ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] Ban the bounce; improved challenge-response systems

2003-04-06 18:38:26
from [J C Lawrence] [Permanent Link] 
On 06 Apr 2003 19:33:53 -0500 
wayne  <wayne(_at_)midwestcs(_dot_)com> wrote:

In <20030406042307(_dot_)GC994(_at_)m1800> waltdnes(_at_)waltdnes(_dot_)org 
writes:



Bounce messages are a relic from a kinder/gentler internet where
spammers didn't exist, and didn't forge innocent 3rd-parties' email
addresses into the "From:" or "Reply-To:" headers.  Maybe it's time
to depracate bounce messages.


Minor note:  bounces go to the Return-Path in the envelope, not to From:
or Reply-To:.


While I don't believe we can outright ban bounces, I do think it is a
very good idea to detect errors as early as possible.


<nods eagerly>


The receiving MTA should always try hard to make the sending MTA
generate the bounce via the 5xx reject codes.  


Most MTAs do this as it is easier, faster, and requires less resources.
The problem, as always, is insufficient knowledge.


It should also try to verify that the MAIL FROM address is valid
before it accepts the email so that if a bounce has to be generated
later, it can be.  Exim can verify not only the MAIL FROM, but also
the From:, Reply-To: and Sender: headers to try and cut down on bad
bounces.


Yeah, Exim is rather notably good in this regard.  


In theory, the sender MTA could and probably should also verify these
things.  Again, the earlier the errors are detected, the better.  Of
course, the receiving MTA probably can't trust that the sending MTA
will have done these checks, but checking them twice won't hurt.


This was one of the core ideas I tried to put in the forward chained
Received: header proposal.  Every node, at the time of receipt and later
can check and verify the chain.  They can do the cheap check and only
verify that the data as presented is internally consistent, or they can
verify the stated keys via DNS to authenticate their check of internal
consistency.  

Nobody has to trust, but everybody can not only distrust if they want
to, but if they don't bother checking, a later node can still isolate at
what point the trust chain was broken.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?           
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Asrg] Whitelisting on Message-ID (Was Turing Test ...), Hallam-Baker, Phillip
Next by Date:  Re: [Asrg] Ban the bounce; improved challenge-response systems, Kee Hinckley
Previous by Thread:  Re: [Asrg] Ban the bounce; improved challenge-response systems, wayne
Next by Thread:  [Asrg] Why Am I Getting All This Spam? -- Unsolicited Commercial E-mail Research Six Month Report, J C Lawrence
Indexes:  [Date] [Thread] [Top] [All Lists]