Mail From path registration was aimed at reducing "backscatter"
spoofing. This problem had grown to where now most adopt strategies
that keep abusive messages from being issued by their servers in the
form of DSNs and where MTAs now normally verify valid recipients prior
to acceptance. The levels of abuse often required valid recipient
checks to conserve server resources. Secondly, most automated sources
of DSNs are now better at removing much of the body to keep abuse
out. IMHO, a "report" MIME subtype for auto responses could also
reduce false positives.

Nevertheless, some now hope to base email acceptance upon Mail From
path registration or upon valid Author Domain Signatures. Some expect
either technique can be used to white-list their domain, and to limit
the issuance of DSNs. Unfortunately, determining whether a message is
within a registered Mail From path can expend many transactions, and
may fail for forwarded messages. Some have proclaimed DKIM can amend
Mail From path registration to include valid Author Domain Signatures
as alternative acceptance criteria. While that might sound good,
neither Mail From nor PRA path registration prevents deceptive use of
From email addresses. The general goal behind ADSP was to prevent
From email address deception. So the other question that might be
asked is: should ADSP practices be amended to include Mail From path
registration as an optional acceptance criterion for mailing-lists or
other third-party signers?

Those wanting to cross-the-beams, or to splice together the different
kinds of Mail Tubes are likely to expose users to fraudulent messages
that are indistinguishable from those of genuine mail. For SMTP to
survive, it needs to deal with abuse early within the process, which
entails acceptance at connections likely based upon consistent use of
hostnames. Receivers need to pay attention to hostnames reported by
any particular IP address, and not dismiss it because some path
registration had been found. This should not be hard, since normally
only a few hostnames are used by each over long periods. Exceptions can
be handled separately. Sources that appear genuine then need to be
monitored individually, where this too is not hard when limited to
trusted sources. DNS based self references are easily manipulated,
and often DNS servers are also compromised systems. As such, finding
a matching address record in the forward direction says little unless
published by a trusted domain. The question of trust becomes more
difficult as a slew of new TLDs are added. It would be nice to have a
protocol that offered an easier way to determine answers to the question
of who can be trusted without needing a massive database or a
centralized service. So which are the trustworthy domains?

DKIM/ADSP is really about mitigating ongoing fraud. Connecting the
Mail From Tube together with the From Tube defeats the From Tube's
otherwise good protection. The TPA-Label scheme offers a safe way to
combine Tubes via an authorization strategy. By not depending upon
path registration, a receiver is more likely to monitor for connection
abuse that can be determined without any additional transactions. A
trusted name list can be developed based upon those domains being
authorized-by-name. Third-party handlers would receive "votes of
trust" from domains who are attempting to protect against fraud in
disguise. Lately, I have received several mailing-list like messages
designed to appear as if from a mailing list or a social network with
whom I have subscribed. It is not hard to establish reasonable
thresholds of genuine traffic that would be needed to keep this type
of assessment from being easily gamed.

Unless your domain is a likely phishing target or perhaps a Fortune
500 company, ADSP is unlikely to offer the type of handling that may
be desired. However, the web today has become a massive voting
scheme, which is a fairly democratic trend. Admittedly, many have
learned how to game the system, but the gaming can be mitigated
through greater participation. Delegating domains can be detrimental,
and exchanging keys and synchronously setting up DNS references is
error prone and expensive, which together reduce the needed
participation. The TPA-Label scheme should make it easy for domains
to vote for the services being trusted by-name.

Trust-by-name, the only scheme that scales. :^)

-Doug