Hector Santos wrote:
> ----- Original Message -----
>
>>Allow me to rephrase this - This is a requirement that the receiver is
>>required to send the delivery failure notice back to the sender. It is
>>not a requirement that the address for that notice should exist and be
>>functional, or in your case be able to reach the RCPT TO stage.
>>Therefore, in practice this requirement is sometimes ignored since no
>>one wants to be sending email to non-existent addresses anyway, and many
>>filtering systems for spam will not send back a failure notice.
>>
>>Yakov
>
>
> Sorry, I disagree with your interpretation of the current specification.
>
> A Mail From: must be valid if all other RFC specifications are to fit.
>
[..]
> I am failing to see why so much resistance? All you are basically proving
> is how the CURRENT specification needs to be tightened up.
[..]
What I am trying to point out is that your specific proposal is not
compliant with the current architecture. What I do see is that the
current SMTP specification has holes which need to be patched, and your
proposal is addressing one of those holes.

Whether the RFCs require a valid return address, or not, in spirit or in
letter of the law, is something Dave Crocker and Eric Raymond, and
others, who worked on the original 821 and 2821 RFCs can tell us. But
the fact today is that no one is expected to provide a valid address,
and any system relying on this will fail in some cases unless the
existing RFCs are changed.

We understand that changes must be made. However, we need to justify
these changes before imposing them on the entire Internet. For example,
it is significantly more lightweight to verify domain/IP association via
LMAP than to do an RCPT TO callback. Both your proposal and LMAP address
the same problem - forgery of the MAIL FROM address, except LMAP focuses
on verifying the domain, while you are verifying the actual address.
What we need to determine is why we should go through the burden of
verifying the actual address, when for the purposes of reducing forgery,
verifying the domain is sufficient?

Let's say you have verified either the domain or the address, and the
message in question turns out to be spam. In both cases, you are going
to complain to the ISP of the domain, not the actual user! So why go
through the trouble of verifying the actual email address, when a domain
is sufficient?
Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Fight spam, but keep it in perspective" (Brad Templeton)
-------