ietf-asrg

Re: [Asrg] Re: draft-danisch-dns-rr-smtp-01.txt

2003-04-27 09:39:20
At 07:40 AM 4/27/03 -0600, Vernon Schryver wrote:
From: Scott Nelson <scott(_at_)spamwolf(_dot_)com>

...
Recognize that the goal for the receiver isn't to find all the 
valid IPs for a domain, but rather just the one they are receiving
email from.  To answer the question "is IP a.b.c.d an authorized 
IP for example.com?", the receiver could check 
d.c.b.a.rmx.example.com.

The problem with that is that Hotmail, Yahoo, and most of the rest of
the owners of the domain names that appear in SMTP Mail_From senders
in the majority of spam instruct their DNS servers to always answer
"yes, a.b.c.d authorized" for any and all IP addresses.

Just to clarify, that's a problem with the idea of authorized senders,
not the suggestion that IF you attempt to authorize IPs, then you
should do it on a single IP rather than trying to get the whole range.

I don't understand that.


The paper (draft-danisch-dns-rr-smtp-01.txt) advocates a method for
doing authentication of IP addresses as valid senders for domains.
My post suggested an improvement (IMO) to the method of 
doing authentication of IP addresses as valid senders for domains.

I was simply trying to make it clear that your complaint applies to
/all/ methods of authentication of IP addresses as valid senders for 
domains, and not just the particular method I suggested.


The way SMTP works currently, authorized sender lists are
only useful to identify email that is very likely to be from the
domain in question, and not useful in identifying email that is not.  
In other words, one should use it only to accept an email, 
not to reject it.  (Or make it more likely to be accepted).

To identify mail that is very likely to be from the domain in question,
you do not need any new protocols, modifications to existing protocols,
or new conventions such as DNS RRs.  You need only compare the PTR RR
for the SMTP client with the envelope sender domain.  That comparison
won't be completely accurate, but it will be more accurate than any
new scheme.


PTR RR for the SMTP client?
Now I do not understand.


I think the value of being able to whitelist an email is not as 
great as the problem of people who incorrectly chose to 
reject email for failure, but I'm neither sure nor certain.
Perhaps if it was limited to system messages, 
or certain privileged accounts like postmaster or mailer_daemon 
then it might have greater value.

That would be an interesting idea, except that the address of that
sort that is most commonly forged in spam lacks a domain to check or
compare (as well as a user name).  Remember that bounces are supposed
to come from "<>".  See section 6.1 of RFC 2821.


Maybe we should change that.
That's one of the purposes of this group, isn't it?
To suggest changes to SMTP that would make it more resistant to spam?

Scott Nelson <scott(_at_)spamwolf(_dot_)com>
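
The per-IP check discussed in this message, as an added example that is not part of the original post or the draft: it builds the d.c.b.a.rmx.example.com query name and treats a positive answer only as a reason to accept, never a miss as a reason to reject. The zone table, the `lookup` stand-in for a DNS query, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone data (not real DNS answers). The "*." entry models
# a domain whose servers answer "authorized" for any and all IP addresses.
ZONE = {
    "10.2.0.192.rmx.example.com",
    "*.rmx.wildcard.example",
}

def rmx_query_name(ip, domain, label="rmx"):
    """Build d.c.b.a.<label>.<domain> for the IPv4 address a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{label}.{domain.lower().rstrip('.')}"

def lookup(name, zone=ZONE):
    """Hypothetical stand-in for a DNS query: exact match, then wildcard."""
    if name in zone:
        return True
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in zone
               for i in range(1, len(labels)))

def sender_hint(client_ip, mail_from, lookup_fn=lookup):
    """Return 'authorized' or 'unknown'. There is deliberately no 'reject'."""
    address = mail_from.strip().strip("<>")
    _local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        # The null reverse-path "<>" used by bounces has no domain to check.
        return "unknown"
    name = rmx_query_name(client_ip, domain)
    return "authorized" if lookup_fn(name) else "unknown"

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "<alice@example.com>"),
                       ("198.51.100.7", "<alice@example.com>"),
                       ("198.51.100.7", "<bob@wildcard.example>"),
                       ("192.0.2.10", "<>")]:
        print(ip, sender, sender_hint(ip, sender))
```

The wildcard.example case shows the objection raised in the thread: a domain that answers yes for every address makes "authorized" carry no information for that domain.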