
Re: [Asrg] "Affiliation"

2009-06-22 13:52:42
Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:
Douglas Otis wrote:

CSV was to offer a DNS record type that explicitly declared a host as 
being an outbound MTA.  This would not in itself prevent abuse, but would 
help to determine which compromised systems might be sending email and 
resolving which domain is administrating the MTA.

It didn't help retrieving the responsible domain, though.

   CSV intended to use the EHLO string _as_ the responsible domain, even
though it might be one of several subdomains under a single management.

Furthermore, it didn't do ranges, thus making it laborious to deny
sending to a bunch of hosts.

   I agree it didn't "do ranges", since it seemed appropriate to allow
separate reputations for separate EHLO names.

In addition, CSA spec curiously had a "MAY" for a non-authorized host
with a non-ignored target resulting in weight 0.

   That was an artifact of our being told that excessive queries for
the root "." would cause problems. The "MAY" covered how to program a
case which "should" never happen.

However, _client._smtp.domain-name records authorizing various targets 
would be almost equivalent to setting SPF, or MX heuristics. (I'll 
possibly add that to the next vhlo draft.)

   I'm certainly game to do any needed updates to draft...csv...

AFAIK, all discussions eventually reach the conclusion that the 
receiving server does not know which domain administers the client 
MTA.

   CSV was intended to address exactly that problem. We felt that the
vast majority of domains _could_ get by with half a dozen IP addresses
returned by an A)ddress record, and that for those that couldn't, the
ability to have separable reputations was an _advantage_. For a
reputation service, more than one reputation record per domain actively
sending (reasonable) email seemed simple enough.

FWIW the old ietf-marid-csv-csa asserts that

  The SMTP [RFC2821] [RFC0821] protocol permits a client to declare
  its affiliation, by asserting a domain name in the HELO or EHLO
  announcement.

which is wrong. EHLO only allows it to declare its identity.

   It's a relief, actually, to _finally_ have a useful correction to
these drafts!

   I agree that "affiliation" was not the best choice of words in
draft-ietf-marid-csv-csa-02. "Affiliation" should be multi-valued,
with an individual sending MTA able to affiliate with multiple
entities.

   OTOH, "identity" isn't quite right either. Though it is the term
used in RFC 2821, that RFC in no sense requires that the "identity"
identify a single server.

   "Identity" would probably be better than "affiliation"; some other
term might be better than either...

Declaring the affiliation is VHLO's raison d'être.

   Hmm... I still think "affiliation" deserves to be multi-valued...

--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
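The lookup mechanism the thread argues about (the EHLO string itself as the key, a _client._smtp SRV record naming the authorized hosts, their address records giving the permitted client IPs, one record per EHLO name with no ranges or inheritance, and no query ever sent to the root ".") is easy to misread from prose alone. The following is an added toy model written for this page, not code from the CSV/CSA drafts, VHLO, or any of the posters. It deliberately does not model the draft's priority/weight encoding; the SRV priority and weight values in the constructed data are placeholders, the "." target is taken from the RFC 2782 convention for "service not available", and all DNS data is constructed inline so it runs offline:

```python
"""Toy model of a CSA-style sender check (added example, not the draft's code).

Simplifications, stated as assumptions:
  * the EHLO name is looked up as-is; no parent domain is consulted;
  * SRV targets name the hosts; their A records list permitted client IPs;
  * a target of "." (RFC 2782: "service not available") is never resolved,
    so the root is never queried;
  * priority/weight in the constructed records are placeholders only.
"""
import ipaddress
from typing import Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target


class FakeResolver:
    """Offline stand-in for DNS; logs every query so the cost is visible."""

    def __init__(self, srv: Dict[str, List[SrvRecord]], a: Dict[str, List[str]]):
        self.srv = srv
        self.a = a
        self.queries: List[Tuple[str, str]] = []  # (qtype, qname) in order

    def lookup_srv(self, name: str) -> List[SrvRecord]:
        self.queries.append(("SRV", name))
        return self.srv.get(name, [])

    def lookup_a(self, name: str) -> List[str]:
        self.queries.append(("A", name))
        return self.a.get(name, [])


def csa_check(ehlo_name: str, client_ip: str, dns: FakeResolver) -> str:
    """Classify a connecting client by its EHLO name.

    'pass'  the EHLO name publishes a record and the client IP is one of
            the addresses of an authorized target
    'fail'  the EHLO name publishes a record but the client IP is not
            covered (includes the explicit "." target: "I send no mail")
    'none'  the EHLO name publishes nothing; nothing can be concluded
    """
    # Normalise to a fully qualified, lower-case owner name.
    name = ehlo_name.strip().rstrip(".").lower() + "."
    records = dns.lookup_srv("_client._smtp." + name)
    if not records:
        return "none"

    ip = ipaddress.ip_address(client_ip)
    for _priority, _weight, _port, target in records:
        if target == ".":
            # Explicit "not a sender"; resolving "." would hit the root.
            continue
        for addr in dns.lookup_a(target):
            if ipaddress.ip_address(addr) == ip:
                return "pass"
    return "fail"


def build_example() -> FakeResolver:
    """Constructed zone data for the example (not real DNS)."""
    srv = {
        # mta1 declares itself an outbound MTA; its A records are the allow-list.
        "_client._smtp.mta1.example.com.": [(0, 0, 25, "mta1.example.com.")],
        # www declares that it never sends mail: target is the root.
        "_client._smtp.www.example.com.": [(0, 0, 25, ".")],
    }
    a = {"mta1.example.com.": ["192.0.2.10", "192.0.2.11"]}
    return FakeResolver(srv, a)


if __name__ == "__main__":
    dns = build_example()
    for ehlo, ip in [("mta1.example.com", "192.0.2.10"),
                     ("mta1.example.com", "192.0.2.99"),
                     ("www.example.com", "192.0.2.10"),
                     ("sub.mta1.example.com", "192.0.2.10")]:
        print(f"{ehlo:24} {ip:12} -> {csa_check(ehlo, ip, dns)}")
```

Two points in the thread show up directly in the results: a subdomain of a declared MTA (sub.mta1.example.com) gets "none", not its parent's verdict, because the EHLO string is the only key; and an explicit "." target is refused after a single SRV query with no address lookup at all, which is the root-query concern behind the "MAY" discussed above.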
