ietf-asrg

Re: [Asrg] Message Level Authentication

2004-05-07 15:33:45
> Is the job of this group to find something that works, or find
> something that nobody else came up with?

The former.

Patents aren't an insurmountable problem, although unless your
patented scheme is vastly, enormously, better than all of the
alternatives, people are going to use schemes that are either P.D. or
where patent owners offer free licenses as Microsoft says they're
going to do with Caller ID.

The lack of a formal Internet Draft isn't insurmountable either,
although lack of a concrete technical spec is.  Microsoft has
published a Caller ID spec with as much detail as you'd find in an
I-D, and there's one coming shortly for Domain Keys.

The basic problem with per message callback verification is that it's
not a very good way to authenticate messages.  It's an idea that's
come up from time to time and has never garnered much enthusiasm.

It's very expensive for recipients, since it requires a database
lookup over the net for each message, and unlike any of the LMAP
proposals or Domain Keys, the looked up data can't be cached for other
messages from the same domain.  It's a disaster for senders if their
domain is even moderately spoofed, since they'll be hammered with
lookups for every spoofed message.  (My abuse.net domain, for example,
sends under 10K messages a day, but there's up to a million daily
forged abuse.net spams from about two Russian spammers.)

It also seems to me utterly implausible that a high volume mailer like
AOL or Hotmail would be able to maintain a database of every message
they send, and process queries in real time.  Unlike mail sending and
receiving, this cannot be farmed out to multiple independent parallel
servers, since the domain's database has to know about all the mail
sent from that domain and respond to all the queries.

If you had a concrete description of your system, we could probably
identify other problems with forwarded mail, roaming users, one-way
forwarders like computer.org and pobox.com, and "frankenmail" with the
head of a legit mail and the body of a spam.  But given how
fundamental the performance and scaling issues are, I doubt you'll get
much more feedback here even if you did have a spec.

Several ASRG participants run e-mail consultancies, so if you really
wanted a more detailed critique, you could doubtless hire someone to
help perform one.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
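
The load argument in the message above, as an added example that is not part of the original post: a small simulation counting the queries that reach the claimed sending domain in one day under per-message callback versus a cacheable per-domain record. The receiver count, the one-hour TTL and the uniform arrival pattern are assumptions; the 10K and one million message figures are the ones quoted in the message.

```python
import random

DAY = 86400  # seconds

def queries_to_sender(messages, receivers, ttl, seed=1):
    """Count queries arriving at the claimed sending domain in one day.

    messages  -- messages claiming the domain (legitimate + forged)
    receivers -- distinct receiving MTAs (assumed)
    ttl       -- lifetime in seconds of a cached per-domain record (assumed)
    Returns (per_message_callback, cached_per_domain).
    """
    rng = random.Random(seed)
    # Constructed traffic: uniform arrival time, uniformly chosen receiver.
    arrivals = sorted((rng.uniform(0, DAY), rng.randrange(receivers))
                      for _ in range(messages))
    callback = 0
    cached = 0
    expires = {}  # receiver id -> time its cached domain record expires
    for t, r in arrivals:
        callback += 1               # each message needs its own lookup
        if expires.get(r, 0.0) <= t:
            cached += 1             # cache miss: one fetch covers the domain
            expires[r] = t + ttl
    return callback, cached

if __name__ == "__main__":
    legit, forged = 10_000, 1_000_000   # figures quoted in the message
    for label, n in (("legit only", legit), ("legit + forged", legit + forged)):
        cb, dom = queries_to_sender(n, receivers=500, ttl=3600)
        print(f"{label:15} callback={cb:>9,} cached-per-domain={dom:>7,}")
```

The callback count grows one for one with forged volume, while the cached count is capped by receivers times TTL windows per day regardless of how much mail is forged.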

