ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Limited scope of work

2004-04-01 19:13:29
from [Greg Connor] [Permanent Link] 


the proposed mailfrom checking schemes do nothing to prevent a spammer
from creating useless addresses and placing them in mailfrom.

so the scheme merely blocks one particular kind of spammer abuse,
which spammers will be able to nicely route around.


--Gordon Fecyk <gordonf(_at_)pan-am(_dot_)ca> wrote:

We're not blind to that.

I'm going to jump in here because it's the most common argument I see
against envelope checking - that a spammer or other evil-doer is going to
find a new way to work within the system.

The idea is to make them accountable for doing it.  As in, "really, these
guys who operate example.com are abusing e-mail."
I agree with Gordon. (Yes, I'm doing a lot of agreeing today. Trying to set an example I guess :)
Remember, the thing we are trying to tackle is to force everyone (spammers included) to use their own domains - or at least not abuse *mine* if I opt-in for protection.
Yes, spammers could register their own domains, but I think of this as "a good problem to have". It's certainly better than what we have now. RHS block lists may start to be taken seriously. Domain registrars may step up and provide real verification and real penalties (like, spam from X number of different domains and we will cancel ALL domains that verify back to your mailing address)
Even going back a step, spammers *could* just run a scan to see who hasn't published their MAIL FROM information yet, and just forge those domains. But, once a solution is available, people who haven't picked it up yet will start to feel the pain, and it will be the efficient and cost-effective thing to do to publish their info. It will probably be some time before "a considerable number" of domains are protected, and even longer before blocking non-cross-checked email becomes attractive, but once MAIL FROM checking is possible, it's only a matter of time.
In other words, checking MAIL FROM is good for forgeries, and is in my opinion "necessary but not sufficient" for a multi-step multi-solution approach to spam in general. 



Absent other substantive changes, such as widespread addition of
dynamic DNS capabilities, they make SMTP work only as a direct channel
between the originator's site and the recipient's site.


Is this a bad thing?
Actually, it's NOT a forgone conclusion that mobile-but-legitimate or other dynamic approaches will break. Dynamic dns updates are one possible solution, not even the most attractive. I think the most attractive solution is what's presented in RFC2476, connect to your normal MSA on the SUBMIT port. Using your mobile or home ISP for return-path/MAIL FROM but asserting your own From: address is another option.
Options abound. The misconception that MAIL FROM checking "breaks" mobile sending has been referred to a lot, but I don't think it's an axiom. I think the majority of users might not notice, other than having to turn on SMTP AUTH and enter their password again.
Folks can still do clever stuff, like add permit records to their DNS on the fly, sort of a "pop-before-MARID" clever thing is possible... but it's not required for most implementations, I think.
If we could come to some agreement about mobile users, I think that would help frame ongoing discussions. How about this proposed language:
MAIL FROM checking might affect some mobile users. The flexibility of being able to send mail from anywhere is good for mobile users, but that same flexibility is well-abused by forgeries as well.
Multiple solutions to this problem exist; in most cases, mobile users should make sure that they have access to an MSA (port 587) that uses SMTP AUTH. Other solutions include using your home or mobile account as the Sender: while keeping your preferred address in the From: header (similar to what mailing lists do), or using VPN or web mail while on the road.
There may be other solutions to this problem as well. It is the responsibility of the domain owner to provide appropriate solutions for all authorized senders before publishing outgoing LMAP policies that might exclude them. 
<<<
Feedback on this language is appreciated... I am hopeful that the mobile-user issue doesn't become a show-stopper for MAIL FROM checking... I'm pretty sure that most domain owners would happily deal with SMTP AUTH or other appropriate solution if it means their domain will be protected. 

Thanks,
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Additional Changes for RFC2821 MAIL FROM checking, Greg Connor
Next by Date:  EHLO-based validation proposal, Dave Crocker
Previous by Thread:  RE: Limited scope of work, Gordon Fecyk
Next by Thread:  Re: Limited scope of work, Yakov Shafranovich
Indexes:  [Date] [Thread] [Top] [All Lists]