ietf-asrg

Re: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-20 15:43:43
From: Michael Rubel <asrg(_at_)mikerubel(_dot_)org>

...
Here's a better example.  Should mail that contains the string "sex" in the
subject line be Rejected during the smtp session?  Or does it make more
sense to carry that little piece of information through to spamassassin or a
Bayesian filter, where it can be combined with a lot of other information
about the message and recipient to make an intelligent decision?

That suggests the underlying assumption behind saying that SMTP status
codes are obsolete.  In fact, SpamAssassin is like every other filter
at least in principle.  SpamAssassin is often run during the SMTP
session using a sendmail milter hook.  If SpamAssassin computes a
spamish score for the message, the message can be rejected.  See
http://www.google.com/search?q=spamassassin+milter

Providing immediate Reject allows the spammer to keep trying until he's
sure the message has gotten through, and it allows him to learn about the
filtering behavior of your system or yourself.  

No, you hide no information by giving it with a DSN instead of an SMTP
status response.  If you don't want to tell the spammer that the
message was detected as spam, then delaying the detection is irrelevant.
You won't be sending either a bounce or a negative SMTP status response.


...
If you send a blatantly spam-like message to a mail host, do you expect to 
receive a bounce if it is not delivered?

What is a blatantly spam-like message and in whose eyes?  If you
send a message that you don't think is blatantly spam-like, don't
you expect an indication that it was rejected?

If you send what I define a blatantly spam-like message, you'll receive
250 OK SMTP status codes and no DSN.  That violates official as well
as some common sense BCPs, but it's necessary to protect spam traps.


...
Because "best practice" dictates that all domains would be run by
responsible admins, and that they would run ident. 

I think that's wrong.  I think no BCP says anything good about IDENT.
If I'm wrong, please point out the RFC (whether in the BCP index or
not, other than ) that strongly recommends IDENT.


The reasons people
aren't using ident are much the same: it leaks information about their
systems, but doesn't really buy them anything on the Internet, because not
everyone else is using it.

I think that's half wrong.  IDENT need not leak anything, but it is
of very little use.  (An IDENT answer has meaning only in the context
of the IDENT server's logs, user database, and so forth.  Thus, contrary
to RFC 1413, every IDENT answer could be purely synthetic and related
to the real answer only by a log entry on the server.)


If we really think that BCP30 is so hopelessly outdated, wouldn't this be a
good place to start rewriting it?

I'm not familiar with BCP30...

I don't want to insult you, but that is definitely the wrong answer here.
An acceptable answer might be something like "give me a little while to
read and understand BCP 30."  The privilege of speaking here carries the
responsibility of an honest effort to read the relevant document.

See http://www.rfc-editor.org/rfc.html
and especially http://www.rfc-editor.org/bcp-index.html


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
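
The point argued in the message above, that moving the verdict from an SMTP status code to a DSN hides nothing while "250 OK and no DSN" does, modelled as an added example (not code from the thread or from SpamAssassin). The policy names, threshold and addresses are hypothetical, and the model assumes the sender reads mail arriving at its MAIL FROM address.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample value: the score at which the filter calls a message spam.
SPAM_THRESHOLD = 5.0


@dataclass(frozen=True)
class Observation:
    """Everything the sending side can see for one delivery attempt."""
    smtp_reply: str          # reply given at end of DATA
    dsn_to: Optional[str]    # envelope sender that later gets a bounce, if any


def handle(policy: str, score: float, mail_from: str) -> Observation:
    """Model what one receiver policy shows the sender for a scored message."""
    if score < SPAM_THRESHOLD:
        return Observation("250 OK", None)        # delivered normally
    if policy == "reject_in_session":             # filter runs inside the SMTP session
        return Observation("550 rejected", None)
    if policy == "accept_then_bounce":            # filter runs after the session
        return Observation("250 OK", mail_from)   # DSN is addressed to MAIL FROM
    if policy == "accept_and_discard":            # spam-trap style: 250 OK, no DSN
        return Observation("250 OK", None)
    raise ValueError(f"unknown policy: {policy}")


def reveals_detection(policy: str, mail_from: str = "sender@example.org") -> bool:
    """True if the sender can tell a detected message from a clean one."""
    clean = handle(policy, 0.0, mail_from)
    spam = handle(policy, SPAM_THRESHOLD + 1.0, mail_from)
    return clean != spam


def summary() -> dict:
    """Map each modelled policy to whether it tells the sender about detection."""
    policies = ("reject_in_session", "accept_then_bounce", "accept_and_discard")
    return {p: reveals_detection(p) for p in policies}


if __name__ == "__main__":
    for policy, leaks in summary().items():
        print(f"{policy:20s} reveals detection to sender: {leaks}")
```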