Alan DeKok wrote:
Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com> wrote:
If the entire purpose of these proposals is to make sure that the sender
is who he claims to be according to DNS information,
I would say "has permission to claim association with a domain"
than what we could
do is create an ESMTP extension to pass sender's information to the
server MTA which will be verified via DNS. Since we need to change MTA
software to support sender rewriting schemes, we might as well add a new
extension instead, to pass that information explicitly.
Sounds fine to me. Can we have a show of hands from people in the
IETF who are *not* opposed to modifying SMTP?
I am not talking about modifying SMTP itself, rather adding an optional
ESMTP extension to it. Servers using this extension would be
whitelisted, giving people incentive to use it. Servers, that do not
will be treated like they are today. The underlying SMTP protocol will
not be modified in any way.
In SMTP AUTH RFC there is an AUTH parameter for the MAIL FROM command
which indicates the sender. If you use some similar mechanism to pass
sender information, you do not have to mess around with changing the
semantics of the envelope sender that are defined in RFC 2821.
Of course, that would assume that you trust the MTA which brings us back
to two separate problems:
1. We are trying to authenticate the incoming MTA.
2. We are trying to authenticate the relationsh between the sender's
domain and the incoming MTA.
DRIP addresses #1, while the other LMAP proposals address #2. What I see
as a problem is that sender's identity is not being explicitly given,
rather it is implied from #2. I would be much happier if the incoming
MTA would pass me the sender's identity and the question of
authentication of MTAs would be separate.
For example, with DRIP you can tie MTAs to domains and then to a
reputation service for IPs/domains of incoming MTAs. Then you would have
a separate mechanism for passing the sender's identity. This would
protect you from having trusted MTAs relay spam from hijacked computers
since the two identities will remain separate.
99.99% of the spam I get is forged. Call me naive, but this says to
me that spammers believe that forgery is an important part of the
spamming process.
Well the question is, imagine is the email system had identity. Would it
have made a difference?
Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Be liberal in what you accept, and conservative in what you send" (Jon
Postel)
-------
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg