ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check

2008-06-11 02:34:02
from [Charles Lindsey] [Permanent Link] 
On Tue, 10 Jun 2008 18:34:57 +0100, Douglas Otis 
<dotis(_at_)mail-abuse(_dot_)org>  
wrote:


On Jun 9, 2008, at 9:21 PM, Jim Fenton wrote:



Since it apparently isn't clear:  I am proposing retaining the
NXDOMAIN domain validity check as a MUST.  It is only the MX and A/
AAAA check that I'm proposing be changed from a SHOULD to a MAY.


The situation created by MS Exchange creates a problem where just an
NXDOMAIN check is still problematic.  While NXDOMAIN might occur for
any leaked X.400 address or typical "somebody(_at_)something(_dot_)invalid",
NXDOMAIN results might also occur with any proxy SMTP addresses
assigned by MS Exchange.  This occurs since MS Exchange assignments
and routing do not depending upon DNS records.  Such an NXDOMAIN test
would disrupt messages created by the company where I work, for
example.  In addition, unless the test goes one step further to
determine whether a domain appears to support SMTP, this would offer
far less utility in preventing address spoofing.  Nor could just an
NXDOMAIN test offer protection for non-SMTP domains.


But you have repeatedly failed to explain how a verifier could recognise  
and handle this case in a manner that did not leave a loophole for all the  
scammers and spoofers to walk through. If some message arrives with a From  
that includes a proxy SMTP address assigned by MS Exchange (which will  
surely result in NXDOMAIN), what do you want the Verifier to do? Is there  
some way that is can recognise this as a proxy address and let it through  
whilst still rejecting things apparently from the domain funny.ebay.com?

If some companies using MS Exchange allow such messages to escape, then I  
am afraid that is just Tough! It is a stupid behaviour. I might accept  
that domains whose TLD clearly did not exist could be exempted from the  
NXDOMAIN check in ADSP.

And what do you mean by a "non-SMTP domain. AKAIK the phrase is  
meaningless.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check, Douglas Otis
Next by Date:  Re: [ietf-dkim] Discussion of Consensuscheck: Domain Existence Check, Bill.Oxley
Previous by Thread:  Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check, Douglas Otis
Next by Thread:  Re: [ietf-dkim] Discussion of Consensuscheck: Domain Existence Check, Bill.Oxley
Indexes:  [Date] [Thread] [Top] [All Lists]