From: Mike Rubel <asrg(_at_)mikerubel(_dot_)org>
...
I reviewed the article at www.monkeys.com, and while I agree that their
approach is reasonable given that RMX records do not yet exist, I
believe the existence of RMX would improve it.
"Improved" and "better" are not as simple as Madison Ave would have
us think. The ancient hack of comparing reverse DNS names and envelope
sender names has disadvantages, but it has a compelling advantage.
As you can see from Paul Vixie's ID (or draft ID if it was never
published), RMX notions are at least 5 years old, but are still usable.
During those 5 years and before, the reverse DNS hack has blocked a
lot of spam.
... Also, theirs is a hack,
albeit in the best sense of the word.
All notions of "RMX" are also at best hacks. As you say, that's not
necessarily a bad thing.
A more general solution that
treats all domains--not just the big free ones--would seem to be
preferred.
Perhaps so, if you are not worried about things like deployment and
you assume things we disagree about, such as Microsoft's view.
...
I cannot speak for these bodies. Assuming they place a very high utility
threshold for new RR's, as you imply and seems reasonable, we must generate
a strong case for them. That's why I wrote an article called "The Case for
RMX Records". But if new RR's are an absolute block, we can take Fecyk's or
Vixie's proposal. These have other drawbacks, but not that one.
In some theories, it is easy to define and deploy a new RR. In practice,
things are otherwise. Someone mentioned the SRV RR. It is years old,
addresses a more compelling need, but still does not have the coverage
that an anti-spam RR would need.
- if it does get standardized, it will not be widely implemented in MTAs.
I believe we have shown that strong incentives exist, both for senders
and receivers, to implement RMX,
On the contrary, no one has shown that sufficiently strong incentives
exist for the domain owners that currently matter most. Only if you
ignore all of the evidence that major free providers want their users to
be able to send from anywhere and take the contrary view that is completely
unsupported by evidence can one say that Hotmail, Yahoo, etc. have
those strong incentives.
and that RMX is far simpler to
implement than many of the other proposals, which involve more
significant and fundamental changes to the mail protocol.
That other proposals have even worse prospects is not much of a
selling point to those who want to affect spam more than get their
names in the RFC index.
- it will not be installed by the organizations you need to install
it, including Hotmail, AOL, and Microsoft, because they will not
change their business models.
RMX would seem to allow them to strengthen their current business models
(webmail and/or email hosting service) by preventing abuse. These
providers also have a strong incentive to implement RMX.
Please offer some evidence of that assertion. What you might do if
you were in charge of those outfits is not convincing. Again, for example
and for the umpteenth time, if those outfits don't want their users
to send from anywhere, why don't they prohibit that in their terms of
service, not to mention terminating accounts for doing it?
I surmise from Earthlink's new challenge-response program that major
providers are willing to try significant new steps to deal with their
spam problems. RMX seems far less disruptive a change than
challenge-response.
No, Earthlink's challenge-response system disrupts things only for
individual users who turn on challenge-responses, while RMX schemes disrupt
things for the many users currently sending Earthlink mail from other than
Earthlink MTAs as well as for the people running those Earthlink MTAs.
I'm beginning to get the impression that RMX proponents are egregiously
unaware of how SMTP works and is commonly used.
Have I said something specific which gave you that impression?
I've been working very hard to go against my grain and avoid getting
personal. Please don't undermine my efforts. Without naming names,
it seems that some people might benefit from checking instead of merely
asserting
- how many legitimate mail messages would fail any sort of RMX test.
- how many ISPs want to alienate the users who send those legitimate
messages.
- what DNS lookups, including reverse, are already done by SMTP servers.
- how zone files are maintained, and what can be in them (e.g. how
many PTR lines per IP address)
I don't know everything about anything including about SMTP and DNS,
so I think there's nothing wrong with unaffected ignorance. However,
refusing to make easy checks such as asking Google before making
assertions, inventing sections of RFCs out of whole cloth, and reacting
badly to having been caught in error are disreputable.
So why haven't you long since implemented the standard checks to
prevent what you call "spoofed" free provider mail?
It would result in false positives in a way that RMX (by virtue of being
voluntary on the part of the sender) would not.
That is wrong unless you assume things are true that I understand you
think are false. If you believe that little legitimate mail comes from
SMTP clients not run by Yahoo and Hotmail but with Yahoo or Hotmail
sending domain names, then there would be few false positives with that
hack applied to the couple dozen Hotmail and Yahoo domain names.
Note that the point of RMX schemes is that they are not voluntary on
the part of the sender of the mail but only on the part of the owner
of the sender domain name.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
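
Added example, not part of the original message or of any MTA's code: a sketch of the reverse-DNS versus envelope-sender comparison discussed in the thread, applied only to a short list of provider domains. The domain list, the PTR table and all function names are assumptions constructed for illustration.

```python
# Constructed data throughout; addresses are from documentation ranges.

# Assumption: the receiver protects only a short list of provider domains.
PROTECTED_DOMAINS = {"hotmail.com", "yahoo.com"}

# Constructed reverse-DNS table standing in for live PTR lookups.
# One address may carry several PTR records, or none at all.
SAMPLE_PTR = {
    "192.0.2.10": ["mail-out1.hotmail.com."],
    "192.0.2.20": ["dsl-77.isp.example.", "mail.customer.example."],
    "192.0.2.30": ["hotmail.com.lookalike.example."],
    "192.0.2.40": [],
}


def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, '' for <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def name_within(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def check(client_ip, mail_from, ptr_lookup=SAMPLE_PTR.get):
    """Return 'accept', 'reject' or 'not-checked' for one SMTP transaction.

    PTR names are taken as given; no forward confirmation is done here.
    """
    domain = sender_domain(mail_from)
    if domain not in PROTECTED_DOMAINS:
        return "not-checked"  # the check covers only the listed domains
    names = ptr_lookup(client_ip) or []
    if any(name_within(n, domain) for n in names):
        return "accept"
    return "reject"
```

The 192.0.2.20 case is the one the thread argues over: a sender using a provider address from an SMTP client the provider does not run is rejected.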