ietf-asrg
[Top] [All Lists]

Re: [Asrg] Ban the bounce; improved challenge-response systems

2003-04-08 18:32:16
On Tue, Apr 08, 2003 at 12:43:48PM -0700, Brad Templeton wrote

Strictly speaking, a challenge/response tool does not send a "bounce"
or error message.  It sends a challenge, which is a new piece of
mail, and does not indicate the earlier message failed.

  So we've got a different set of angels dancing on the pinhead.

A proper c/r tool is holding the mail in a spool, to be delivered
once the response comes.

  Can you spell D-O-S A-t-t-a-c-k ?

A C/R system MUST NOT challenge mailing list mail, for example,
but a MTA SHOULD send bounces/error reports on mailing list mail.

Challenges go to the author of the mail, as per the From/Reply-to,
while Bounces go to the envelope-from sender of the messages.

  A whitelist needs only to know one (or more) of...
  - sending machine name(s)
  - envelope sender (MAIL FROM:)
  - if you're generous, an entire domain

  This should be simple enough to keep accessable to (not necessarily
physically on) the internet-facing MTA.  It'll have a public IP address
and (as seen from the inside of the firewall) an RFC1918 address, let's
say 192.168.1.1.

  Howsabout the following...

  Internet-facing MTA receives TCP handshake, MAIL FROM: and RCPT:.
  - It sends those data to a MySQL server at 192.168.1.2, which can
    respond to the MTA with any of the following, which the MTA then
    passes on to the sending MTA...
    250 OK
    450 Recipient's inbox is full. Try again later.
    550 Go away... and don't come back.
    950 See http://www.<destination ISP>.com/~userID/bypass.html for
temporary whitelisting info.

  OK, I pulled "950" out of a hat.  If it's already in use, assume
another number.  The sending MTA gets a 950 "challenge" (sorta like a
550, but without the "Don't come back" attitude).  The sending MTA
passes this on, eventually to the sender.  Mailing lists will have to
list on their web page the 3 items listed above.  If the list uses VERP,
its webpage should have a short form that accepts your email address and
generates the corresponding VERP, so the user knows what MAIL FROM: to
whitelist.  The change required to SMTP by this is a new set of response
codes.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
An infinite number of monkeys pounding away on keyboards will
eventually produce a report showing that Windows is more secure,
and has a lower TCO, than linux.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>