ietf-mxcomp

RE: Can you ever reject mail based on RFC2821 MAIL FROM?

2004-04-27 04:05:14

On Mon, 26 Apr 2004, Harry Katz wrote:

> You cannot use SRS or any form of MAIL FROM rewriting to prevent joe
> jobs.  It won't work.  The reason is that the receiver of the spoofed
> mail has no way to distinguish mail from an SRS-compliant MTA from mail
> that has been routed through a non-SRS compliant forwarder.  The only
> way the receiver can reliably reject messages is that there remain no
> significant population of non-821-checkers out there on the internet
> that the spammers can find.  That is, if effectively everyone did the
> check, then it might work, but thinking we'd ever even remotely get
> there is, with all due respect, fantasy.

However the main problem with joe jobs is receiving the collateral spam,
and if you sign the envelope sender address then you can reject
illegitimate bounces without co-operation from anyone else. The fact that
recipients of a message forged "from" your domain can use callouts to
detect the forgery is a bonus side-effect. The receiver does not need to
worry whether the sender uses SSAs or not: callout checks work either way.
However it would probably be worth extending SPF so that it can be used to
advertise that a domain uses SSAs.

I'm not sure why you mention forwarders in the paragraph above. They are
irrelevant to signed sender addresses, because SSA is an end-to-end
protocol, not hop-by-hop. If an SRS forwarder mangles the address then
that's a shame; the recipient will just have to use some other anti-spam
technique. No single technique will solve the problem by itself.

I also note that at the moment the majority of the joe-job volume is from
viruses not spam, and viruses won't bother to distinguish between domains
that do and do not sign addresses. Signed sender addresses will not
prevent all forgery but they will make a significant dent in it.

> The only feasible way to stop joe jobs is for the receiver of the NDR
> (not the receiver of the original message) to insert information in his
> legitimate messages so he can determine whether a received NDR pertains
> to a message that was actually sent out from that domain or not.  This
> kind of solution can be implemented unilaterally by each receiving MTA
> and does not require universal deployment of rewriting schemes in order
> to be effective.  This is also outside the charter of the MARID group.

This idea will sometimes cause legitimate bounces to be rejected, because
some bounce-like messages (especially vacation messages) do not contain
the original message. However they *are* sent to the message's reverse
path address which is why you should sign that. The scheme you outline
above is similar to applying SSAs to the reverse path, except you are
putting the signature in the message body rather than the envelope.

I noted in January (see http://dotat.at/log.html) that Russell Nelson's
q249 scheme (http://q249.org/) can be used in the way you describe.

-- 
Tony Finch  <dot@dotat.at>  http://dotat.at/
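The post argues that signing the envelope sender (the reverse path) lets a domain reject joe-job bounces unilaterally: every outbound MAIL FROM carries a keyed tag, so a bounce or vacation reply addressed to an untagged or badly tagged local part can be refused at RCPT TO time, while anything addressed to a valid tag is delivered to the original mailbox regardless of whether the replying side quoted the original message. The code below is an added illustration of that idea, not code from the post, from SRS, or from q249; the tag layout (ssa=<local>=<expiry-day>=<tag>), the 48-bit truncated HMAC-SHA256 tag, the day-counter clock and the key are all assumptions of this example.

```python
import hashlib
import hmac
import re

# Assumed layout for a signed sender address (this example's convention, not a
# standard): ssa=<original-local>=<expiry-day>=<tag>@<domain>
# <expiry-day> is a day counter; <tag> is a truncated HMAC over the original
# address and the expiry, so an address cannot be reused once it has expired.
TAG_HEX_LEN = 12  # 48-bit tag, a deliberate trade-off between length and strength
SIGNED_RE = re.compile(
    r"^ssa=(?P<local>.+)=(?P<expiry>\d+)=(?P<tag>[0-9a-f]{%d})$" % TAG_HEX_LEN
)


def _tag(key: bytes, local: str, domain: str, expiry_day: int) -> str:
    """Keyed tag binding the original address to its expiry day."""
    msg = f"{local}@{domain}:{expiry_day}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def sign_sender(address: str, key: bytes, today: int, ttl_days: int = 7) -> str:
    """Rewrite an outbound reverse path so that bounces to it can be verified."""
    local, domain = address.rsplit("@", 1)
    expiry = today + ttl_days
    return f"ssa={local}={expiry}={_tag(key, local, domain, expiry)}@{domain}"


def verify_signed(address: str, key: bytes, today: int):
    """Return (original_address, reason); original_address is None on failure.

    The tag is checked in constant time and before the expiry so that a
    forger learns nothing about which part of the address was wrong.
    """
    if "@" not in address:
        return None, "malformed"
    local, domain = address.rsplit("@", 1)
    m = SIGNED_RE.match(local)
    if not m:
        return None, "unsigned"
    expiry = int(m.group("expiry"))
    expected = _tag(key, m.group("local"), domain, expiry)
    if not hmac.compare_digest(expected, m.group("tag")):
        return None, "bad-tag"
    if today > expiry:
        return None, "expired"
    return f"{m.group('local')}@{domain}", "ok"


def accept_envelope(mail_from: str, rcpt_to: str, key: bytes, today: int):
    """SMTP-time policy for inbound mail to the signing domain.

    Returns (accept, deliver_to, reason). A valid tag is accepted whatever the
    reverse path is (this is what lets vacation replies that never quote the
    original message through). A null reverse path, i.e. a bounce, to an
    untagged or invalid address is collateral from a forgery: we never sent
    anything from that address, so the bounce is refused.
    """
    original, reason = verify_signed(rcpt_to, key, today)
    if original is not None:
        return True, original, "signed"
    if mail_from == "":
        return False, None, f"reject bounce: {reason}"
    return True, rcpt_to, "ordinary mail"


if __name__ == "__main__":
    # Constructed demo values: a throwaway key and an arbitrary day counter.
    key = b"example-signing-key"
    today = 12000
    signed = sign_sender("alice@example.org", key, today)
    print("outbound MAIL FROM:", signed)
    print("bounce to signed:  ", accept_envelope("", signed, key, today))
    print("bounce to plain:   ", accept_envelope("", "alice@example.org", key, today))
    print("bounce after ttl:  ", accept_envelope("", signed, key, today + 8))
```

Rotating the key is the one operational wrinkle: bounces for mail sent before a rotation still carry the old tag, so a deployment keeps the previous key around for the TTL and tries both. The 48-bit tag is only meant to defeat guessing at SMTP speeds; a domain that can tolerate longer local parts can keep more of the HMAC.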