Re: [Asrg] Re: 6. Proposals: MTA MARK - and a LMAP note
2003-12-12 05:57:42
Fridrik Skulason wrote:
[snipped worm discussion]
I have to cast my vote on the side of using 'worm' instead of virus.
This is a community of professionals, who've volunteered to contribute
their time and knowledge, and I think it's pretty clear Fridrik should
know what he's talking about.
The mention of CodeRed and Nimda is in a section that argues
that one cannot trust on users to update their computers, even if the
security holes are some month old and patches exist for quite some time,
just like you can't count on them to configure their programs correctly
as can be seen from the number of open proxy servers.
All I was saying is that CodeRed is a bad example, as someone might
incorrectly assume that MTA MARK would have been effective against it.
It's easy enough to just say "Users cannot be trusted to keep their
machines secure and up to date." If there's anyone in the IETF
commmunity who doesn't believe that, they probably haven't been exposed
to users recently (within the past 9 or so years).
"This is one of my machines, but it is not authorized to send mail
from my domain" - this result would typically indicate a compromised
machine - either trying to send out worms or spam.
"This is not one of my machines, and therefore it is not authorized
to send mail from my domain" - this result would either indicate
a forgery or perhaps a "roaming salesman" instance.
What I don't quite see is how LMAP would distinguish between those two
cases - or if it can indeed do so. Clarification, anyone?
LMAP can't distinguish and it is IMHO irrelevant. The machine is not
authorized to send emails with a sender address from domain example.com,
regardless under whom's authority the machine is.
This is not relevant to MTA MARK, of course, but the issue is not
irrelevant, as the appropriate reaction would be different. In the
first case the the owners of the domain in question would hopefully
want to track down the compromised machine and take care of the
problem.
In the second case, the owners of the domain would only be interested
in tracking down the machine if they were planning to go after the
person responsibel for well..."fraud".
I just brought this up because it seemed useful if LMAP would be able to
distinguish between those two cases.
The appropriate reaction on the part of the recipient MTA (remember,
there is no human involvement in the mail transport system after
origination) is to reject the message with a PERMFAIL code. If LMAP
catches on, the incidence of attempted domain fraud will drop because it
will be clearly seen as futile. There's no reason to bother the domain
owner to let them know that someone's committing fraud, the domain owner
implemented LMAP so they would never have to hear about it. Similarly,
if you were receiving clearly unauthorized or abusive traffic from a
specific address, regardless of SMTP or otherwise, you would report it
to the owner of the address range, just as it sometimes happens now. The
address owner could coincide with the owner of the claimed domain, but
that doesn't matter.
If Alan DeKok hasn't been following this, one of us may want to bring it
to his attention. Considering that this point did spark some debate,
verbiage might be necessary in the draft documenting this decision.
Philip Miller
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [Asrg] Re: 6. Proposals: MTA MARK, (continued)
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Fridrik Skulason
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Philip Miller
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Markus Stumpf
- Re: [ASRG] 0. General - Etymology trivia: "virus", Chris
- Re: [Asrg] Re: 6. Proposals: MTA MARK - and a LMAP note, Fridrik Skulason
- Re: [Asrg] Re: 6. Proposals: MTA MARK - and a LMAP note,
Philip Miller <=
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Mark
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Yakov Shafranovich
- Re: [Asrg] Re: 6. Proposals: MTA MARK, B. Johannessen
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Yakov Shafranovich
- Re: [Asrg] Re: 6. Proposals: MTA MARK, Tomi Panula-Ontto
|
|
|