I. ASRG can not send documents protocols to IETF for
"protocols", they
can only be or something that may become "informational" RFC
Semantics. Whatever. I'll submit it as a private draft.
I agree. I mentioned it for others who were doing drafts.
II. What you're proposing is just like SRV RMX record.
Actually, no. From what I've read on RMX it's not IP based. It's too easy
to falsify anything else.
RMX is ip based like MailFrom, like several other proposals
Your point that DNS does not support it yet is not
appropriate - you expect sites to update software to support
DS draft but not update their dns software...
I means if domain has to put this record in, it might as well
update dns software, not that complex
Tell that to a Microsoft house[1]. Especially a M$ house not upgrading to
Win2003 Server because they don't trust it.
I'v given up on Microsh.t software, especially its dns server portion.
I only expect them to provide client support and on last meeting they
promised to do so if SRV becomes standard, which RFC2782 is (as opposed
to 2052).
III. As I already mentioned multiple times before this is typical
"RMX/Mail-From" style proposal which has the following problems:
1.You only authenticate MAIL FROM header but if "From:" is
forged, that
is what user will see on their MUA, not MAIL FROM.
I'm not interested in the body of the message. Yes, it's easy to falsify
the headers or the envelope. I'm saying these forgeries will be easier to
track for sites using DS.
Again what do you think is seen by more users - "MAIL FROM" header which
is kept on the server and only some clients are able to see it or "From:"
header which everybody assumed is where email came from. As I said before,
all this may do is to have spammers use some obscure domain for MAILFROM
which may not have updated their dns and sysadmin there might not care or
it might be unused domain. But "From:" will remain pointing to msn,
hotmail, yahoo, etc and users will continue to assume it came from there
and report it there. The number of mail bombs will not dimish seriously.
But what will happen is that seeing all this anti-spam filters will begin
to get updated to compare "MAIL-FROM" to "From:" and deny access when they
are not the same and this will lead to hotmail situation and necessity to
whitelist all mailing lists.
I'm also not deluded into thinking this will solve all mail forgeries. I'm
only interested in accountability, and this improves accountability
dramatically for little cost - updating the MTA only and adding a few DNS
records.
2.Breaks mailing lists (all have to be whitelisted - see:
https://www1.ietf.org/mail-archive/working-groups/asrg/currest
/msg00762.html
All mailing lists I subscribe to have either
$listname-request(_at_)list(_dot_)host or
a complicated return envelope for tracking bounces. And I subscribe to
majordomo, listserv, yahoogroups and EMWAC IMS based lists. I'll show you
some log entries from my mail server:
<B0000025417(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:11:19:37]
209.228.33.247
c007.snv.cp.net
blst-errors(_dot_)300002469(_dot_)805908187(_dot_)844622903(_dot_)008(_dot_)15118(_dot_)0(_at_)boing(_dot_)topica(_dot_)com
mmajor(_at_)pan-am(_dot_)ca
<B0000025514(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:22:32:04]
209.228.33.246
c007.snv.cp.net
sentto-113989-4623-1048393919-mmajor=Astronomi-con(_dot_)com(_at_)returns(_dot_)groups(_dot_)yahoo(_dot_)
com mmajor(_at_)pan-am(_dot_)ca
<B0000025510(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:22:03:33]
209.119.0.109
cherry.ease.lsoft.com
owner-SPAM-L(_at_)PEACH(_dot_)EASE(_dot_)LSOFT(_dot_)COM
gordonf(_at_)FECYK(_dot_)CA
<B0000025519(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:00:51:33]
132.151.1.19
www1.ietf.org asrg-admin(_at_)ietf(_dot_)org gordonf(_at_)pan-am(_dot_)ca
(repeated several times)
<B0000025536(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:06:33:12]
65.198.151.222
web8.gemini.dice.com jobs(_at_)jobmail(_dot_)dice(_dot_)com
gordonf(_at_)fecyk(_dot_)ca
<B0000025544(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:08:35:50]
207.195.213.10
poet.minstrel.com owner-nordskogen(_at_)poet(_dot_)minstrel(_dot_)com
gordonf(_at_)fecyk(_dot_)ca
You're telling me that these will break under DS protocol and will have to
be whitelisted? They all have return-paths pointing back to something other
than the original sender, usually the list owner or sometimes a bounce
processor. These would not be blocked under DS.
Yes they (see my answer above). Or if they are not, the system will do
nothing more then change what is listed at mail-from which might still be
forgery.
Mailing lists that don't do that are broken already.
How nice of you to not care about compatibility with existing email
infrastracture.
3.Breaks majority of forwarding configurations. Again you have to
whitelist servers that may forward email to your server. Here the
situation is little worth, because spammers often put the
use the same
domains in their from (ok, used to do it 2 years ago, now
using free
mail services like yahoo or hotmail is more common)
Now these would require changes to MTA software and I freely admitted that.
4.Roaming users (like me on IETF conference) can not send
email directly
and have to authentication with their "home" mail server.
SMTP AUTH, POPAUTH, etc take care of this. It's actually my point - you
should use the resources you're authorized to use. I can roam, hell I've
even had to sit on someone's Charter connection, then Earthlink, then some
local ISP during my last road trip, and I could still send mail through my
own server.
[1] And you're deluded if you say that anyone running MS server software is
not worthy/asking for trouble/a waste of time/etc. Fact is, it's out there
and there isn't thing-one we can do about it.
Well. If people find that if they do not run microsoft software that they
can stop spam, this would be the good reason for them to consider switching
to something better :) Will work a loot better then any other ways to
introduce linux as mainstream os :)
But in reality, no I do think about people running microsoft software, should
be left out, but somehow I suspect any early adapters of any shemes like this
would be the ones who would be willing to update dns and if anythink like
this becomes mainstream by that time microsoft will support srv.
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg