ietf-asrg

Re: [Asrg] Re: 6 - Designated Relays Inquiry Protocol (DRIP)

2003-06-29 12:49:36
On Sun, 29 Jun 2003, Richard Rognlie wrote:

> RMX (et al) deal with the envelope from address.  This proposal has
> nothing to do with the envelope.  It is an attempt to sanitize the
> hostname specified as the HELO/EHLO when connecting to a remote
> MTA.
>
> IOW,  If I connect to a remote MTA and my MTA sends the greeting
> EHLO play.gamerz.net.  That MTA can do a lookup of
> my_ip_ad_dr._relays_._email_.play.gamerz.net and see immediately
> that if it gets my.ip.ad.dr as the response, that, indeed, I am
> a DRIP subscribed host.  If any other host attempts to connect
> and claim to be play.gamerz.net, the IPs will not match (or there
> will be no record at all).

You can already do this by setting proper reverse dns ip for the record
and reverse dns does allow for multiple names for the ip. So this is
a proposal that intends to allow the equivalent of a reverse dns check
for when the company running the mail server does not have access to
set reverse dns as it wishes.

As such I'm a lot more afraid of this being used by spammers themselves
when they are hijacking ip space, using proxies, dialup, etc. Many
spammers do have domains they have no problem letting everybody else know
about as part of EHLO, in the envelope from, etc - domains are cheap
and entering bogus data there is easy - so they can afford to register
one new domain for each dozen million emails sent (i.e. one or more new
domains every day...).

Long ago I also mentioned that a good dns check/security model should
not be tying authorization to direct dns alone but to direct dns AND
reverse dns as well (so that we have two separate distinct authentication
paths and two sets of authorities to confirm your identity in a way)
- this will also stop spammers from being able to so easily get and use
new virtual identities/domains. And yes, I know many do not like this
because they run their mail servers on dsl, but in reality even for dsl,
you should be able to get reverse dns set properly to your mail server
even if you only have one ip (as long as it's not dynamic).

And going further on this, I've thought about it for a while actually and
came to the conclusion that reverse dns records should be used to authenticate
servers (like now) but stronger authentication methods should be used,
I'd favor SSL certificates, self-signed and tied to a special reverse dns
record. And for those who can not control reverse dns a workaround can be
provided by having a well known certificate authority also sell similar
certificates. I'll provide details on this and a number of my other proposals
some time in the future, when I think the research group is a little
better organized...

---
William Leibzon
Elan Communications Inc. 
william(_at_)elan(_dot_)net



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
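
The two checks discussed in this message, side by side, as an added example that is not part of the original thread or of any DRIP implementation. It assumes the DRIP record name takes the IP in written order (the quoted message does not specify this), replaces real DNS with constructed lookup tables, and uses hypothetical function names; it shows a forward-only DRIP lookup passing for a throwaway domain while the combined forward AND reverse check rejects it.

```python
# Constructed zone data standing in for real DNS (documentation-range IPs, made-up names).
FORWARD = {  # owner name -> A records, published by whoever controls the domain
    "mail.example.org": {"192.0.2.10"},
    "192.0.2.10._relays_._email_.mail.example.org": {"192.0.2.10"},
    # Throwaway domain publishing a DRIP record for an address it does not own.
    "cheap-domain.example": {"198.51.100.7"},
    "198.51.100.7._relays_._email_.cheap-domain.example": {"198.51.100.7"},
}
REVERSE = {  # IP -> PTR names, published by whoever controls the address space
    "192.0.2.10": {"mail.example.org"},
    "198.51.100.7": {"dsl-7.isp.example"},
}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().lower().rstrip(".")


def drip_ok(ip, helo, forward=FORWARD):
    """Forward-only check: <ip>._relays_._email_.<helo> must answer with ip."""
    # Assumption: the IP is used in written order, as in the quoted message.
    return ip in forward.get(f"{ip}._relays_._email_.{_norm(helo)}", set())


def reverse_ok(ip, helo, forward=FORWARD, reverse=REVERSE):
    """Reverse check: a PTR for ip names helo, and helo resolves back to ip."""
    name = _norm(helo)
    ptr_names = {_norm(n) for n in reverse.get(ip, set())}
    return name in ptr_names and ip in forward.get(name, set())


def evaluate(ip, helo):
    """Return each check's verdict plus the combined forward AND reverse verdict."""
    d, r = drip_ok(ip, helo), reverse_ok(ip, helo)
    return {"drip": d, "reverse": r, "both": d and r}


if __name__ == "__main__":
    for ip, helo in [
        ("192.0.2.10", "mail.example.org"),        # legitimate relay
        ("203.0.113.5", "mail.example.org"),       # another host borrowing the name
        ("198.51.100.7", "cheap-domain.example"),  # throwaway domain, foreign address
    ]:
        print(ip, helo, evaluate(ip, helo))
```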