[Asrg] a "baby steps" proposal.

In and around today's various crises, I found myself pondering ways tomaybe build a solution to part of the spam problem. Without pretendingthis is a formal proposal, or even fully fleshed out, here is anapproach that came to me -- consider it a talking point to get thingsstarted.

I was thinking of ways to try to slow down or block the issue of stolendomains and forged return addresses, and looked ways to allow domainsto "take back" their domains. And came up with, conceptually, a newflavor of the ident server.

Okay, you get a piece of email from fluxmonger(_at_)yahoo(_dot_)com(_dot_) Should youaccept it? right now, there's no way to query yahoo and ask, notreasonably.

To avoid making changes to existing protocols, instead of modifying DNSfor new fields, I thought I'd do it using a well-known host name (whichalso allows a large site to scale with load balancers or perhaps roundrobins, while allowing small sites to simply virtual host it to theirmachine). Call it, say, hostauth.yahoo.com (if mail is fromlists.apple.com, say, the authorizer is hostauth.lists.apple.com;through aliasing, it can all be tied to single server or singleadministration if you want). for sake of simplicity, I'll assign itport 5555.

As the site trying to decide on accepting, you can query that servertwo questions: is "fluxmonger(_at_)yahoo(_dot_)com" authorized to send e-mail fromyour domain? and "is this IP address authorized to send e-mail for yourdomain"?

Participation is optional; lack of a server means you don't have theinformation to work with (I assume some users will choose to make lackof a server a deciding action; maybe some day). It allows a site toexplicitly deny mail from non-existant/forged accounts. It allows sitesto start restricting mail sent from non-local locations (the issue ofthe remote user using an accessible SMTP host is an issue, as arebackup MXes, among things I've thought of).

For instance, if you query hostauth.plaidworks.com, it'll tell you thatchuqui(_at_)plaidworks(_dot_)com can send email, but bin(_at_)plaidworks(_dot_)com cannot.Neither can fluxmonger(_at_)apple(_dot_)com(_dot_) Since I send email as plaidworks viamy work's SMTP while I'm at work, it'd not only tell you that64.81.78.180 can send e-mail as plaidworks.com, but so can17.254.0.152. If you got email from 216.139.12.17, my server would tellyou no. the IP ranges are probably tri-state: there will be addresseswhitelisted by that server, addresses potentially in the "no opinionstate", and addresses blacklisted (things that admin has found to besources of spam forged with that domain's addresses, or perhapsgenerated out of rbls). If I were sending mail using my@employers.domain address using y home SMTP server, whether that'd bein the "no opinion" or "blacklist" would be based on the policy of thatdomain owner, which I think is fair, even if it might inconvenience meat times.

Data can be cached for some period of time. Once you know my authserver approves that address and/or IP address, you don't need to queryevery time you see it; it's safe to assume it's going to stay okay.rejections are more problematic, maybe a shorter cache for them.

What's in it for a domain? The ability to better control who's usingthat domain, especially those trying to use it without permission. Thereduced problems with bounces from forged headers, time spent by adminsdealing with misdirected abuse mail, etc, etc -- all can help offsetthe cost of creating and maintaining this auth server. It requires nonew protocols, no massive outlays of engineering or "stuff", no massivere-engineering of the universe; it's effectively an RBL built andmaintained by a domain, about that domain, advertised via a knownhost/known port mechanism.

On the client side: it can be built into anti-spam tools similar toexisting RBLs; adding support isn't a major issue. Decisions on how touse the data can be administered how a domain wants them to be, it's alocal decision.

A nice side aspect of this is that bogus auth servers can beblacklisted. If you catch one lying to you, the receiving side cansimply flag all mail being authed through that server as bogus, so oncea server is found to be spam friendly, it gives you a way to deal withall of the spam authed by that server. spammers can work around that,of course, but it's one more thing for them to have to deal with, andthe auth server has to be in DNS, so it's harder to hide than usingopen relays or open proxies. It's another tool to force a spammer tostand still long enough to find where he is, not where his mail iscoming from.

basically, it's something that's both an ident server (on a domainbasis) and an RBL. It'd have a very simple protocol, and should bequite fast. for most sites, a flat file configuration ought to suffice;for larger organizations, it'll be more complex to keep all of the datastraight, but it's all engineering, not imagineering).


risks/issues:

any server that does a yes/no on "is this a good address" risks leakingthose good addresses to spammers.

the 'accept/reject' decision effectively has to happen where the mailenters your MX relays, or you risk losing that IP address. the legaluser part can be done anywhere.

For organizations with lots of sub-domains that send mail, it adds somecomplexity to their DNS administration. I don't consider that a hugeissue.

to me, at first glance, it seems like it's easily implementable,doesn't require re-engineering (beyond tweaking sendmail.cf orequivalent), and the only significant risk I see is the exposure riskabove, but it can be engineered to a tolerable level fairly easilythrough fallback delays or whatever. If seems to give domains bettercontrol (not perfect, better -- the issue of "this is a legal addresson our domain, BUT THAT ISN'T HIM isn't resolved at all, unless you cannail it with the IP lookup). Basically, it solves one small problem,without (I think) creating newer ones of any great size.


Thoughts?



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg