Boy, it seems like an increasing number of the posts I've seen since
this list started come from posters who seem to be gravely misinformed
or deliberately spreading misinformation. (General comment, not directed
at Kee or Howard!) I hope this is something the ASRG reorg will try to
address. It seems like the discussion of the most promising proposals is
exceedingly rare. :-(
Apropos RMX (mail-from Reverse MX) and a similar proposal:
Kee Hinckley wrote:
At 6:09 PM -0700 6/27/03, Howard Roth wrote:
The idea behind this concept is to not modify current software, but provide
additional stand-alone software that provides sender accountability.
In what way does this not modify existing software? The MTAs have to
be modified to support it, correct?
No, just the MUAs.
Also, I think Howard Roth is mistaken, in that if the current versions
of qmail, sendmail, and postfix supported RMX, the Internet would be
most of the way to adoption. Exchange and Notes would likely follow,
and another inevitable security bug announcement in a few of them will
cause the vast majority to upgrade. Result: the Internet is RMX ready
for any domain that wishes to do so to roll out and have it be highly
effective. Trying to get the majority of the world's MUA end users to
upgrade is much more difficult, IMO.
I had cisco.com and some other major domains whitelisted for a while,
but had to remove 'em due to repeated spam 'From' them.
abuse@<trademark>.com seemed uninterested in pursuing abuse of their
trademark.
Basically, the intent is for this method to be completely transparent to the
users and therefore have no impact on web-mail services. I am familiar with
my web-mail services using Ipswitch mail server software, but there may be
other issues that you are alluding to that I may not be aware of.
The issue is that people send mail "from" one domain while using the
mail servers of another. This is done all the time for perfectly
legitimate reasons. Not only is it done on an individual level, it is
also done regularly in mass commercial mailings (which are sent by one
company on behalf of another). Using the "reply to" to authenticate
breaks all of that. Yahoo users can only send mail using Yahoo's web
mail. Macromedia can't send mail from "support(_at_)macromedia(_dot_)com" using
mx0's mail servers, and so on.
This capability is NOT broken with the RMX proposal. Any legitimate
users WILL be able to use the domain of their choice. There are at
least 3 ways yahoo users could continue to use their own servers in an
RMX-compatible world.
Mailing list servers need to be responsible for the email they send (in
the RMX sense), and with some minor tweaking, will be (some already are).
In an RMX world, domain-based DNSRBLs can be highly effective, with low
false positives and low false negatives.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg