As promised I'm sending you notes on callback tranmission. This notes
are similar format as verification notes I sent before and in fact I had
them done together.
Callback transmission is an interesting idea, but consider:
I never said its "best" of my ideas. It just something that I considered
when evaluating various verification schemes and I actually saw some more
problems with callback then just the ones you noticed or the ones I included
in the notes. I ended up selecting message tracking as the one I'd write
actual draft on. But callback can still be usefull, I may come back to it.
1 - NastySpammer sends millions of connections from thousands of 0wned hosts,
and suddenly poor victim gets a DDoS from all the callbacks from hosts
attempting to receive the purported mail.
Which proposal was this for #2 or #4? If #2 (callback to server listed in
EHLO), the connection must still be maintained with the original source
that is making transmission so they'll be found pretty quickly by network
engineers. I mean DoS is still possible but it requires the same amount of
resource that they can otherwise already do from those same hosts to
attack site directly, so it does not change the picture.
If its #4 (callback to domain listed in MAIL FROM command), I see your
point since connection is made after original server closes it. But
change to keep connection open just like in #2 can also be made.
2 - How does this fix open SMTP relays?
I meant existing ones... but that probably does not matter since they'll
not support new system. But it certainly does get rid of proxying.
An open SMTP relay will presumably
set itself as the host to call back. In fact, how does this interoperate
with SMTP relaying?
Since this is per-tranmission technology it'll require each relay to do
callback.
What was not included is another is version of callback proposal 4 which
does it differently:
If email is received with MAIL FROM and CALLBACK and email would need to
go futher (be relayed), this email server (relay) will try to call the next
server that it'd otherwise going to send email to and if next server
support callback, it'd be make a connection and provide same commands
(RCPT TO, MAIL FROM with CALLBACK) as the original call to this server
and in this case the actual callback has to be done by that next or final
destination server.
In the above the relay just passes on origin information and last server
in chain that was going to deliver email does callback to pick the actual
email data. This makes open relay effectively useless as far as spammer is
concerned.
----
William Leibzon
Elan Communications Inc.
william(_at_)elan(_dot_)net
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg