[Subject changed, was "Re: [Asrg] Re: [1] Why SPAM is worse in SMTP than
in other protocols". Mod.]
Tony Toews wrote:
At 08:18 PM 2003/12/22 -0500, you wrote:
The LMAP discussion document (based on Hadmut's comments in RMX),
says that the single hop use of SMTP is a large part of the reason why
spam is so wide-spread. There are 100's of millions of senders, each
sending to only 100's of thousands of recipient MTA's.
> How is this behavior helpful to stopping spam?
If that imbalance in the network was addressed, spam would become
significantly more manageable. It wouldn't stop entirely, but having
a blacklist of 100K MTA's is significantly easier than having
blacklists of millions of IP's.
..
From my very simplistic view of the email systems it seems to me that
the msgid id could be part of the verification mechanism. The
originating MTA stamps the outgoing email with a unique message id.
Once the header portion of the email is received then the recipient MTA
does a name lookup on the originating MTA and verifies that the
originating MTA sent that msgid. Once the recipient MTA finishes
accepting the email the originating MTA then never uses that msgid again.
...
This approach is outlined by William Elan (he calls it "callback"):
http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf
This is also mentioned in the CRI proposal (level 2):
http://www.ietf.org/internet-drafts/draft-irtf-asrg-cri-00.txt
The basic argument against this is that it is very resource intensive,
with a lot of extra costs such as more powerful servers that can handle
callbacks, more bandwidth, and extra disk space to store IDs. There are
also DOS issues: someone forging a domain can cause the forged domain to
go under with too many callbacks. There are privacy issues as well, and
possible replay attacks.
However, the bottom line here is: why go through the trouble of
checking every single message? Granted that it increases costs,
nevertheless if we can significantly reduce the problem through
verification of MTAs as opposed to senders and messages, why go through
the extra costs of message verification? This proposal is on the table,
but we will pursue it only if a significant advantage vs. costs can be
proven for this way of doing things, over others requiring less costs.
Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Some lies are easier to believe than the truth" (Dune)
-------
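
The msgid callback discussed in this message, sketched as an added example that is not part of the original post or of either cited proposal. The class and function names, the ID lifetime, and the rule that an ID is confirmed at most once (one way to address the replay concern) are assumptions, and a dictionary stands in for the name lookup.

```python
import secrets
import time


class OriginMTA:
    """Sending side: records each msgid it stamps and answers callbacks."""

    def __init__(self, domain, ttl=3600):
        self.domain = domain
        self.ttl = ttl                # assumed lifetime; bounds ID storage
        self.outstanding = {}         # msgid -> expiry time
        self.callbacks_served = 0     # load imposed on this domain

    def stamp(self, now=None):
        now = time.time() if now is None else now
        msgid = f"<{secrets.token_hex(16)}@{self.domain}>"
        self.outstanding[msgid] = now + self.ttl
        return msgid

    def confirm(self, msgid, now=None):
        """Answer a callback; each msgid is confirmed at most once."""
        now = time.time() if now is None else now
        self.callbacks_served += 1    # counted even when the ID is unknown
        expiry = self.outstanding.pop(msgid, None)   # single use blocks replay
        return expiry is not None and now <= expiry


def recipient_accepts(msgid, mta_lookup):
    """Receiving side: once headers arrive, call back the domain in the msgid."""
    domain = msgid.rstrip(">").rpartition("@")[2]
    origin = mta_lookup.get(domain)   # stands in for the name lookup
    return origin is not None and origin.confirm(msgid)


def demo():
    origin = OriginMTA("example.org")
    directory = {"example.org": origin}
    genuine = origin.stamp()
    forged = "<deadbeef@example.org>"   # constructed ID the origin never issued
    results = {
        "genuine": recipient_accepts(genuine, directory),
        "replayed": recipient_accepts(genuine, directory),
        "forged": recipient_accepts(forged, directory),
    }
    return results, origin.callbacks_served


if __name__ == "__main__":
    print(demo())
```

The forged and replayed IDs are rejected, but each still costs the named domain one callback, which is the load concern raised above.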