On 9/17/07, Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:
Michael Kaplan wrote:
The core of this concept is that questionable unauthenticated email
will be bounced
I hope you mean "rejected", unsolicited bounces are evil.
Yes, in section 9 I summarize the Ironport data on the bounce problem, and
it is a real problem.
Sometimes legitimate email is unauthenticated; adopting a policy of
absolutely never sending a bounce in response to an unauthenticated email
will degrade the integrity of email. Banning all such bounces solves one
problem and creates another.
Indiscriminate bounces are the real problem with bounces. In section 9 I
demonstrate what would happen if 50% of the global email population used RIA
and 4% of incoming spam was bounced. The conclusion is that the average
user will receive a 0.2% increase in 'spam' volume.
Some individuals/entities will suffer a DDoS attack as their domains are
heavily spoofed by spammers. In this worse case scenario RIA will increase
their email volume by only 5% despite having 50% global participation in
RIA.
Again the real problem with bounces is indiscriminate bouncing, highly
selective bouncing is relatively inconsequential. 50% of the global
population would have near perfect protection from spam in exchange for only
a slight increase in erroneous bounces.
If whatever
you do is some kind of "receiver generated SPF database" I also hope
that folks like me, where all legit mails get a PASS, and anything
else (including traditional forwarder scenarios) gets an SPF FAIL,
don't need to worry about your concept.
Any email that gets an SPF FAIL will never be bounced.
You never send spammy email, and all of your email is already
authenticated. You will never even be aware of the existence of RIA as your
emails will never be bounced. You need never use a sub-address, or you can
use a deactivated sub-address - it really doesn't matter since your emails
are unambiguously ham so they will always directly reach the inbox. Almost
all email sent by individuals is unambiguously ham; most individual senders
will remain completely unaffected by RIA.
But I'm far from confident that that's the case, there are dubious
statements on your page. Example:
| A perfectly comprehensive SPF record would require every domain
| administrator in the world to constantly update their domain's
| SPF record; an impossible expectation.
As long as the IPs and/or domain names describing the "border" of an
alleged sender don't change the administrator has no reason to touch
her SPF sender policy.
This is good; RIA will never block authenticated email from reputable
senders. RIA will almost exclusively impact the less responsible senders
who do not authenticate and also get a poor rating via a statistical filter.
Existing SPF cannot authenticate forwarded email.
To some degree it can, receivers are free to whitelist forwarders
based on a HELO PASS for the outgoing MTAs of trusted forwarders,
and forwarders are free to become redistributors, i.e rewrite the
MAIL FROM.
This is also good; email sent via trusted forwarders will be considered
authenticated and RIA will not obstruct it. Some forwarders employ SRS, but
some don't. Email sent without a sub-address via an untrusted forwarder
that does not employ SRS will get bounced... but only if a statistical
filter classifies the email as 'unsure'.
[RIA]
Innocent third parties will be relatively unaffected by erroneous
bounces.
If innocent third parties with an SPF PASS/FAIL policy are affected
your system is broken. Many SPF participants can't add BATV to their
setup, or won't even if they could for various reasons.
Bounces will not be sent to an SPF FAIL. See section 9 as to the impact on
innocent third parties.
If innocent third parties without BATV or without SPF PASS/FAIL
policy are "relatively unaffected" they might have their own opinion
about this issue. As an example I'd never allow Outlook Express to
send "auto-responses". It's bad enough that I use this software at
the moment.
If you (and 50% of the global email population) instituted RIA and
subsequently became almost completely spam free, could you then live with
the fact that non-participants in RIA and non-participants in BATV will
suffer an average of a 0.2% increase in spam volume? Yes, a very small
number of individuals will suffer a 5% increase in erroneous bounce
traffic. 50% of the email population living spam free would be an
extraordinary thing; I for one would be willing to live with the guilt.
Thank you for you input,
Michael
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg