ietf-asrg

RE: [Asrg] seeking comments on new RMX article

2003-05-07 10:50:54
That is mistaken.  Spammers can continue to use Hotmail and Yahoo drop
boxes and to forge AOL's domain name while abusing open proxies on
large dynamically addressed cable-modem and DSL networks that have at
least one AOL, Hotmail, or Yahoo user.  Because those networks are
dynamically addressed, an ISP with users on networks that allows third
party sending (including AOL, Yahoo, and Hotmail) must set their RMX
'bits' to say "authorized" for all addresses in such a network.  Thus,
the hardest to filter spam can have good RMX bits.

Vernon repeatedly makes this claim, and I haven't a clue why (unless he's
forgotten the distinction between envelope headers and headers in the
content).

The users AOL, Hotmail, and so on want to keep are mostly not particularly
computer literate, and they probably don't know what an envelope From
address is.  They see the content From: header, of course, and may even use
the content ReplyTo header, but they almost certainly don't mind in the
least what the envelope From says.  So it would be perfectly reasonable for
the envelope From to contain an address in the domain from which the mail is
sent.  This would do no harm at all to AOL, Hotmail, etc. and wouldn't
require any change in their business model.  It would probably do them a lot
of good, since it's going to reduce the number of bounces they receive for
mail they didn't originate, and may even save their abuse desks some pain.
So the claim that AOL etc would have any desire or need to authorise any
addresses other than their own MTAs is blatant nonsense.

There is of course an issue with creating different envelope From headers on
your portable depending on which ISP you are using (and hence is assigning
your IP address) but I don't think it's insurmountable.

What AOL etc. would have trouble with is a system which required the
envelope From header to match the content From header, but even there they
could maybe educate their users to insert a replyto header.

The only fix is to prohibit sending from any mail systems but those
of the ISP that owns the IP address.  However, if you want to enforce
that rule, you don't need any new RMX or other bits.  You need only
compare reverse DNS and envelope sender domain names.  (Yes, reverse
DNS can be faked, but that can be reasonably reliably detected by
doing an extra forward lookup of the reverse name.)  (Yes, in some
cases you must do a little more than just comparing the PTR and A RRs,
such as fetching all PTR RRs or all A RRs for the PTR name.)

That doesn't work unless you are the first MTA in the chain, since you don't
have the appropriate IP address (you have the address of the preceding MTA).
Assuming no-one's using open relays, it might be possible to look for
relationships between the owner of the preceding MTA's IP address and
ownership of the IP address reached by a forward lookup of the envelope
from address's domain, but that would have to use whois as well as DNS and
would be quite complicated.

(This has nothing to do with my claim that to keep their users, Yahoo,
Hotmail, and AOL must mark every IP address on the net as "authorized.")

Quite so. Unlike that claim, the idea of using IP addresses instead of RMX
is not blatant nonsense.

Tom

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
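
The reverse-DNS comparison debated in this message, as an added example that is not part of the original post: a forward-confirmed PTR check of the connecting IP against the envelope sender domain, including the "all PTR RRs / all A RRs" case and the relayed-mail case where the receiver only sees the preceding MTA. The DNS tables are constructed sample data using documentation addresses, and the function names are hypothetical.

```python
# Constructed DNS data standing in for real PTR and A lookups (assumed values).
PTR = {
    "192.0.2.10": ["mail.example.net."],
    "192.0.2.66": ["mail.example.net."],          # PTR claims a name that does not point back
    "198.51.100.7": ["relay.forwarder.example."],  # a forwarding MTA in another domain
    "203.0.113.5": ["mx1.example.net.", "out.example.net."],
}
A = {
    "mail.example.net.": ["192.0.2.10"],
    "relay.forwarder.example.": ["198.51.100.7"],
    "mx1.example.net.": ["203.0.113.20"],
    "out.example.net.": ["203.0.113.5", "203.0.113.6"],
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def confirmed_names(ip, ptr=PTR, a=A):
    """Every PTR name for ip whose A records include ip (forward-confirmed)."""
    return [norm(n) for n in ptr.get(ip, []) if ip in a.get(n, [])]

def in_domain(host, domain):
    """True if host equals domain or is a subdomain on a label boundary."""
    host, domain = norm(host), norm(domain)
    return host == domain or host.endswith("." + domain)

def check_sender(ip, envelope_from):
    """Return 'pass', 'unconfirmed' (PTR not confirmed) or 'mismatch'."""
    domain = envelope_from.rsplit("@", 1)[-1]
    names = confirmed_names(ip)
    if not names:
        return "unconfirmed"
    return "pass" if any(in_domain(n, domain) for n in names) else "mismatch"

if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.10", "alice@example.net"),    # direct from the domain's own MTA
        ("192.0.2.66", "alice@example.net"),    # faked reverse DNS
        ("203.0.113.5", "bob@example.net"),     # only the second PTR name confirms
        ("198.51.100.7", "alice@example.net"),  # relayed: receiver sees the preceding MTA
    ]:
        print(ip, sender, check_sender(ip, sender))
```

The last case is the objection raised above: genuine mail that has passed through another MTA yields a mismatch, because the check only ever sees the address of the preceding hop.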


