ietf-mxcomp

Re: Limited scope of work

2004-03-30 14:50:12


----- Original Message ----- 
From: "Gordon Fecyk" <gordonf(_at_)pan-am(_dot_)ca>
To: <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Tuesday, March 30, 2004 4:02 PM
Subject: RE: Limited scope of work



Actually, that is EXACTLY the mindset that should be adopted.  If we don't
adopt this mindset we might as well trust everything by default like we have
for the past fifteen+ years.  Or is it twenty+ years?

I couldn't agree with you more.

Yesterday, we rejected over 49,000 hits with INVALID HELO and spoofs, all
immediately rejected with no degradation on the system.  A new "tough"
enforcement based on SMTP compliancy is the only solution here.  All this
"relaxation" gets us nowhere and I'm sorry, I will continue to say that
LMAP's single biggest benefit is protection against local domain spoofing.
The only thing remote domain validation can be trusted with is a
"rejection," and that's the only "problem" with it in the forwarding area,
which is reduced and minimized once the "middleware" can be trusted and
since we can't get to that level, well, that tells you even more remote
domain validation can't be reliable.

"DNS people" (and I don't mean that in a bad way) can really make great
strides by promoting the idea that systems can "protect" themselves by
publishing the DNS records for the main purpose of protecting themselves,
first.  But the idea or promotion that others can "borrow" these remote
policies is leading people down the wrong path.  It's only useful if one is
going to REJECT a system and only in this vein can it be useful.  That is not
to say that a PASS can't be trusted, but it does say, with empirical
results, that it will (and has) provided a higher degree of False Positives
as opposed to a lower degree of false negative with rejection results.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


