ietf-asrg

Re: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-20 17:27:06
From: Michael Rubel <asrg(_at_)mikerubel(_dot_)org>


...
That's right, I'm saying that where SMTP status codes leak useful
information about your system or your filters back to the spammer, they are
obsolete.

What information about your system or filters is leaked to the spammer
by SMTP status codes that is not leaked by DSNs?  What information is
leaked by status codes regardless of whether it is leaked by DSNs?

Of that leaked information, which cannot be protected if you choose
by not saying too much in status messages or DSNs?

...
We don't disagree here.  I have no problem with SMTP responses that do not
leak information.  It's the ones that leak information I have a problem
with.  DSNs only leak information if a spammer gives his true return
address, and can be implemented so as to leak it very slowly....

What is that leaked information?

...
Can you think of a good reason *not* to hold off on sending a DSN until
the final (user's) filtering decision has been made--for example, when the
message gets dumped in the recipient's "spam" folder?  Apart from the 
system load argument, that is.

For one thing, some spam has forged sender information.  DSNs for that
spam will be sent to innocent people, clogging their mailboxes, and
worrying them.  People are often quite worried by bounces for mail
they didn't send.

For another, in principle spammers might distribute spam using DSNs, bouncing
millions of messages. 

I wish I didn't suspect you'd fix both of those problems by also turning
off DSNs.


No great crystal ball is needed to know that the consensus among IETF
participants will be to include enough information in DSNs and SMTP
status messages to allow senders to figure out what happened.  This
is not only because too many of us are engineers of various sorts who
have to figure out what went wrong and so value such information.  It
is also because the bread and butter of many of us depends in part on
email.  When your living depends on email, you do not like false
positives from spam filters and you really do not like silent false
positives.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


