Re: Input on identities
2004-04-07 13:02:01
On 4/7/04 at 7:34 PM +0200, Markus Stumpf wrote:
> On Wed, Apr 07, 2004 at 11:49:39AM -0500, Pete Resnick wrote:
>> Many sites don't own records in the reverse space for their IP addresses,
> Then we should question why this is so and if it is needed or if it
> can be handled by their ISP as well.
That means constantly coordinating with the ISP as to which IP
addresses are and are not MTAs. For ISPs that just give out a block
of IP addresses to the customer, that may be a huge increase in
administrative burden.
> And we should also question why ISPs don't handle the revDNS any more.
A separate discussion, but sometimes it is because of the above: The
ISP does not want to have to coordinate every time a customer makes a
change to their forward DNS.
> And managing revDNS will probably be less work than to add LMAP type
> records to all zones of all customers.
It depends on the setup. For an ISP with a large number of small
customers who run their own DNSs, it will be more work. For those
managing both forward and reverse, it depends on the number of MTAs
and how often they change addresses.
> And the drawback is that spammers can still use their networks of
> cracked (mainly) dialin/DSL machines by publishing appropriate
> information for their rogue zones and use them to spit out spam,
> just like they do now.
I don't see a negative there. All I see is that HELO checking doesn't
solve every problem. It doesn't. Neither does checking MAIL FROM.
Neither does checking From:. Neither does checking the IP address
against an RBL. HELO checking does two things: If there's a record
that says "yes, that's my MTA", it allows you to trace back to the
domain owner. That allows you to set up a domain
BL/accreditation/reputation system if you want. If there's a record
that says, "no, that's not my MTA", then you can reject the
connection after the HELO. Are those two things together worth the
trouble of doing this? Maybe. It depends on how cheap it is to
accomplish HELO checking. But saying that failing to solve other
problems is a *negative* isn't an argument against doing so.
> Then we need another (DNS based?) accreditation system
I doubt it would be DNS based, but that's *way* out of scope for the
current discussion.
> IP based lists are very simple, as they tell "the owner of the IP
> space thinks this IP hosts a MTA that should be sending messages across
> the Internet". What each validator does with that information is up
> to him. If some ISPs don't handle revDNS for their customers then
> the market will kill those ISPs or they will handle revDNS for their
> customers.
I agree. But doing a HELO based check isn't mutually exclusive with
doing IP checks. There are cases where each is beneficial.
> The situation where IP based lists will not work is for MTAs on
> dynamic address space. The question is whether we should encourage
> hosting MTAs on dynamic address space with regard to stability and
> the spam problems we encountered over the last decade.
I have to wonder whether IPv6 is going to change the answer we might
give to such a question.
> My fear is that LMAP style authorization mainly helps big sites to
> be protected from joe jobs, but joe-loser.org who doesn't even know
> what an IP address is will be helpless and spammers will shift from
> big mail service providers to zillions of small domains without
> LMAP. The overall win will be zero for a very long time.
It's a reasonable fear, but I think over the long run even
joe-loser.org will get the folks managing their domain to insert the
appropriate record in the DNS to stop them from getting hit too. As
above, none of this solves the entire problem; it's just plugging one
hole in the dike that happens to be flowing like a firehose at the
moment.
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
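The two outcomes Pete describes for a HELO check (a record that says "yes, that's my MTA" lets you hold the domain owner accountable; a record that says "no, that's not my MTA" lets you reject after HELO), alongside the forward-confirmed reverse DNS lookup that the revDNS part of the thread turns on, as an added example that is not part of the thread or of any LMAP proposal. It runs against constructed in-memory PTR and A data so it works offline; the `MTA_POLICY` dict is an assumed stand-in for whatever LMAP-style "these are my MTAs" record a domain would publish, and `helo_domain` takes the last two labels as a deliberate simplification.

```python
"""Added example, not from the thread: a minimal model of the HELO check
discussed above (accountable / reject / unknown) next to a
forward-confirmed reverse DNS (FCrDNS) lookup. All DNS data is constructed
and lives in memory; the MTA_POLICY record format is an assumption."""
import ipaddress

# Constructed reverse (PTR) and forward (A) data; none of these are real hosts.
PTR = {
    "192.0.2.10": "mta1.example.com",
    "198.51.100.7": "dsl-7.isp.example",      # a dial-in/DSL address
}
A = {
    "mta1.example.com": "192.0.2.10",
    "dsl-7.isp.example": "198.51.100.7",
    "mail.example.org": "203.0.113.5",        # forward only: owner publishes no PTR
}
# Hypothetical domain-owner statement "these addresses are my MTAs".
# The LMAP proposals differed in record format; this dict is a stand-in.
MTA_POLICY = {
    "example.com": {"192.0.2.10"},
    "example.org": {"203.0.113.5"},
}


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) must map
    back to ip. Returns the confirmed name, or None when the owner of the
    IP space publishes no (or a non-matching) reverse record."""
    name = ptr.get(ip)
    if name is not None and a.get(name) == ip:
        return name
    return None


def helo_domain(helo):
    """Registrable domain of a HELO name. Address literals ("[192.0.2.10]")
    name no domain. Taking the last two labels is a simplification; a real
    implementation would consult the public suffix list."""
    helo = helo.strip().lower().rstrip(".")
    if helo.startswith("[") or "." not in helo:
        return None
    labels = helo.split(".")
    return ".".join(labels[-2:])


def helo_verdict(ip, helo, policy=MTA_POLICY):
    """Returns (verdict, fcrdns_name).
    'accountable': the HELO domain says this IP is its MTA, so the domain
                   owner can be traced and fed to a domain reputation system;
    'reject':      the domain publishes a policy that excludes this IP;
    'unknown':     no policy is published (joe-loser.org's case above)."""
    ip = ipaddress.ip_address(ip).compressed   # normalise; raises on garbage
    rdns = fcrdns(ip)
    domain = helo_domain(helo)
    if domain is None or domain not in policy:
        return "unknown", rdns
    if ip in policy[domain]:
        return "accountable", rdns
    return "reject", rdns


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mta1.example.com"),
                     ("198.51.100.7", "mta1.example.com"),
                     ("198.51.100.7", "host.joe-loser.org"),
                     ("203.0.113.5", "mail.example.org")]:
        print(ip, helo, "->", helo_verdict(ip, helo))
```

The fourth case is the one from the top of the thread: `mail.example.org` has no reverse record at all, so FCrDNS yields nothing, yet the HELO check still resolves to "accountable" because the domain owner published its own statement about the MTA. The second case is the cracked DSL host claiming to be `example.com`'s MTA, which the published policy lets the receiver reject right after HELO.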