ietf-asrg

[Asrg] 1. Inventory of Problems - Initial Connection of the SMTP Transaction (was 'Inquiry about CallerID Verification')

2003-11-30 20:23:23
Hector Santos wrote:
[..]
Again, let's remember the main point here.  The SMTP state point, MAIL FROM:
is calling a black box validation function:

            MAIL FROM:   ----->  BLACKBOX VALIDATION.

WCSAP is just one method to do this.  It is highly effective, but presents
scalability/loading issues that need to be incorporated in its design.    As
a blackbox,  design a better MAIL FROM: validation concept, and it is easily
replaced.  No change to our SMTP server.  So from my point of view our SMTP
server is designed to address a strong MAIL FROM validation concept.  That is
ALL I am proposing YAKOV et al to focus on. The PROTOCOL!   Then we can come
up with solutions and even then,  it is not going to be 1 single solution,
unless it is something that really works 100% and addresses scalability issues.


Well, my question here, as per the other thread, is why do we need to do verification at the MAIL FROM point for the address itself? In the Internet realm, shouldn't verifying the domain/IP be sufficient, since the owner of that IP/domain is responsible for it, not their individual users?

I have no problems with applying everything to the protocol itself. However, as the protocol stands right now, there is no need to rewrite it. Nothing stops *anyone* from doing checks at each state of the SMTP transaction, and many do so.

What I am getting from this and other related threads is a need for the group as a whole to come up with a solid and concrete document which outlines the protocol and matches the proposals against the weak points in the protocol. That work has already begun with Alan, and we can perhaps shift our discussion to that topic on-list as well. We can start off with discussing what to do at the connect point of the SMTP transaction, and different proposals at that point. Therefore, I am changing the subject and would like to continue the discussion on that topic.

We can start off with listing different approaches and their pros and cons here, as well as what possible tricks spammers use to get around them.

Yakov

-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"All that is gold does not glitter" (J.R.R. Tolkien)
-------


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


