Re: [Asrg] Re: 6. Proposals: MTA MARK - and a LMAP note

Fridrik Skulason wrote:
> [snipped  worm discussion]
I have to cast my vote on the side of using 'worm' instead of virus. 
This is a community of professionals, who've volunteered to contribute 
their time and knowledge, and I think it's pretty clear Fridrik should 
know what he's talking about.
> > The mention of CodeRed and Nimda is in a section that argues
> > that one cannot trust on users to update their computers, even if the
> > security holes are some month old and patches exist for quite some time,
> > just like you can't count on them to configure their programs correctly 
> > as can be seen from the number of open proxy servers.
> All I was saying is that CodeRed is a bad example, as someone might 
> incorrectly assume that MTA MARK would have been effective against it.
It's easy enough to just say "Users cannot be trusted to keep their 
machines secure and up to date." If there's anyone in the IETF 
commmunity who doesn't believe that, they probably haven't been exposed 
to users recently (within the past 9 or so years).
> > >  "This is one of my machines, but it is not authorized to send mail
> > >   from my domain" - this result would typically indicate a compromised
> > >   machine - either trying to send out worms or spam.
> > >
> > >  "This is not one of my machines, and therefore it is not authorized
> > >   to send mail from my domain" - this result would either indicate
> > >   a forgery or perhaps a "roaming salesman" instance.
> > >
> > > What I don't quite see is how LMAP would distinguish between those two 
> > > cases - or if it can indeed do so.  Clarification, anyone?
> > LMAP can't distinguish and it is IMHO irrelevant. The machine is not
> > authorized to send emails with a sender address from domain example.com,
> > regardless under whom's authority the machine is.
> This is not relevant to MTA MARK, of course, but the issue is not
> irrelevant, as the appropriate reaction would be different.  In the 
> first case the the owners of the domain in question would hopefully
> want to track down the compromised machine and take care of the
> problem.
>
> In the second case, the owners of the domain would only be interested 
> in tracking down the machine if they were planning to go after the
> person responsibel for well..."fraud".
>
> I just brought this up because it seemed useful if LMAP would be able to
> distinguish between those two cases.
The appropriate reaction on the part of the recipient MTA (remember, 
there is no human involvement in the mail transport system after 
origination) is to reject the message with a PERMFAIL code. If LMAP 
catches on, the incidence of attempted domain fraud will drop because it 
will be clearly seen as futile. There's no reason to bother the domain 
owner to let them know that someone's committing fraud, the domain owner 
implemented LMAP so they would never have to hear about it. Similarly, 
if you were receiving clearly unauthorized or abusive traffic from a 
specific address, regardless of SMTP or otherwise, you would report it 
to the owner of the address range, just as it sometimes happens now. The 
address owner could coincide with the owner of the claimed domain, but 
that doesn't matter.
If Alan DeKok hasn't been following this, one of us may want to bring it 
to his attention. Considering that this point did spark some debate, 
verbiage might be necessary in the draft documenting this decision.
Philip Miller



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg