail from strangers" has been a goal.
That may have been the goal twenty years ago, but today the goal
must be reformulated, perhaps as "receiving personal email
from strangers must be possible for those who wish to receive
such mail"
Contrary to your implicit claim, sending from one IP address
with a different return IP address has always been a design
goal. Sending from one domain name with a return address in
another domain has always been an explicit design goal at
least as far as the Reply-To header is concerned. That the
Sender header exists, suggests that differing SMTP client
reverse DNS domain name and Mail_From values has been a goal.
Ultimately, requirements translate into user requirements, not
some technical point. Phrasing them technically as above
tends to obscure the real requirements.
So, for example, the real requirement is to be able to send
mail from one authorized address with a return address being
another authorized address, "authorized" being the operative
word. Or it's the ability to run mailing lists with
reasonable "From" addresses, and a choice (at the list server
level) between having the default reply go back to the sender
or to the list.
I do not believe that it was ever a requirement to have
the ability to send an email with a return address one had
no right to use, and even if it were, it is not a requirement
now. Requirements phrased in terms of IP addresses are only
justifiable when rephrased and analyzed this way.
Requiring that the reverse DNS domain name matches the
Mail_From domain name is as wrong and silly as it would be to
require that when you send a picture postcard while on
vacation you use your current hotel as your return address.
Neither requirement would reduce fraud, spam, or anything
else that is bad.
While that's often done, the real requirement is that the
sending computer have the authorization to send on behalf
of the purported (i.e. mail_from) domain -- or perhaps
it needs to be at the user level or some other granularity.
However, let me observe that a significant proportion of the
spam I receive can be rejected on the reverse DNS basis, while
only a tiny proportion of legitimate mail would result in a false
positive. So, while it's far from perfect, I don't agree
with your conclusion that it doesn't reduce spam, based on
my own personal empirical evidence.
Gary
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg