ietf-mxcomp

Re: Benefits/costs of authorizing different identities

2004-04-05 11:44:47

On 4/3/04 at 9:49 AM -0800, Ned Freed wrote:

There's one other alternative that needs to be on the list: Perform a check of Resent-from: if it is present and From:. The analysis isn't materially different from the From:/Sender: checking case.

Agreed. In fact, I think the matter of checking domains that appear in the message data actually may mean developing some algorithms. For instance, checking the domain from one of Resent-Sender, Resent-From, Sender, and From, *in that order*, may be sufficient. Checking List-ID (which may not have an obvious domain name to check) or other List-* fields might be interesting. Overall, this says to me that "message header identities" might need to be considered as a set.

Given these tradeoffs, I would say that protecting the MAIL FROM (Return-Path) is of the most value. After that, protecting the From: header is of potentially greater value to a much smaller set of domains.

Protecting HELO/EHLO is of negligible value, as the HELO/EHLO value is not used for anything important.

I concur with this conclusion.

Protecting HELO/EHLO is valuable insofar as you establish a "chain of responsibility". Independent of some sort of reputation/accreditation database, that's not of much use, but at least it allows you to get into that game at some point. It's especially valuable if there is no MAIL FROM.

More and more, I'm thinking that we should say (in answer to the original question posed about which "identity" we want to consider) that we should consider *all* of HELO/EHLO, MAIL FROM, and message header "identities". That is, whatever mechanism we come up with, it should allow a domain to publish information about any of these "identities".

(Can you tell that I hate the word "identities" in this context? I'm always tempted to ask, "The identity of what? The message? The sending MTA? The person who sent the message?" I'd rather we had different terminology for this, but it's probably too late for that.)

I don't think we should spend time in this group worrying about proposals which do not deal with domains contained in the message stream (e.g., things that use the .arpa domain).

pr
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
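
The header precedence suggested in the message above (Resent-Sender, Resent-From, Sender, From, in that order), as an added example that is not part of the original post or of any proposal discussed on the list. The function name, the handling of malformed or multi-address headers, and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Precedence order suggested in the post above.
HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def header_identity_domain(raw_message):
    """Return (header_name, domain) for the first header in HEADER_ORDER
    that is present in the message.

    Assumption (not from the post): if that header is malformed or lists
    more than one mailbox, return (header_name, None) instead of falling
    back to a lower-precedence header, so the caller sees that no single
    domain could be selected."""
    msg = message_from_string(raw_message)
    for name in HEADER_ORDER:
        values = msg.get_all(name)
        if not values:
            continue
        # Resent-* blocks are prepended, so the topmost one is the newest.
        addrs = [addr for _, addr in getaddresses([values[0]]) if addr]
        if len(addrs) != 1:
            return name, None
        local, at, domain = addrs[0].rpartition("@")
        if not (local and at and domain):
            return name, None
        return name, domain.lower()
    return None, None


# Constructed sample messages (not taken from the list archive).
FORWARDED = ("Resent-From: Bob <bob@forwarder.example>\n"
             "Sender: owner@lists.example\n"
             "From: Alice <alice@origin.example>\n\nbody\n")
LIST_MAIL = "Sender: owner@lists.example\nFrom: alice@origin.example\n\nbody\n"
PLAIN = "From: Alice <alice@Origin.Example>\n\nbody\n"
TWO_AUTHORS = "From: a@one.example, b@two.example\n\nbody\n"
BROKEN = "Resent-Sender: broken\nFrom: alice@origin.example\n\nbody\n"

if __name__ == "__main__":
    for label, raw in [("forwarded", FORWARDED), ("list", LIST_MAIL),
                       ("plain", PLAIN), ("two authors", TWO_AUTHORS),
                       ("broken", BROKEN)]:
        print(label, header_identity_domain(raw))
```

The returned domain is only the input to whatever authorization lookup the receiver performs; the lookup itself is outside this example.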