ietf-asrg
[Top] [All Lists]

Re: [Asrg] Microsoft takes over British Telecom

2011-10-26 07:05:07
On 25/Oct/11 22:41, Douglas Otis wrote:
On 10/24/11 2:40 AM, Alessandro Vesely wrote:

With two policies out of two that choke on forwarding, I'd suspect the
culprit is the latter.  Indeed, forwarding implies that target
addresses are being kept on a server.  Hence, such server must have
some sort of authorization for using them.  Why don't we check that?

Efforts aimed at determining an "IP address authorization" based upon
some "message element" is flawed for two reasons:

I assume you mean SPF.  Flawed as it may be, it'd still be better than
nothing.

A sensible solution is a cryptographic method to authenticate the
domain of the outbound MTA.  DKIM does not authenticate the outbound
MTA, and remains prone to abuse in a manner similar to IP address
authorization.

Ditto.

Perhaps a new type of SMTP needs to be developed, where the
protocol remains unchanged with the exception of MTA authentication
requirements.  Call it AMTP for Authenticated Mail Transport
Protocol.

Why not call it SMTP-AUTH?  Indeed, it's much stronger than SPF or DKIM.

Once the MTA can be authenticated, the guesswork and mistakenly
purported domain issues go away.  There would not be any need to grey
list recipients once receivers are able to maintain and control who
they permit to issue messages.

Yep.

This may mean new domains need to solicit intended recipient
domains to request inclusion.

No, not only new domains.  Whenever someone prompts you for your email
address and your consent for using it, according to various laws, it
could/should store some form of auth token along with it.

That way, I'd address forwarded mail only.  That is, more or less,
what policies such as SPF and ADSP seem to be unable to handle
properly --I called it the culprit in the top quoted paragraph above.

Direct personal messages, where recipient addresses are set as part of
the message composition, need no authorization.  Of course, black
spammers will pretend to write personal messages, thereby breaking the
law, but grey spammers won't.

Such a process predicated on authentication scales far better and
would be less disruptive than reactive blocking of any "purported"
abuse.

I concur.  The ability to mechanically tell legitimate messages will
then allow spam reporting to be a well defined activity.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg