--On 21 June 2009 23:34:16 -0700 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>
wrote:
On Jun 20, 2009, at 12:20 PM, Alessandro Vesely wrote:
...
OTOH, sender identification by domain could also be a way to
attribute responsibility. Strictly speaking, it is not necessary to
use a domain in order to send as an SMTP client. However, in
practice one needs an email address to do any legitimate use of
SMTP, and hence a domain is required.
Technically speaking, a domain is not required for SMTP. CSV was to
offer a DNS record type that explicitly declared a host as being an
outbound MTA. This would not in itself prevent abuse, but would help to
determine which compromised systems might be sending email and resolving
which domain is administrating the MTA.
SPF does not work well at resolving a domain that should be held
accountable for a few reasons-
a) risks high and impractical transaction overheads at attempts to
indirectly reference the customers of a provider.
Er, we already have ridiculous transaction overheads for email. Anything
that stopped spam would reduce the transaction overheads for legitimate
email by up to ten fold.
b) may not qualify any specific IP address for a positive result.
I'm not sure what that phrase means. If it means that some lookups result
in softfail or neutral results, then that actually doesn't matter much. The
passes and the fails still get us useful information. Anything else just
puts us back where we were before.
c) Mail From or PRA references do not resolve which domain administered
the MTA or actually sent the message.
It doesn't matter. If the domain owner devolves responsibility to the IP
address owner, then the mail is effectively from the domain owner, and they
can be held responsible for their email. Reputation services, and the law
can be applied as appropriate.
d) holds customers of a provider accountable for the provider's
stewardship without any solid evidence of their involvement.
Please expand, I don't understand this either.
Schemes that pass accountability onto what might be feckless
domain owners are inherently evil.
I disagree, _provided_ accountability is actually passed on.
+1
There should be greater concern accountability is correctly applied.
If the domain owners are feckless, then apply sanctions. Accountability HAS
to lie with domain owners if you want to establish reputation services
based on domain names, and most people do want to do that. If the domain
owner is found to be feckless, then reputation sanctions should be applied.
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg