ietf-asrg

Re: [Asrg] Requirements for source tracking

2003-03-05 11:24:17
At 12:39 AM -0800 3/5/03, Raymie Stata wrote:
> Another dimension of the design space is the use of cryptographic
> signatures versus DNS-mappings to authenticate domains and/or MTAs.
> Rather than debate this issue in the context of specific proposals, it
> may be worthwhile debating it at a more abstract level.
>
> I personally favor cryptographic approaches:

I've just joined, and I did skim the archives first, but I may have missed this. What exactly is meant by DNS-mapping? Only allowing outbound mail with a given from domain from within that domain? I think that's clearly unworkable given how many people send mail "from" their primary address while using a secondary. (A situation aggravated by port 25 blocking and, more recently, port 25 hijacking, where the connection is transparently routed to the ISP's server.)

Would you see cryptographic domain verification as being something where (for example) the sending client or initial MTA would verify the from domain by using some embedded cryptographic information in the message and comparing it to information retrieved from the domain server for that domain?

Note that not all spammers use fake domains. We ran into one who was generating new domain names every week and using those. We were finally able to spot his spam reliably from the headers, but he didn't fail any domain forgery tests.

One issue with verification techniques (and this comes from someone who normally signs all of his email--just waiting for the PGP Eudora plugin to come back), is that the next consequence will be trojans and viruses that steal the keys. Any system in this space should have a very simple mechanism for canceling and reissuing keys. Poor ease of use has always been a major factor in keeping signed email from wide deployment. (As attested by my previous comment about the Eudora plugin :-).
--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
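
Added example, not part of the original message: a Go sketch of the cryptographic domain verification the message asks about, together with the key cancel-and-reissue step it calls for. The in-memory `keyRecords` map standing in for the domain's name server, the `selector@domain` record naming, and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// keyRecords stands in for the domain's name server (hypothetical layout).
type keyRecords map[string]ed25519.PublicKey

// Signed is a message with the signing information embedded in it.
type Signed struct {
	FromDomain, Selector, Body string
	Sig                        []byte
}

var ErrNoKey = errors.New("no key published (cancelled or unknown selector)")
var ErrBadSig = errors.New("signature does not match the domain's key")

func payload(domain, body string) []byte { return []byte(domain + "\n" + body) }

// Sign runs on the sending domain's initial MTA.
func Sign(priv ed25519.PrivateKey, domain, selector, body string) Signed {
	return Signed{domain, selector, body, ed25519.Sign(priv, payload(domain, body))}
}

// Verify runs on the receiver: look up the key named in the message under
// the claimed From domain, then check the signature against it.
func Verify(dns keyRecords, m Signed) error {
	pub, ok := dns[m.Selector+"@"+m.FromDomain]
	if !ok {
		return ErrNoKey
	}
	if !ed25519.Verify(pub, payload(m.FromDomain, m.Body), m.Sig) {
		return ErrBadSig
	}
	return nil
}

// Reissue cancels oldSel (if any) and publishes a fresh key under newSel.
func Reissue(dns keyRecords, domain, oldSel, newSel string) ed25519.PrivateKey {
	delete(dns, oldSel+"@"+domain)
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	dns[newSel+"@"+domain] = pub
	return priv
}

func main() {
	dns := keyRecords{}
	k1 := Reissue(dns, "example.org", "", "k1") // constructed sample domain
	fmt.Println(Verify(dns, Sign(k1, "example.org", "k1", "hello")))
}
```

A message signed with a key published for a sender's own freshly created domain still verifies, which is the limit the message points out: the check authenticates the domain, it does not say whether the mail is wanted.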