Gordon,
I'm just going to pick out a few little points here about how LMAP is
complementary to your permissions system. Note that I agree with the general
principles of least privilege for email senders.
1. Reducing zombie population
> Likewise, we HAVE to work on cutting down the ease of zombie recruitment,
> and I believe that my attachments (and HTML!) permissions list idea
> (basically a fine-resolution whitelist) is a *major* step in the right
> direction there.
I agree with you here. This goal is very compatible with implementing an
LMAP system, because it means you have an authenticated ISP to send
(automated) complaints and abuse reports to, and if they're on the ball, the
user part will have been authenticated by them, so it becomes a matter of
economics for them to clean up their network, to reduce complaints or to
avoid black-listing because they are abusive to the Internet as a whole.
2. Preventing forgeries getting you infected
> Even if one of those familiar senders WERE to get zombie-ized, the fact
> that suddenly they're not behaving (SOMETIMES!) the way I expect them to
> behave is enough to cause the irregular mail to be zapped, EVEN THOUGH
> the real stuff they still occasionally send me legitimately will still
> sail through to me just the way it always has.
If one of your legitimate correspondents catches a virus, there are a couple
of things that could happen. If they send you a mail directly, odds are it gets
blocked by your ACLs. But imagine that the virus instead forges all of the
N^2 combinations of To and From using the addresses in the infected user's
address book. There's a chance (however slim) that you have a common
acquaintance from whom you'll accept an email that will infect you.
Now add authentication back into the mix:
If the 'vulnerable from' happens to be in another domain, the message will
be rejected at the recipient edge MTA as forged. If it's in the same domain
as the already infected person, then the ISP should be authenticating it.
Looks like a win-win proposition to me.
3. Sending back bounces to legitimate senders telling them that they were
out of line.
> I don't see any point in E-mailing back (to who? AS IF there were a real
> return address!) and telling them what to do to get past my checks!!??
> Riiiiiiiight. No, a big part of the whole key to this thing is that the
> legitimate senders know that their current behavior is acceptable
> (perhaps JUST!) and that they may run into problems if they stray too far
> from that standard (and different recipients may have set their filters
With LMAP, this works better. You will have a validated return path to send
a bounce back to, even after the message has been delivered locally. Thus,
if one of your legitimate senders just steps over the line (maybe attaches a
JPG that's 1K over what would have been tolerated), they'll get a bounce
saying it wasn't delivered, rather than wondering why you never responded.
Philip Miller
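The two interactions described in points 2 and 3 above (a forged From from a trusted correspondent being caught by sender-domain authentication rather than by the recipient's permissions list, and a bounce being sent only when there is a validated return path) can be modelled in a few lines. The following is an added illustration, not code from the ASRG thread or from any LMAP implementation. It assumes a simplified model: LMAP is represented as a per-domain list of authorized outbound MTA networks, and the "permissions list" as a per-sender set of allowed attachment types with a size cap. All addresses, networks and sizes are constructed sample values.

```python
"""Sender-domain authentication (LMAP-style, simplified) combined with a
per-sender attachment permissions list.

Added illustration; the data below is constructed for the example.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed LMAP-style records: networks allowed to emit mail for a domain.
AUTHORIZED_MTAS = {
    "example.com": [ip_network("192.0.2.0/24")],
    "example.net": [ip_network("198.51.100.0/24")],
}

# Constructed recipient-side permissions list ("fine-resolution whitelist"):
# which attachment types a familiar sender may send, and how large.
PERMISSIONS = {
    "alice@example.com": {"types": {"jpg", "pdf"}, "max_bytes": 100_000},
    "bob@example.net": {"types": set(), "max_bytes": 0},
}


@dataclass
class Message:
    mail_from: str          # envelope return path
    client_ip: str          # address of the connecting MTA
    attachments: list       # list of (type, size_in_bytes)


def lmap_check(mail_from, client_ip):
    """Return 'pass', 'fail', or 'none' (domain publishes no record)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    nets = AUTHORIZED_MTAS.get(domain)
    if nets is None:
        return "none"
    return "pass" if any(ip_address(client_ip) in n for n in nets) else "fail"


def acl_check(mail_from, attachments):
    """Apply the recipient's per-sender permissions; return (ok, reason)."""
    perm = PERMISSIONS.get(mail_from.lower())
    if perm is None:
        return False, "sender not in permissions list"
    for kind, size in attachments:
        if kind not in perm["types"]:
            return False, f"attachment type {kind!r} not permitted for this sender"
        if size > perm["max_bytes"]:
            return False, f"attachment of {size} bytes exceeds cap of {perm['max_bytes']}"
    return True, "ok"


def handle(msg):
    """Return (action, reason, bounce_to).

    action is one of 'reject', 'accept', 'bounce', 'drop'.
    """
    auth = lmap_check(msg.mail_from, msg.client_ip)
    if auth == "fail":
        # The connecting host is not authorized for the claimed domain: the
        # message is refused at the edge MTA before any ACL runs, and nothing
        # is mailed back to the forged address.
        return ("reject", "LMAP fail: sender domain forged", None)
    ok, reason = acl_check(msg.mail_from, msg.attachments)
    if ok:
        return ("accept", reason, None)
    # Permissions violation. Only a validated return path gets a bounce, so
    # the "you stepped over the line" notice reaches the real sender instead
    # of an innocent third party.
    if auth == "pass":
        return ("bounce", reason, msg.mail_from)
    return ("drop", reason + " (return path unverified, no bounce)", None)


def scenarios():
    """The cases discussed in the post, on constructed messages."""
    cases = {
        # Alice mails through her own ISP, within her permissions.
        "legit": Message("alice@example.com", "192.0.2.25", [("jpg", 90_000)]),
        # Bob's infected machine forges Alice (a common acquaintance) as From.
        "forged": Message("alice@example.com", "198.51.100.7", [("jpg", 90_000)]),
        # Alice steps just over the line: JPG 1K past the cap.
        "oversize": Message("alice@example.com", "192.0.2.25", [("jpg", 101_000)]),
        # Unknown sender, domain publishes no record, disallowed attachment.
        "unknown": Message("carol@example.org", "203.0.113.5", [("exe", 5_000)]),
    }
    return {name: handle(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9s} -> {result}")
```

Without the authentication step, the "forged" case is indistinguishable from the "legit" one at the recipient: same From, same permitted attachment type and size, so the permissions list alone would let it through. With it, the forgery is refused at the edge and the oversize message from the real Alice gets a bounce she can act on. The same-domain case from point 2 (Bob's machine forging another example.net user) would pass this domain-level check, which is exactly why the post says the ISP must authenticate the user part on its own side.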
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg