-----Original Message-----
From: Kee Hinckley [mailto:nazgul(_at_)somewhere(_dot_)com]
Sent: Tuesday, March 11, 2003 1:04 PM
To: Jason Hihn
Cc: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu; ASRG
Subject: RE: [Asrg] Several Observations and a solution that addresses them all
At 12:08 PM -0500 3/11/03, Jason Hihn wrote:
Dispatch is the heart of it all. It will pass on the request to sub mail
servers if it cannot be determined on this one. It also makes sure that the
connection comes from a recently sent-to domain to keep spammers from
asking for validations of email addrs out of the blue.
What you said was that it was "trivial".
Indeed. If you don't consider that trivial... ;-)
What you have described requires that the primary and secondary MXs
for a domain all run custom software which connects to the
centralized server that sends all email for a domain, and that that
server keep track of all outbound mail, who it came from and where it
went. And it assumes by convention that nobody from that domain is
allowed to send email via any other server.
You need not track from who to who, just from where to where. Or better yet,
make it configurable. Let the EU suffer higher spam rates because of their
privacy laws. (Ironic, don't you think?)
There's also another little problem.
MAIL FROM:<jhihn(_at_)paytimepayroll(_dot_)com>
RCPT TO:<nazgul(_at_)somewhere(_dot_)com>
Now I go back to your server and say, "is jhihn(_at_)paytimepayroll(_dot_)com a
valid address" and your server says, "what the hell are you talking
about, I've gotten hundreds of queries about this person, but they
did not send mail to nazgul(_at_)somewhere(_dot_)com, they only sent email to
asrg(_at_)ietf(_dot_)org. Must be a spammer. Not valid."
Exactly. You have no rights to my info if I did not send to you. Don't speak
until spoken to. If I sent you mail then that means I don't mind you knowing
who I am. I don't see how this is incorrect or undesired behavior.
So if you want this to work you need to extend the SMTP protocol.
Yes.
There isn't enough information in the transport to uniquely identify
a message.
Nor would I want there to be. Assume that we do have spammers in the new
system. I'd still like to remain at large to them. By saying "I got this
message from you, addressed to me" allows covert software to log the unique
validation request. Assuming we only validate emails we get (as opposed to
those we don't get) we'd expose our email address. Whereas if you say this
is "yahoo.com (by reverse lookup), I want to verify blackrider(_at_)yourdomain"
the spammer has to slow things down to the point that there is only one
outstanding address to his request, per domain. It gets even hairier for the
spammer if yahoo.com and another domain cooperate, and the requests can come
from earthlink.net too. Get enough cooperation and any lonk od overlap
really does a number on the spammer. Then there can ever only be one
outstanding address at once. This would require the validation server to be
able to ask yahoo.com who are you cooperating with (or present it at
validation request time).
But in any case, it's clear that the operative word is *not* "trivial".
Let's define trivial. Anything that can be solved in polynomial time is
trivial.
Our techniques are lexography and syntax and some elementary structure
navigation. All polynomially complete, and therefore trivial ;-)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
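
Added example, not part of the original messages or any poster's code: the domain-level dispatch check debated in the thread (answer a validation query only when the asking domain was recently sent to), run against the mailing-list case raised in the exchange. The class and function names, the one-hour window, the reply strings and the example.* addresses are assumptions constructed for illustration; `asking_domain` stands in for the reverse lookup of the connecting host.

```python
# Added illustration, not code from the thread.
# Names, the window length and the reply strings are assumptions.
RECENT_WINDOW = 3600  # seconds a sent-to domain stays "recent" (assumed value)


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


class Dispatch:
    """Answers address-validation queries only for recently sent-to domains."""

    def __init__(self, local_users, window=RECENT_WINDOW):
        self.local_users = {u.lower() for u in local_users}
        self.window = window
        self.last_sent = {}  # recipient domain -> time of last outbound mail

    def record_outbound(self, rcpt_to, now):
        # Track "where to", not "who to whom": only the recipient domain is kept.
        self.last_sent[domain_of(rcpt_to)] = now

    def validate(self, asking_domain, address, now):
        # asking_domain stands in for the reverse lookup of the connecting host.
        last = self.last_sent.get(asking_domain.lower())
        if last is None or now - last > self.window:
            return "refused"  # unsolicited query: reveal nothing about the address
        return "valid" if address.lower() in self.local_users else "invalid"


def mailing_list_case():
    """Constructed scenario: mail goes to a list, then a subscriber's MX asks."""
    d = Dispatch(["sender@example.com"])
    d.record_outbound("list@lists.example.org", now=0)
    return {
        "list_host": d.validate("lists.example.org", "sender@example.com", now=60),
        "subscriber_mx": d.validate("subscriber.example.net", "sender@example.com", now=60),
        "unknown_user": d.validate("lists.example.org", "nobody@example.com", now=60),
        "after_window": d.validate("lists.example.org", "sender@example.com", now=7200),
    }


if __name__ == "__main__":
    for who, answer in mailing_list_case().items():
        print(f"{who:14} -> {answer}")
```

The `subscriber_mx` result is the mailing-list situation from the thread: the subscriber's server receives the relayed message but was never sent to directly, so its query is turned away.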