ietf-asrg

Re: [Asrg] 0. General - anti-harvesting (was Inquiry about CallerID Verification)

2003-12-01 03:25:26
On Mon, 1 Dec 2003 19:51, Hector Santos wrote:
> No, you got it. And you raise a very excellent possible solution which I
> like because it doesn't technically change the SMTP protocol. It now
> becomes a functional requirement.
> ...
> Compliant servers must support VRFY as a way to validate return address.

I don't see how this, on its own, overlaps with a proposal like LMAP. If host
X sends us mail with "MAIL From:<user@Y>", then we ask an MX for Y to
"VRFY user@Y", all we have determined is whether <user@Y> is a "valid"
address, for some loose definition of "valid". (One of my domains has a
catch-all address in force at the moment anyhow, so *every* syntactically
valid address is a "valid mailbox".) Critically, what we have *not* determined
is whether host X is *authorised* to represent that address. That is what LMAP
attempts to ascertain.

The reinstatement of VRFY would potentially give spammers a good way of 
evaluating their address lists. A spammer could also probe around for a 
verifiable address to use in the "MAIL From:" part of the dialogue. In the 
absence of an LMAP-type authorisation mechanism, this strikes me as a rather 
bad thing.

Is your response to this a challenge/response type scenario, where the 
(known-to-be-valid) return address is sent a message asking for confirmation? 
This is a nasty burden on the victim of fraud. We need the LMAP-type 
authorisation mechanism to act as a first-pass filter to reject blatant 
frauds.

Or perhaps I've missed your point. I haven't had the time to fully analyse all 
the messages on this list in the last couple of days.

Regards,
TFBW


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
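
The distinction drawn in the message above, between a VRFY-style "does this mailbox exist" answer and an LMAP-style "is this host authorised to send for the domain" answer, as an added example that is not part of the original post. The domains, addresses, and the in-memory tables standing in for the MX's mailbox list and the domain's published sender list are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: made-up domains and documentation IP ranges.
# Stand-in for what each domain's MX knows about its own mailboxes.
MAILBOXES = {
    "y.example": {"catch_all": True, "users": {"alice"}},
    "z.example": {"catch_all": False, "users": {"bob"}},
}
# Hypothetical LMAP-style data: networks each domain authorises to send its mail.
AUTHORISED_SENDERS = {
    "y.example": ["192.0.2.0/28"],
    "z.example": ["198.51.100.25/32"],
}


def vrfy(address):
    """What a VRFY to the domain's MX can answer: does the mailbox exist?"""
    local, _, domain = address.rpartition("@")
    entry = MAILBOXES.get(domain.lower())
    if entry is None or not local:
        return False
    # With a catch-all in force, every syntactically valid local part "exists".
    return entry["catch_all"] or local.lower() in entry["users"]


def sender_authorised(client_ip, address):
    """What an LMAP-style check answers: may this host send as that domain?"""
    domain = address.rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    networks = AUTHORISED_SENDERS.get(domain, [])
    return any(ip in ipaddress.ip_network(net) for net in networks)


def evaluate(client_ip, mail_from):
    """Run both checks for one SMTP client and its MAIL From address."""
    return {
        "vrfy_valid": vrfy(mail_from),
        "host_authorised": sender_authorised(client_ip, mail_from),
    }


if __name__ == "__main__":
    # Host X (203.0.113.77) is not listed by either domain.
    for ip, sender in [
        ("203.0.113.77", "anything@y.example"),  # catch-all: VRFY says valid
        ("203.0.113.77", "bob@z.example"),       # real mailbox, wrong host
        ("192.0.2.5", "alice@y.example"),        # real mailbox, listed host
    ]:
        print(ip, sender, evaluate(ip, sender))
```

A receiver that relied on the first check alone would accept the first two cases; only the second check separates them from the third.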


