ietf-asrg
[Top] [All Lists]

RE: [Asrg] Update to DS Protocol draft

2003-03-23 16:31:22
I. ASRG can not send documents protocols to IETF for
"protocols", they
can only be or something that may become "informational" RFC

Semantics.  Whatever.  I'll submit it as a private draft.
I agree. I mentioned it for others who were doing drafts.
 
II. What you're proposing is just like SRV RMX record.

Actually, no.  From what I've read on RMX it's not IP based.  It's too easy
to falsify anything else.
RMX is ip based like MailFrom, like several other proposals

Your point that DNS does not support it yet is not
appropriate - you expect sites to update software to support
DS draft but not update their dns software...
I means if domain has to put  this record in, it might as well
update dns software, not that complex

Tell that to a Microsoft house[1].  Especially a M$ house not upgrading to
Win2003 Server because they don't trust it.
I'v given up on Microsh.t software, especially its dns server portion.
I only expect them to provide client support and on last meeting they 
promised to do so if SRV becomes standard, which RFC2782 is (as opposed 
to 2052).

III. As I already mentioned multiple times before this is typical
"RMX/Mail-From" style proposal which has the following problems:
 1.You only authenticate MAIL FROM header but if "From:" is
forged, that
   is what user will see on their MUA, not MAIL FROM.

I'm not interested in the body of the message.  Yes, it's easy to falsify
the headers or the envelope.  I'm saying these forgeries will be easier to
track for sites using DS.
Again what do you think is seen by more users - "MAIL FROM" header which 
is kept on the server and only some clients are able to see it or "From:" 
header which everybody assumed is where email came from. As I said before, 
all this may do is to have spammers use some obscure domain for MAILFROM 
which may not have updated their dns and sysadmin there might not care or 
it might be unused domain. But "From:" will remain pointing to msn, 
hotmail, yahoo, etc and users will continue to assume it came from there 
and report it there. The number of mail bombs will not dimish seriously. 

But what will happen is that seeing all this anti-spam filters will begin 
to get updated to compare "MAIL-FROM" to "From:" and deny access when they 
are not the same and this will lead to hotmail situation and necessity to 
whitelist all mailing lists.

I'm also not deluded into thinking this will solve all mail forgeries.  I'm
only interested in accountability, and this improves accountability
dramatically for little cost - updating the MTA only and adding a few DNS
records.

 2.Breaks mailing lists (all have to be whitelisted - see:

https://www1.ietf.org/mail-archive/working-groups/asrg/currest
/msg00762.html

All mailing lists I subscribe to have either 
$listname-request(_at_)list(_dot_)host or
a complicated return envelope for tracking bounces.  And I subscribe to
majordomo, listserv, yahoogroups and EMWAC IMS based lists.  I'll show you
some log entries from my mail server:

<B0000025417(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:11:19:37] 
209.228.33.247
c007.snv.cp.net
blst-errors(_dot_)300002469(_dot_)805908187(_dot_)844622903(_dot_)008(_dot_)15118(_dot_)0(_at_)boing(_dot_)topica(_dot_)com
mmajor(_at_)pan-am(_dot_)ca
<B0000025514(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:22:32:04] 
209.228.33.246
c007.snv.cp.net
sentto-113989-4623-1048393919-mmajor=Astronomi-con(_dot_)com(_at_)returns(_dot_)groups(_dot_)yahoo(_dot_)
com mmajor(_at_)pan-am(_dot_)ca
<B0000025510(_at_)srv1(_dot_)fecyk(_dot_)ca> [22/Mar/2003:22:03:33] 
209.119.0.109
cherry.ease.lsoft.com 
owner-SPAM-L(_at_)PEACH(_dot_)EASE(_dot_)LSOFT(_dot_)COM 
gordonf(_at_)FECYK(_dot_)CA
<B0000025519(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:00:51:33] 
132.151.1.19
www1.ietf.org asrg-admin(_at_)ietf(_dot_)org gordonf(_at_)pan-am(_dot_)ca
(repeated several times)
<B0000025536(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:06:33:12] 
65.198.151.222
web8.gemini.dice.com jobs(_at_)jobmail(_dot_)dice(_dot_)com 
gordonf(_at_)fecyk(_dot_)ca
<B0000025544(_at_)srv1(_dot_)fecyk(_dot_)ca> [23/Mar/2003:08:35:50] 
207.195.213.10
poet.minstrel.com owner-nordskogen(_at_)poet(_dot_)minstrel(_dot_)com 
gordonf(_at_)fecyk(_dot_)ca

You're telling me that these will break under DS protocol and will have to
be whitelisted?  They all have return-paths pointing back to something other
than the original sender, usually the list owner or sometimes a bounce
processor.  These would not be blocked under DS.
Yes they  (see my answer above). Or if they are not, the system will do 
nothing more then change what is listed at mail-from which might still be 
forgery. 

Mailing lists that don't do that are broken already.
How nice of you to not care about compatibility with existing email 
infrastracture.
 
 3.Breaks majority of forwarding configurations. Again you have to
   whitelist servers that may forward email to your server. Here the
   situation is little worth, because spammers often put the
use the same
   domains in their from (ok, used to do it 2 years ago, now
using free
   mail services like yahoo or hotmail is more common)

Now these would require changes to MTA software and I freely admitted that.

 4.Roaming users (like me on IETF conference) can not send
email directly
   and have to authentication with their "home" mail server.

SMTP AUTH, POPAUTH, etc take care of this.  It's actually my point - you
should use the resources you're authorized to use.  I can roam, hell I've
even had to sit on someone's Charter connection, then Earthlink, then some
local ISP during my last road trip, and I could still send mail through my
own server.

[1] And you're deluded if you say that anyone running MS server software is
not worthy/asking for trouble/a waste of time/etc.  Fact is, it's out there
and there isn't thing-one we can do about it.
Well. If people find that if they do not run microsoft software that they 
can stop spam, this would be the good reason for them to consider switching
to something better :) Will work a loot better then any other ways to 
introduce linux as mainstream os :)

But in reality, no I do think about people running microsoft software, should
be left out, but somehow I suspect any early adapters of any shemes like this
would be the ones who would be willing to update dns and if anythink like 
this becomes mainstream by that time microsoft will support srv.
 
--
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg