ietf-asrg

Re: [Asrg] 1a. Inventory of Problems - Spoofed mail addresses

2004-02-05 20:57:57
Za'mbori, Zolta'n wrote:
If Aardvarks.example.com will be the MAIL FROM then MTA doing white-list
filtering at the SMTP level will refuse this email even if the white-list
contains the email address of Bob.

So our scenario goes like this: Chris wants publisher Aardvarks to send an 
article to Bob. Chris is in Bob's whitelist, but Aardvarks is not. Should the 
message from Aardvarks be delivered to Bob on the basis that it was requested 
by Chris, although not sent *by* him as such? In other words, should the 
whitelisting be transferrable? If Bob has authorised Chris to send mail to 
him, can Chris then share that authorisation with Aardvarks? If so, is the 
authorisation a one-off thing, or a permanent thing? And can Aardvarks then 
share the authority with its "business partners"?

You can probably see where this is going. It's the situation that we have now 
with email addresses. I can create a single-use email address (like the one 
I've used for subscription to this list), but I can't control its 
dissemination and subsequent use. The best I can do is retire an address when 
it becomes abused beyond its worth. If I had a strong LMAP-like means of 
verifying sender addresses, then I could restrict incoming addresses to use 
by particular senders, but the senders could not easily share their authority 
to send. Anything more subtle than those two policies will be difficult to 
implement. Not impossible, but certainly complex.

So let us assume that Chris is NOT authorised to share his mail-sending 
authority with third parties. Acting on Chris' request, Aardvarks.example.com 
finds itself unable to send mail to Bob, because Bob's mail policies reject 
mail from unknown parties. What can Aardvarks do about this? One possibility 
is to mail the article to Chris instead, saying, "we were unable to deliver 
this article to Bob as you requested. Please forward it to him with our 
compliments, and suggest that he add Aardvarks to his mail white-list if he 
wishes to receive forwarded articles from us more conveniently in future."

If Chris is unable to forward the article to Bob himself, then he never had 
the authority to request the mailing in the first place.

Regards,
TFBW


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
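
The two policies contrasted in the message above (an address that anyone holding it can use until it is retired, versus an address restricted to verified senders) can be modelled as follows. This is an added example, not part of the original post; the addresses, class and function names are constructed, and the sender-bound mode assumes an LMAP-like check has already verified MAIL FROM.

```python
from dataclasses import dataclass, field

# Constructed addresses for the Bob / Chris / Aardvarks scenario.
BOB_ALIAS = "bob-articles@bob.example"
CHRIS = "chris@chris.example"
AARDVARKS = "news@aardvarks.example.com"
PARTNER = "offers@partner.example"

@dataclass
class InboundPolicy:
    """Bob's accept/reject decision on (MAIL FROM, RCPT TO)."""
    sender_bound: bool                            # True assumes MAIL FROM was verified
    allowed: dict = field(default_factory=dict)   # rcpt address -> permitted senders
    retired: set = field(default_factory=set)

    def decide(self, mail_from: str, rcpt_to: str) -> bool:
        mail_from, rcpt_to = mail_from.lower(), rcpt_to.lower()
        if rcpt_to in self.retired or rcpt_to not in self.allowed:
            return False
        if not self.sender_bound:
            # Address-only policy: knowing the address is the whole credential.
            return True
        # Sender-bound policy: authority stays with the listed senders.
        return mail_from in self.allowed[rcpt_to]

def run_scenario(sender_bound: bool) -> dict:
    """Who reaches Bob after Chris passes Bob's address to Aardvarks,
    and Aardvarks passes it on to a partner."""
    policy = InboundPolicy(sender_bound, {BOB_ALIAS: {CHRIS}})
    senders = {"chris": CHRIS, "aardvarks": AARDVARKS, "partner": PARTNER}
    return {who: policy.decide(addr, BOB_ALIAS) for who, addr in senders.items()}

def retire_and_retry() -> dict:
    """Address-only remedy: retiring the address cuts off everyone, Chris included."""
    policy = InboundPolicy(False, {BOB_ALIAS: {CHRIS}})
    policy.retired.add(BOB_ALIAS)
    return {"chris": policy.decide(CHRIS, BOB_ALIAS),
            "partner": policy.decide(PARTNER, BOB_ALIAS)}

if __name__ == "__main__":
    print("address-only :", run_scenario(False))
    print("sender-bound :", run_scenario(True))
    print("after retire :", retire_and_retry())
```

Under the sender-bound policy the only path for the article is the one the message proposes: Aardvarks mails Chris, and Chris forwards it to Bob under his own authority.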