ietf-mxcomp

Re: Benefits/costs of authorizing different identities

2004-04-05 19:25:40


Dave Crocker wrote:


My more-careful answer is that we need to start somewhere that is
tractable and useful.  Validating MTA.MailFrom is actually
dramatically more ambitious than validating MTA.Helo, because MailFrom
has this multi-hop chain back to the message's origination.


Good point.

...
For that matter, consider the author-based mta registrations schemes,
like RMX or SPF.  They require that each of the 2000 domains register
the ISP's MTA, as well as every other MTA any of the users of those
2000 domains might need to post through, anywhere on the Internet.

The term "scaling problem" comes to mind.

Yes SPF has its problems. I do not know RMX sufficiently to comment.

What is useful about validating that one MTA is that we will then have
a basis for trusting its traffic.

I am not sure that will mean anything. Customers sometimes install CGI/HTML
scripts that get exploited and they send spam from a responsible ISP without
the virtual site's knowledge. Co-hosting locations have this problem almost daily.

I guess you could use that to measure how responsive the ISP was (or was not)
to spam complaints. Why would that be better than measuring the ISP by
their IP address? I do agree that it adds tractability; I do not see how it
can be used as the basis for trust unless the ISP is grossly unresponsive to
spam issues, and in that case the IP address is just as easy to block as a cert.

Virtual-host-X would still be black listed because virtual-host-Y was stupid.
And co-hosted-A would still be black listed because co-hosted-B was stupid
when they use the ISP's MTA.

DR>  How does that help
DR> control spam? I agree it would help when tracking down the source of spam.


First of all, being better able to track down the source of spam is
quite a good thing, especially compared with our current state of
affairs.

Yes it would greatly help the tractability issue.

Second, depending upon the nature and strength of the MTA validation
scheme, knowing that an MTA is "well-behaved" means that it does not
send spam.

Works in the corporate world. Not sure it has any meaning in the co-hosting and
virtual hosting world - other than tractability.

In summary I agree it would be useful in tractability.  And it would help
with spam from dial-up-ISPs where they are the source.  I wonder how much
spam comes from static IP address vs dynamic address?

I would like to see the domain registrars issue MTA certs when you pay for a
domain. And I would like to see ISP-MTA certs issued that allowed an ISP to
co-sign a cert that says virtual-host-X or co-hosted-A MTA is in fact
associated with this ISP. This adds accountability to the virtual host and
does not black list non-spam-virtual hosts on the same IP address.

Then when the intranet system contacts the ISP from inside the intranet the
ISP MTA can use the correct domain cert for authentication saying that
ISP-P MTA is a proxy for domain-D. Then the email can be traced down
to the domain that caused the problem. Now if the domain uses the ISP's
MTA - it is traceable to the domain. If they do not use the ISP's MTA
then they use the ISP's co-signed cert for their domain to say it is
domain-D and I am really at 'ISP' so you can find me.
In both cases the receiving MTA can check the cert chain from the registrar
to the domain that sent the email.


--

Doug Royer                     |   http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com                 | Office: (208)520-4044
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                              | Cell:   (208)520-4044

             We Do Standards - You Need Standards


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
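
The check a receiving MTA would make under the co-signed cert proposal in the message above, as an added example that is not part of the original message or of any mxcomp draft. It assumes textbook RSA over fixed primes as a toy stand-in for real certificate signatures; all function names, the message formats and the `.example` hosts are hypothetical and constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    """Textbook RSA from fixed primes: a toy stand-in for real cert signatures."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed parties: the registrar is the trust anchor, ISP-P hosts domains.
REG_N, REG_D = keypair(2**107 - 1, 2**127 - 1)
ISP_N, ISP_D = keypair(2**61 - 1, 2**89 - 1)

def issue_domain_cert(domain):
    """Registrar vouches for the domain's MTA identity."""
    return {"domain": domain, "reg_sig": sign("domain:" + domain, REG_N, REG_D)}

def issue_isp_cert(isp):
    """Registrar vouches for the ISP's MTA key."""
    return {"isp": isp, "n": ISP_N, "reg_sig": sign(f"isp:{isp}:{ISP_N}", REG_N, REG_D)}

def cosign(cert, isp):
    """ISP states that this domain's MTA is associated with it."""
    return dict(cert, isp=isp, isp_sig=sign(f"hosted:{cert['domain']}@{isp}", ISP_N, ISP_D))

def accountable_party(cert, isp_cert):
    """Receiving MTA: check registrar -> ISP and registrar -> domain, then the
    ISP co-signature. Returns (domain, isp) to hold accountable, else None."""
    if not verify(f"isp:{isp_cert['isp']}:{isp_cert['n']}", isp_cert["reg_sig"], REG_N):
        return None
    if not verify("domain:" + cert["domain"], cert["reg_sig"], REG_N):
        return None
    if cert.get("isp") != isp_cert["isp"] or "isp_sig" not in cert:
        return None
    hosted = f"hosted:{cert['domain']}@{cert['isp']}"
    return (cert["domain"], cert["isp"]) if verify(hosted, cert["isp_sig"], isp_cert["n"]) else None

ISP_CERT = issue_isp_cert("isp-p.example")
HOST_X = cosign(issue_domain_cert("virtual-host-x.example"), "isp-p.example")
HOST_Y = cosign(issue_domain_cert("virtual-host-y.example"), "isp-p.example")
BLOCKED = {accountable_party(HOST_Y, ISP_CERT)}  # Y spammed; X shares its IP
```

Because the block list is keyed on the verified (domain, ISP) pair rather than the shared IP address, blocking virtual-host-y leaves virtual-host-x deliverable, and a cert whose domain field was altered fails the registrar check.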
