On Apr 27, 2006, at 3:54 PM, Paul Robinson wrote:
> How about instead of trying to fix SMTP - a perfectly good protocol
> with lots of layers for encryption, authorisation, and decades of
> experience shared between us all - why don't we try fixing the
> people who respond to spam thereby making it an economically sound
> marketing proposition?
> OK, unrealistic, I accept. But no more unrealistic than replacing
> SMTP any time soon.
A non-functional aspect of SMTP, per the specification, prohibits
assured verification of the sending host name. This minor exception
prevents an otherwise effective defense against many common abuses.
When done at the EHLO, a verified host name offers a name-based DoS
defense early in the SMTP session, and can describe a message path by
name without risks of network amplification. The name-based approach
offers tell-tale information about the SMTP client based solely upon
the history of their name server. The name-based approach also
reduces collateral blocking within shared address space.
When identifying clients solely by IP address, inordinate levels of
network amplification may be realized when assembling global
authorizations for a domain. Construction of such IP address lists
may require more than one hundred DNS transactions for each right-hand
name questioned within a message. This IP address authorization
technique will jeopardize DNS owing to the pervasive and distributed
nature of email. A noticeable characteristic of this technique is
that it does not identify the controlling domain, nor does it afford
any DoS protections. The recent authentication techniques may invite
more names to be questioned using this highly dangerous technique.
It is not unrealistic to fix this broken aspect of SMTP EHLO
verification, and to discourage attempts at using IP address lists as
a means of authorization.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
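The cost comparison Doug draws, between verifying an EHLO host name and expanding an IP-address authorization list, can be made concrete with a small simulation. The following is an added example, not code from the ASRG thread or from any IETF project: it uses a constructed in-memory zone (all names and addresses are hypothetical, taken from documentation ranges) and a counting stub resolver, so it runs offline. `verify_ehlo` forward-confirms the EHLO name against the connecting address with a single query; `expand_address_list` walks an SPF-style record through `include`, `a` and `mx` terms and aborts once a lookup budget is exhausted, which is the defensive cap a receiver needs against the amplification the message describes.

```python
"""Added example (not from the ASRG thread): compare the DNS cost of a
forward-confirmed EHLO host-name check with the cost of expanding an
IP-address authorization list. All records below are constructed."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed, in-memory "DNS": (owner name, rrtype) -> rdata strings.
# Hypothetical zone; example.org's address list is spread over included lists.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("a.example.org", "A"): ["198.51.100.5"],
    ("a.example.org", "MX"): ["mx1.example.org"],
    ("host.b.example.org", "A"): ["203.0.113.7"],
    ("c.example.org", "MX"): ["mx1.example.org"],
    ("example.org", "TXT"): ["v=spf1 include:_spf.example.org -all"],
    ("_spf.example.org", "TXT"): [
        "v=spf1 include:a.example.org include:b.example.org ip4:192.0.2.0/24 -all"],
    ("a.example.org", "TXT"): ["v=spf1 a mx -all"],
    ("b.example.org", "TXT"): ["v=spf1 a:host.b.example.org include:c.example.org -all"],
    ("c.example.org", "TXT"): ["v=spf1 include:d.example.org mx -all"],
    ("d.example.org", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}


class LookupBudgetExceeded(Exception):
    """Raised when a check would issue more DNS queries than allowed."""


class CountingResolver:
    """Stand-in for a stub resolver: answers from FAKE_ZONE and counts every
    query so the cost of each verification technique can be compared."""

    def __init__(self, zone: Dict[Tuple[str, str], List[str]], budget=None):
        self.zone = zone
        self.budget = budget      # None means unlimited
        self.queries = 0

    def query(self, name: str, rrtype: str) -> List[str]:
        if self.budget is not None and self.queries >= self.budget:
            raise LookupBudgetExceeded(f"{self.queries} queries already issued")
        self.queries += 1
        return list(self.zone.get((name.lower().rstrip("."), rrtype), []))


_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_fqdn(name: str) -> bool:
    """Accept only a syntactically valid, multi-label host name; address
    literals such as [192.0.2.10] are legal EHLO arguments but not names."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def verify_ehlo(resolver: CountingResolver, ehlo_name: str, client_ip: str) -> bool:
    """Forward-confirm the EHLO name: it must resolve to the connecting
    address. One A query, regardless of how the sender's domain is laid out."""
    if not is_fqdn(ehlo_name):
        return False
    return client_ip in resolver.query(ehlo_name, "A")


def expand_address_list(resolver: CountingResolver, domain: str,
                        seen: Set[str] = None) -> Set[ipaddress.IPv4Network]:
    """Expand an SPF-style TXT record into concrete networks, following
    include/a/mx terms. Every term that needs DNS costs at least one query."""
    seen = seen if seen is not None else set()
    if domain in seen:            # include loops would otherwise recurse forever
        return set()
    seen.add(domain)
    nets: Set[ipaddress.IPv4Network] = set()
    records = [t for t in resolver.query(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return nets
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")          # qualifiers do not affect cost
        if term == "all":
            continue
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= expand_address_list(resolver, term[8:], seen)
        elif term == "a" or term.startswith("a:"):
            host = domain if term == "a" else term[2:]
            for addr in resolver.query(host, "A"):
                nets.add(ipaddress.ip_network(addr))
        elif term == "mx" or term.startswith("mx:"):
            host = domain if term == "mx" else term[3:]
            for mx in resolver.query(host, "MX"):          # one MX query ...
                for addr in resolver.query(mx, "A"):       # ... plus one A per MX host
                    nets.add(ipaddress.ip_network(addr))
    return nets


def ehlo_check_cost(ehlo_name: str, client_ip: str) -> Tuple[int, bool]:
    """Return (queries issued, verified?) for one EHLO host-name check."""
    resolver = CountingResolver(FAKE_ZONE)
    return resolver.queries if False else (lambda ok: (resolver.queries, ok))(
        verify_ehlo(resolver, ehlo_name, client_ip))


def address_list_cost(domain: str, budget=10) -> Tuple[int, List[str], bool]:
    """Return (queries issued, networks found, completed within budget?)."""
    resolver = CountingResolver(FAKE_ZONE, budget)
    try:
        nets = expand_address_list(resolver, domain)
        return resolver.queries, sorted(str(n) for n in nets), True
    except LookupBudgetExceeded:
        return resolver.queries, [], False


if __name__ == "__main__":
    print("EHLO check:", ehlo_check_cost("mx1.example.org", "192.0.2.10"))
    print("address list, capped:", address_list_cost("example.org", budget=10))
    print("address list, uncapped:", address_list_cost("example.org", budget=None))
```

Run as a script, the EHLO check completes in one query while expanding example.org's list needs twelve and is cut off at the ten-query cap; the cap is what turns an unbounded, attacker-shaped lookup tree into a bounded cost on the receiver's resolver.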