Dave Crocker wrote:
My more-careful answer is that we need to start somewhere that is
tractable and useful. Validating MTA.MailFrom is actually
dramatically more ambitious than validating MTA.Helo, because MailFrom
has this multi-hop chain back to the message's origination.
Good point.
...
For that matter, consider the author-based mta registrations schemes,
like RMX or SPF. They require that each of the 2000 domains register
the ISP's MTA, as well as every other MTA any of the users of those
2000 domains might need to post through, anywhere on the Internet.
The term "scaling problem" comes to mind.
Yes SPF has its problems. I do not know RMX sufficiently to comment.
What is useful about validating that one MTA is that we will then have
a basis for trusting its traffic.
I am not sure that will mean anything. Customers sometimes install CGI
/html scripts
that get exploited and they send spam from a responsible ISP without the
virtual
sites knowledge. Co-hosting locations have this problem almost daily.
I guess you could use that to measure how responsive the ISP was (or was
not)
to spam complaints. Why would that be better then measuring the ISP by
their IP address? I do agree that it adds tractability, I do not see how
it can
be used as the basis for trust unless the ISP is grossly unresponsive to
spam
issues and in that case the IP address is just as easy to block as a cert.
Virtual-host-X would still be black listed because virtual-host-Y was
stupid.
And co-hosted-A would still be black listed because co-hosted-B was stupid
when they use the ISPs MTA.
DR> How does that help
DR> control spam? I agree it would help when tracking down the source of spam.
First of all, being better able to track down the source of spam is
quite a good thing, especially compared with our current state of
affairs.
Yes it would greatly help the tractability issue.
Second, depending upon the nature and strength of the MTA validation
scheme, knowing that an MTA is "well-behaved" means that it does not
send spam.
Works in the corporate world. Not sure it has any meaning in the
co-hosting and
virtual hosting world - other than tractability.
In summary I agree it would be useful in tractability. And it would help
with spam from dial-up-ISPs where they are the source. I wonder how much
spam comes from static IP address vs dynamic address?
I would like to see the domain registrars issue MTA certs when you pay
for a domain.
And I would like to see ISP-MTA certs issued that allowed an ISP to
co-sign a cert that
says virtual-host-X or co-hosted-A MTA is in fact associated with this
ISP. This
adds accountability to the virtual host and does not black list
non-spam-virtual hosts
on the same IP address.
Then when the intranet system contacts the ISP from inside the intranet the
ISP MTA can use the correct domain cert for authentication saying that
ISP-P MTA is a proxy for domain-D. Then the email can be traced down
to the domain that caused the problem. Now if the domain uses the ISPs
MTA - it is traceable to the domain. If they do not use the ISP's MTA
then they use the ISP's co-signed cert for their domain to say it is
domain-D and I
am really at 'ISP' so you can find me.
In both cases the receiving MTA can check the cert chain from the registrar
to the domain that sent the email.
--
Doug Royer | http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com | Office: (208)520-4044
http://Royer.com/People/Doug | Fax: (866)594-8574
| Cell: (208)520-4044
We Do Standards - You Need Standards
smime.p7s
Description: S/MIME Cryptographic Signature