
[Asrg] 6. Proposals - C/R and "callbacks"

2003-12-23 14:09:44
[Subject changed, was "Re: [Asrg] Re: [1] Why SPAM is worse in SMTP than in other protocols". Mod.]

Tony Toews wrote:
At 08:18 PM 2003/12/22 -0500, you wrote:

  The LMAP discussion document (based on Hadmut's comments in RMX),
says that the single hop use of SMTP is a large part of the reason why
spam is so wide-spread.  There are 100's of millions of senders, each
sending to only 100's of thousands of recipient MTA's.

> How is this behavior helpful to stopping spam?

  If that imbalance in the network was addressed, spam would become
significantly more manageable.  It wouldn't stop entirely, but having
a blacklist of 100K MTA's is significantly easier than having
blacklists of millions of IP's.

..

From my very simplistic view of the email systems it seems to me that the msgid id could be part of the verification mechanism. The originating MTA stamps the outgoing email with a unique message id. Once the header portion of the email is received then the recipient MTA does a name lookup on the originating MTA and verifies that the originating MTA sent that msgid. Once the recipient MTA finishes accepting the email the originating MTA then never uses that msgid again.
...

This approach is outlined by William Elan (he calls it "callback"):

http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf

This is also mentioned in the CRI proposal (level 2):

http://www.ietf.org/internet-drafts/draft-irtf-asrg-cri-00.txt

The basic argument against this is that it is very resource intensive, with a lot of extra costs such as more powerful servers that can handle callbacks, more bandwidth, and extra disk space to store IDs. There are also DOS issues: someone forging a domain can cause the forged domain to go under with too many callbacks. There are privacy issues as well, and possible replay attacks.

However, the bottom line here is: why go through the trouble of checking every single message? Granted that it increases costs, nevertheless if we can significantly reduce the problem through verification of MTAs as opposed to senders and messages, why go through the extra costs of message verification? This proposal is on the table, but we will pursue it only if a significant advantage vs. costs can be proven for this way of doing things, over others requiring lower costs.

Yakov

-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Some lies are easier to believe than the truth" (Dune)
-------


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
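
An added example, not part of the original message: a small Python simulation of the Message-ID callback discussed above, showing the ID storage on the originating MTA, the one-time-use check that rejects a replayed ID, and the callback load that lands on a domain whose name is forged. The class names, the in-memory directory standing in for the name lookup, the single-recipient simplification and the domain example.org are all assumptions.

```python
"""Constructed simulation of a Message-ID callback; not a real MTA."""
import secrets


class OriginMTA:
    """Sending MTA: remembers each Message-ID it issued until it is verified."""

    def __init__(self, domain):
        self.domain = domain
        self.pending = set()   # storage cost: one entry per message in flight
        self.callbacks = 0     # load cost: one inbound query per delivery attempt

    def send(self):
        msgid = f"<{secrets.token_hex(8)}@{self.domain}>"
        self.pending.add(msgid)
        return msgid

    def confirm(self, msgid):
        """Answer a callback. An ID is confirmed once and then retired
        (assumption: each message goes to a single recipient MTA)."""
        self.callbacks += 1
        if msgid in self.pending:
            self.pending.discard(msgid)
            return True
        return False


class RecipientMTA:
    def __init__(self, directory):
        # Hypothetical stand-in for the name lookup of the originating MTA.
        self.directory = directory

    def accept(self, claimed_domain, msgid):
        origin = self.directory.get(claimed_domain)
        return origin is not None and origin.confirm(msgid)


def run_demo(forged_count=1000):
    origin = OriginMTA("example.org")
    rx = RecipientMTA({"example.org": origin})
    msgid = origin.send()
    genuine = rx.accept("example.org", msgid)    # first callback succeeds
    replayed = rx.accept("example.org", msgid)   # same ID again is refused
    # Mail that merely claims example.org: every attempt is refused, but each
    # one still costs the named domain a callback it has to answer.
    forged_ok = any(rx.accept("example.org", f"<forged{i}@example.org>")
                    for i in range(forged_count))
    return genuine, replayed, forged_ok, origin.callbacks, len(origin.pending)
```

The callback counter on the forged-for domain grows with mail it never sent, which is the DoS cost raised in the reply.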


