ietf-asrg

Re: [Asrg] "New Email Protocol Replaces SMTP"

2006-04-27 17:21:58

On Apr 27, 2006, at 3:54 PM, Paul Robinson wrote:


How about instead of trying to fix SMTP - a perfectly good protocol with lots of layers for encryption, authorisation, and decades of experience shared between us all - why don't we try fixing the people who respond to spam thereby making it an economically sound marketing proposition?

OK, unrealistic, I accept. But no more unrealistic than replacing SMTP any time soon.

A non-functional aspect of SMTP, per the specification, prohibits assured verification of the sending host name. This minor exception prevents an otherwise effective defense against many common abuses. When done at the EHLO, a verified host name offers a name-based DoS defense early in the SMTP session, and can describe a message path by name without risks of network amplification. The name-based approach offers tell-tale information about the SMTP client based solely upon the history of their name server. The name-based approach also reduces collateral blocking within shared address space.

When identifying clients solely by IP address, inordinate levels of network amplification may be realized when assembling global authorizations for a domain. Construction of such IP address lists may require more than one hundred DNS transactions for each right-hand name questioned within a message. This IP address authorization technique will jeopardize DNS owing to the pervasive and distributed nature of email. A noticeable characteristic of this technique is that it does not identify the controlling domain, nor does it afford any DoS protections. The recent authentication techniques may invite more names to be questioned using this highly dangerous technique.

It is not unrealistic to fix this broken aspect of SMTP EHLO verification, and to discourage attempts at using IP address lists as a means of authorization.

-Doug



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
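
The EHLO host name check argued for in the message above, sketched as an added example that is not part of the original post: the receiver makes one address query for the claimed name and keys its accept/refuse decision on the verified name rather than on the peer address. `ZONE`, `CountingResolver`, `verify_ehlo` and `admit` are hypothetical names, and the zone data is constructed from documentation names and address ranges in place of live DNS.

```python
import ipaddress

# Constructed forward zone using documentation names and address ranges.
ZONE = {
    "mx1.example.org.": ["192.0.2.10", "2001:db8::10"],
    "relay.example.net.": ["198.51.100.7"],
}

class CountingResolver:
    """Stand-in for a DNS resolver over ZONE; counts address queries."""
    def __init__(self, zone):
        self.zone, self.queries = zone, 0

    def addresses(self, fqdn):
        self.queries += 1
        return self.zone.get(fqdn, [])

def verify_ehlo(resolver, ehlo_name, client_ip):
    """Return (verified, key): key is the name when one of its addresses
    matches the connecting peer, otherwise the peer address."""
    name = ehlo_name.strip().lower().rstrip(".")
    # Address literals and single-label names cannot be verified by name.
    if not name or name.startswith("[") or "." not in name:
        return False, client_ip
    peer = ipaddress.ip_address(client_ip)
    for addr in resolver.addresses(name + "."):
        if ipaddress.ip_address(addr) == peer:  # compares parsed values
            return True, name
    return False, client_ip

def admit(resolver, refused_names, ehlo_name, client_ip):
    """Decide at EHLO, before any message data is accepted."""
    verified, key = verify_ehlo(resolver, ehlo_name, client_ip)
    if not verified:
        return "unverified"
    return "refuse" if key in refused_names else "accept"

if __name__ == "__main__":
    r = CountingResolver(ZONE)
    refused = {"relay.example.net"}  # constructed name-based refusal list
    for ehlo, ip in [("MX1.Example.ORG", "192.0.2.10"),
                     ("mx1.example.org", "203.0.113.5"),  # name not backed by peer
                     ("relay.example.net", "198.51.100.7"),
                     ("[192.0.2.10]", "192.0.2.10")]:
        print(ehlo, ip, admit(r, refused, ehlo, ip))
    print("address queries:", r.queries)
```

Each verification costs at most one address query for the name the client itself presented, and a refusal recorded against a verified name does not touch other names or neighbouring addresses.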